fix(auth): remove the dead PASSWORD_ALGO knob (argon2id hard-coded) #29

Merged
Corentin merged 1 commit from fix/remove-dead-password-algo into dev 2026-06-16 14:21:10 +02:00

1 commit

Author SHA1 Message Date
Imugiii
c4c55338ac fix(auth): remove the dead PASSWORD_ALGO knob (argon2id hard-coded)
All checks were successful
CI / php-lint (push) Successful in 26s
CI / static-tests (push) Successful in 35s
CI / php-lint (pull_request) Successful in 23s
CI / auto-merge (push) Has been skipped
CI / auto-merge (pull_request) Successful in 5s
CI / secret-scan (push) Successful in 13s
CI / secret-scan (pull_request) Successful in 11s
CI / static-tests (pull_request) Successful in 43s
PASSWORD_ALGO was exposed (.env.example + docker-compose) as if the hashing
algorithm were configurable, but PasswordHasher hard-codes PASSWORD_ARGON2ID:
setting PASSWORD_ALGO=bcrypt would have had no effect (a fake lever, with a risk of
false confidence in an inactive setting).

argon2id is a non-configurable, security-by-design choice. We therefore remove the
variable (.env.example + compose) and document the intent in PasswordHasher::hash.
The COSTS (ARGON2_MEMORY/TIME/THREADS) remain tunable and honored. No code
read PASSWORD_ALGO: no change in behavior.
2026-06-16 12:08:01 +00:00
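
An added illustration of the pattern the commit message describes, not the project's PasswordHasher: the algorithm is a constant and only the Argon2 costs are read from the environment, so a leftover PASSWORD_ALGO value changes nothing. The class name, the bounds, the KiB unit and the fallback behaviour are assumptions; only the variable names come from the page, and PHP must be built with Argon2 support.

```php
<?php
declare(strict_types=1);

// Added illustration: hypothetical class, not the project's PasswordHasher.
final class FixedArgon2idHasher
{
    // The algorithm is a constant and is never read from the environment.
    private const ALGO = PASSWORD_ARGON2ID;

    // Read one cost; fall back to PHP's default if unset, non-numeric or out of range.
    private static function cost(string $name, int $default, int $min, int $max): int
    {
        $raw = getenv($name);
        if ($raw === false || !ctype_digit($raw)) {
            return $default;
        }
        $value = (int) $raw;
        return ($value >= $min && $value <= $max) ? $value : $default;
    }

    // Bounds are assumed for the example; ARGON2_MEMORY is assumed to be in KiB.
    private static function options(): array
    {
        return [
            'memory_cost' => self::cost('ARGON2_MEMORY', PASSWORD_ARGON2_DEFAULT_MEMORY_COST, 19456, 1048576),
            'time_cost'   => self::cost('ARGON2_TIME', PASSWORD_ARGON2_DEFAULT_TIME_COST, 2, 16),
            'threads'     => self::cost('ARGON2_THREADS', PASSWORD_ARGON2_DEFAULT_THREADS, 1, 8),
        ];
    }

    public static function hash(string $password): string
    {
        return password_hash($password, self::ALGO, self::options());
    }

    // True when a stored hash was made with another algorithm or with other costs.
    public static function needsRehash(string $hash): bool
    {
        return password_needs_rehash($hash, self::ALGO, self::options());
    }
}

// Constructed demo values.
putenv('PASSWORD_ALGO=bcrypt'); // the retired variable: nothing reads it
putenv('ARGON2_TIME=3');        // a cost variable: honored
$hash = FixedArgon2idHasher::hash('constructed-sample-password');
$info = password_get_info($hash);
echo $info['algoName'], ' ', json_encode($info['options']), PHP_EOL;
var_dump(FixedArgon2idHasher::needsRehash(password_hash('x', PASSWORD_BCRYPT)));
```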