IBX-10124: Add support for Argon2 password hashes #581

Open
wants to merge 2 commits into
base: main

@glye (Contributor) commented Jun 5, 2025

🎫 Issue IBX-10124

Related PRs:

Description:

Add support for PASSWORD_ARGON2I and PASSWORD_ARGON2ID password hashes, which increase security over the standard bcrypt.

Tested manually by passing hash type PASSWORD_ARGON2ID to the PasswordHashService:

# ibexa/core: src/lib/Resources/settings/fieldtype_services.yml
-    Ibexa\Core\Repository\User\PasswordHashService: ~
+    Ibexa\Core\Repository\User\PasswordHashService:
+        arguments:
+            $hashType:  9
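
Review bot: The literal `9` on the `$hashType:  9` line is a magic number: nothing in the hunk itself says it stands for PASSWORD_ARGON2ID, so a reader has to know the numeric mapping to tell it apart from the bcrypt type 7 mentioned in the description. If this override is meant to end up in documentation or a shipped config, consider a YAML comment naming the algorithm, or referencing the hash-type constant through Symfony's `!php/const` tag instead of the integer. The double space after the colon can also be dropped.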

Newly created users get the new hash type, and login works fine. For existing users with the standard hash type 7 (bcrypt), this doesn't update the password hash on either login or when changing the password. It seems the code for this was removed when we removed MD5 support way back in the day. UserService::updateUserPassword() always goes with the current hash type the user has.

If I change the code to always use the default hash type, it seamlessly updates the hash type when changing the password. But this may not be what we want. It would be a BC break in the sense that the new hashes won't work in the older DXP, or custom code based on the older DXP. However, if you want to keep BC, why change the default hash type in the first place?

We could set the preferred hash type in config. Or we could potentially set the hash type in the User FT, to make it zero config.

TODO / followup

  • If the configured hash type or cost parameters have changed, update password hash accordingly on login and/or on password change. We need to determine the logic we want. See password_needs_rehash()
  • Do we even have configuration for hash algos anymore? Was it removed when we removed support for MD5 and other insecure ones?
  • New config: 1) Default hash type, effective immediately for new users. 2) Boolean for whether existing users should be upgraded to the default hash type. 3) Boolean for whether the upgrade should happen only on password change, or also on login.
  • Performance: Upgrade on login adds a db write to login when the upgrade happens (once per user), but after that there are no extra db calls, just the password_needs_rehash() call.
  • Consider if we should also expose the parameters for memory_cost, time_cost and threads, or rely on defaults. The current PHP defaults are well above the OWASP recommended minimum settings.
  • There is also the general "cost" parameter for bcrypt. The default is occasionally increased in new PHP releases. This only takes effect for new users, unless we implement updates for existing users as in the first point above.

Documentation:

Docs that need an update:
https://doc.ibexa.co/en/latest/content_management/field_types/field_type_reference/userfield/#available-password-hash-types
https://doc.ibexa.co/en/latest/infrastructure_and_maintenance/security/security_checklist/#use-secure-password-hashing
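
The upgrade logic sketched in the TODO list above (default hash type, opt-in upgrade of existing users, upgrade on login versus only on password change) can be built on PHP's `password_verify()`, `password_needs_rehash()` and `password_hash()`. This is an added example, not code from this PR or from ibexa/core; the `HashUpgradePolicy` class, its constructor options and the in-memory `$user` array are hypothetical, and it assumes PHP 8 with Argon2 support.

```php
<?php
declare(strict_types=1);

// Hypothetical policy object mirroring the three proposed settings; not ibexa/core code.
// Assumes PHP 8 built with Argon2 support.
final class HashUpgradePolicy
{
    public function __construct(
        private string $defaultAlgo = PASSWORD_ARGON2ID, // 1) default for new users
        private array $options = [],          // memory_cost/time_cost/threads; [] = PHP defaults
        private bool $upgradeExisting = true, // 2) migrate existing users' hashes?
        private bool $upgradeOnLogin = true,  // 3) on login too, or only on password change
    ) {}

    public function hash(string $plain): string
    {
        return password_hash($plain, $this->defaultAlgo, $this->options);
    }

    /** Replacement hash to store after a successful login, or null if no write is needed. */
    public function rehashOnLogin(string $plain, string $storedHash): ?string
    {
        if (!$this->upgradeExisting || !$this->upgradeOnLogin) {
            return null;
        }
        // True when the stored algorithm or cost parameters differ from the policy.
        return password_needs_rehash($storedHash, $this->defaultAlgo, $this->options)
            ? $this->hash($plain)
            : null;
    }

    /** On password change: the default type, or the user's current type when upgrades are off. */
    public function hashOnPasswordChange(string $plain, string $storedHash): string
    {
        if ($this->upgradeExisting) {
            return $this->hash($plain);
        }
        return password_hash($plain, password_get_info($storedHash)['algo'] ?? PASSWORD_DEFAULT);
    }
}

// Constructed sample: an existing bcrypt user logs in with the correct password.
$policy = new HashUpgradePolicy();
$user = ['hash' => password_hash('s3cret-example', PASSWORD_BCRYPT)];
$submitted = 's3cret-example';
if (password_verify($submitted, $user['hash'])
    && ($new = $policy->rehashOnLogin($submitted, $user['hash'])) !== null) {
    $user['hash'] = $new; // the single extra write, once per user
}
echo password_get_info($user['hash'])['algoName'], PHP_EOL;
```

The rehash can only happen at a point where the plaintext password is available, which is why the policy hooks into login and password change rather than a batch migration.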

@glye changed the title from "IBX-10124: Added support for Argon2I(D) password hashes" to "IBX-10124: Add support for Argon2 password hashes" on Jun 6, 2025
@glye force-pushed the ibx10124_argon2_password_hashes branch from 29547bd to 5319d16 on June 27, 2025 14:34

Quality Gate failed

Failed conditions
11.9% Duplication on New Code (required ≤ 3%)

See analysis details on SonarQube Cloud
