fix(auth): remove the dead PASSWORD_ALGO knob (argon2id is fixed in the code) #29

Merged
Corentin merged 1 commit from fix/remove-dead-password-algo into dev 2026-06-16 14:21:10 +02:00

## Finding LOW (audit 2026-06-16)

`PASSWORD_ALGO` was exposed (`.env.example` + `docker-compose.yml`) as if the hashing algorithm were configurable, but `PasswordHasher` hardcodes `PASSWORD_ARGON2ID`. Setting `PASSWORD_ALGO=bcrypt` would have had **no effect**: a fake lever, with a risk of false confidence in an inactive setting.

## Fix

argon2id is a security-by-design, non-configurable choice. Variable removed from `.env.example` and `docker-compose.yml`; intent documented in `PasswordHasher::hash`. The COSTS (`ARGON2_MEMORY/TIME/THREADS`) remain adjustable and are honoured. No code read `PASSWORD_ALGO` -> no behaviour change.

No auto-merge label.

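One check a reviewer can run to catch this class of finding (a config key advertised to operators in `.env.example` but never read anywhere in the code), as an added example that is not part of this PR or of the project's own code; the `.env.example` contents, the `PasswordHasher` source and the set of accessor patterns (`getenv`, `$_ENV`, `$_SERVER`, Symfony `%env()%`) are constructed assumptions:

```python
import re

# Constructed sample: a .env.example that still advertises PASSWORD_ALGO
# (the dead knob from the finding) alongside the cost settings that are read.
ENV_EXAMPLE = """\
# Password hashing
PASSWORD_ALGO=argon2id
ARGON2_MEMORY=65536
ARGON2_TIME=4
ARGON2_THREADS=2
APP_ENV=dev
"""

# Constructed sample of the application source (not the project's real file):
# the hasher pins argon2id and reads only the cost settings, so PASSWORD_ALGO
# is never consulted.
SOURCES = {
    "src/Security/PasswordHasher.php": """\
<?php
final class PasswordHasher {
    public function hash(string $plain): string {
        // argon2id is a deliberate, non-configurable choice.
        return password_hash($plain, PASSWORD_ARGON2ID, [
            'memory_cost' => (int) getenv('ARGON2_MEMORY'),
            'time_cost'   => (int) $_ENV['ARGON2_TIME'],
            'threads'     => (int) ($_SERVER['ARGON2_THREADS'] ?? 1),
        ]);
    }
}
""",
    "config/services.yaml": "app.env: '%env(APP_ENV)%'\n",
}

KEY_LINE = re.compile(r"^\s*(?:export\s+)?([A-Z][A-Z0-9_]*)\s*=", re.M)

def declared_keys(env_text: str) -> set[str]:
    """Keys advertised to operators by a .env-style file (comments ignored)."""
    return set(KEY_LINE.findall(env_text))

def read_keys(sources: dict[str, str]) -> set[str]:
    """Keys the code actually reads via the common PHP/Symfony accessors."""
    found = set()
    for text in sources.values():
        found.update(re.findall(r"getenv\(\s*['\"]([A-Z0-9_]+)['\"]", text))
        found.update(re.findall(r"\$_(?:ENV|SERVER)\[\s*['\"]([A-Z0-9_]+)['\"]", text))
        found.update(re.findall(r"%env\((?:[a-z]+:)*([A-Z0-9_]+)\)%", text))
    return found

def dead_keys(env_text: str, sources: dict[str, str]) -> set[str]:
    """Declared but never read: settings that cannot change behaviour."""
    return declared_keys(env_text) - read_keys(sources)

if __name__ == "__main__":
    for key in sorted(dead_keys(ENV_EXAMPLE, SOURCES)):
        print(f"dead config key: {key}")
```

Run against a real checkout, `ENV_EXAMPLE` and `SOURCES` would be loaded from disk; any key the script reports is a candidate for the same treatment this PR gives `PASSWORD_ALGO`.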
Corentin added 1 commit 2026-06-16 14:08:12 +02:00
fix(auth): remove the dead PASSWORD_ALGO knob (argon2id is fixed in the code)
All checks were successful
CI / php-lint (push) Successful in 26s
CI / static-tests (push) Successful in 35s
CI / php-lint (pull_request) Successful in 23s
CI / auto-merge (push) Has been skipped
CI / auto-merge (pull_request) Successful in 5s
CI / secret-scan (push) Successful in 13s
CI / secret-scan (pull_request) Successful in 11s
CI / static-tests (pull_request) Successful in 43s
c4c55338ac
PASSWORD_ALGO was exposed (.env.example + docker-compose) as if the hashing
algorithm were configurable, but PasswordHasher hardcodes PASSWORD_ARGON2ID:
setting PASSWORD_ALGO=bcrypt would have had no effect (a fake lever, with a risk
of false confidence in an inactive setting).

argon2id is a security-by-design, non-configurable choice. We therefore remove
the variable (.env.example + compose) and document the intent in PasswordHasher::hash.
The COSTS (ARGON2_MEMORY/TIME/THREADS) remain adjustable and are honoured. No code
read PASSWORD_ALGO: no behaviour change.
Corentin merged commit 656c7a2f3d into dev 2026-06-16 14:21:10 +02:00
Corentin deleted branch fix/remove-dead-password-algo 2026-06-16 14:21:10 +02:00
Reference: AcadeNice/corentin_wakdo#29