ezsystems · glye · Jun 12, 2020
diff --git a/eZ/Publish/API/Repository/Values/User/User.php b/eZ/Publish/API/Repository/Values/User/User.php
@@ -30,9 +30,23 @@ abstract class User extends Content implements UserReference
     /** @var int Passwords hashed by PHPs default algorithm, which may change over time */
     const PASSWORD_HASH_PHP_DEFAULT = 7;
 
+    /** @var int Passwords in Argon2i */
+    const PASSWORD_HASH_ARGON2I = 8;
+
+    /** @var int Passwords in Argon2id */
+    const PASSWORD_HASH_ARGON2ID = 9;
+
     /** @var int Default password hash, used when none is specified, may change over time */
     const DEFAULT_PASSWORD_HASH = self::PASSWORD_HASH_PHP_DEFAULT;
 
+    /** @var int[] Password hash algoritms supported by PHP's password_hash() function, may change over time */
+    const PHP_PASSWORD_HASH_ALGORITHMS = [
+        self::PASSWORD_HASH_BCRYPT,
+        self::PASSWORD_HASH_PHP_DEFAULT,
+        self::PASSWORD_HASH_ARGON2I,
+        self::PASSWORD_HASH_ARGON2ID,
+    ];
+
     /**
      * User login.
      *

diff --git a/eZ/Publish/Core/Repository/User/PasswordHashService.php b/eZ/Publish/Core/Repository/User/PasswordHashService.php
@@ -40,15 +40,29 @@ public function createPasswordHash(string $password, ?int $hashType = null): str
             case User::PASSWORD_HASH_PHP_DEFAULT:
                 return password_hash($password, PASSWORD_DEFAULT);
 
+            case User::PASSWORD_HASH_ARGON2I:
+                if (!defined('PASSWORD_ARGON2I')) {
+                    throw new InvalidArgumentException('hashType', "Password hash algorithm 'PASSWORD_ARGON2I' is not compiled into PHP");
+                }
+
+                return password_hash($password, PASSWORD_ARGON2I);
+
+            case User::PASSWORD_HASH_ARGON2ID:
+                if (!defined('PASSWORD_ARGON2ID')) {
+                    throw new InvalidArgumentException('hashType', "Password hash algorithm 'PASSWORD_ARGON2ID' is not compiled into PHP");
+                }
+
+                return password_hash($password, PASSWORD_ARGON2ID);
+
             default:
                 throw new InvalidArgumentException('hashType', "Password hash type '$hashType' is not recognized");
         }
     }
 
     public function isValidPassword(string $plainPassword, string $passwordHash, ?int $hashType = null): bool
     {
-        if ($hashType === User::PASSWORD_HASH_BCRYPT || $hashType === User::PASSWORD_HASH_PHP_DEFAULT) {
-            // In case of bcrypt let php's password functionality do it's magic
+        if (in_array($hashType, User::PHP_PASSWORD_HASH_ALGORITHMS, true)) {
+            // Let php's password functionality do it's magic
             return password_verify($plainPassword, $passwordHash);
         }