Remove lib ozh/phpass

[ozh]

We've been using ozh/phpass for a super long time because back then when dealing with PHP prior to 5.5 we didn't have builtin functions password_hash() and password_verify().

We can, so we should, remove this dependency and use password_hash(), which should be a straightforward replacement in includes/functions-auth.php and in the unit tests.

Things to ponder :

• we could use PASSWORD_BCRYPT by default and allow another hashing algorithm with a filter
• do we really need that $ <-> ! replacement ?

Note : the bcrypt hash is limited to 72 chars, see https://stackoverflow.com/questions/16594613/how-to-hash-long-passwords-72-characters-with-blowfish (note that ozh/phpass behaves the same, see https://3v4l.org/F6NvW).
Now, passwords longer than 72 chars shouldn't be an issue I guess, but it may be worth documenting it somewhere (there's got to be some zealot one day with a password manager who will use a 128 char long password, obviously) (Other hashing algorithm don't have that limitation)

[My1]

couldnt we even make argon the default considering the minimum PHP is 7.4

[ozh]

I think it depends on how PHP was compiled, ie could be totally unavailable on some distros or web hosts, while Blowfish is always avail

[My1]

Now that's dumb. Windows php at least always had argon in as long as it existed.

Then I'd at the very least say that the algo should definitely be able to be customized, params as well as the default bcrypt cost wasn't high either last time i checked.)

The entire $ to ! swap is imo entirely unneeded and likely just a thing to keep phpass happy and not accidentally clash with other had handlers maybe.

[My1]

might it be possible to long term rewrite phpass hashes into normal password_hash() hashes without any substitution? one could even do this in combo with password_needs_rehash() to re-hash if the parameters have changed

[ozh]

I think the substitution is needed because of the way we include() the config.php. At least, I removed it and it failed, so I added it back :^P

[My1]

does the password hash happen to be enclosed in double quotes, e.g. "$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a"
if yes make sure to use single quotes:
'$2y$10$.vGA1O9wmRjrwAVXD98HNOgsNpDczlqm3Jq7KnEd1rVAGv3Fykk1a'
double quotes mean you can $variable names are being resolved or at least tried to.

long ago (no idea when exactly, I basically just hacked in password_hash based validation with a manually made hash which i just stuck into the config.

I basically just amended the functions_auth.php's yourls_check_password_hash function a little like this (not useful now as it is likely different by now:

function yourls_check_password_hash( $user, $submitted_password ) {
	global $yourls_user_passwords;
	
	if( !isset( $yourls_user_passwords[ $user ] ) )
		return false;
//I started from here
	if(substr($yourls_user_passwords[ $user ],0,7)==='$argon2') { //check if the password is the argon2 password I set
return(password_verify($submitted_password,$yourls_user_passwords[ $user ])); //just use password_verify
}
//and ended here
	if ( yourls_has_phpass_password( $user ) ) {
//confinue as normal

and the config file's user section looks like this:

$yourls_user_passwords = array(
	'My1' => '$argon2i$v=19$m=524288,t=2,p=4$M0...',

just checked and damn that was on 1.7.1 so REALLY long ago