Page 5 of 6

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Mon Dec 30, 2019 3:03 pm
by 24unix
warmweer wrote:
Mon Dec 30, 2019 10:29 am
BlackPandaBear wrote:
Mon Dec 30, 2019 9:50 am
Could someone with more knowledge on here explain why an extension could become incompatible after upgrading from 3.2.8 to 3.3?
One of the reasons would be the change in coding guidelines
Is there anything to read how the guidelines will look in the future?
PSR compliant braces?
Camelcase variables like the rest of symfony?

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Mon Dec 30, 2019 8:42 pm
by mrgoldy
The change was not in phpBB Guidelines but in Symfony’s code.
Moreover, it was deprecated for quite a while already. Meaning that phpBB extension developers shouldn’t of been using it or had plenty of time to adjust it by now.
So now that ‘feature’ is completely removed in Symfony so phpBB extensions that still have it, will error.
Basically, phpBB didn’t change. Symfony did. So you’ll have to look there for answers.
danieltj wrote:
Mon Dec 30, 2019 2:58 pm
I'd like to help test and develop phpBB. What's the best way to get involved and contribute code?
This should get you started:
https://www.phpbb.com/get-involved/

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Tue Dec 31, 2019 4:38 am
by John connor
There are two versions of Argon2. Which PHP version supports which hashing version? Also, when you update the forum to 3.3.x, will all the passwords get rehashed on the fly?

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Tue Dec 31, 2019 9:35 pm
by 3Di
argon2i supported by PHP 7.2
argon2id supported by PHP 7.3 / 7.4

PWs will be converted when users log in, depending on the PHP version the Board is running on, in the following cases.
  • If using PHP 7.1 the passwords will remain with the same hash.
  • If using PHP 7.2 the passwords will be automatically converted to argon2i.
  • If using PHP 7.3 / 7.4 the passwords will be automatically converted to argon2id.
  • By switching from PHP 7.2 to PHP 7.3 / 7.4 the passwords will be automatically converted from argon2i to argon2id.

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Tue Dec 31, 2019 10:16 pm
by koraldon
If someone downgrades the php version, will it also convert the hash or can it cause issues?

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Tue Dec 31, 2019 10:44 pm
by 3Di
Downgrading to PHP 7.1 will cause the PWs no longer work. :geek:

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Wed Jan 01, 2020 12:46 am
by david63
3Di wrote:
Tue Dec 31, 2019 10:44 pm
Downgrading to PHP 7.1 will cause the PWs no longer work. :geek:
That I can confirm from my test board - it took me an hour to get back in!!

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Wed Jan 01, 2020 12:53 am
by 3Di
david63 wrote:
Wed Jan 01, 2020 12:46 am
3Di wrote:
Tue Dec 31, 2019 10:44 pm
Downgrading to PHP 7.1 will cause the PWs no longer work. :geek:
That I can confirm from my test board - it took me an hour to get back in!!
I should have posted a fix for the daredevils... :lol:

https://bcrypt-generator.com/

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Wed Jan 01, 2020 1:48 am
by John connor
So I'm using PHP 7.2 now. If I upgrade to 3.3.x and then latter on upgrade to PHP 7.3 or 7.4, will the passwords still automatically get rehased?

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Wed Jan 01, 2020 2:27 am
by 3Di
I can't be any clearer than I've already been. :?

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Wed Jan 01, 2020 2:31 am
by 24unix
3Di wrote:
Tue Dec 31, 2019 9:35 pm
argon2i supported by PHP 7.2
argon2id supported by PHP 7.3 / 7.4

PWs will be converted when users log in, depending on the PHP version the Board is running on, in the following cases.
Can you give a short clue how that is done?

Well, I could look at the source, but, maybe you're faster :-)

The PW is only stored as a hash, without a way to recover (without breaking the hash). How do I convert from one method to the other?

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Wed Jan 01, 2020 2:58 am
by 3Di
24unix wrote:
Wed Jan 01, 2020 2:31 am
How do I convert from one method to the other?
You need to do nothing using phpBB. :)

If you are asking as a developer: https://www.php.net/manual/en/function. ... d-hash.php

Note: this topic is not devoted to general PHP coding questions nor this board.

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Wed Jan 01, 2020 5:06 am
by 24unix
3Di wrote:
Wed Jan 01, 2020 2:58 am
24unix wrote:
Wed Jan 01, 2020 2:31 am
How do I convert from one method to the other?
You need to do nothing using phpBB. :)

If you are asking as a developer: https://www.php.net/manual/en/function. ... d-hash.php

Note: this topic is not devoted to general PHP coding questions nor this board.
It is neither, I think. But isn't everyone interested in whats going on under the hood?

I just found this article: https://www.michalspacek.com/upgrading- ... ord-hashes, so a reasonable way would be to store both, old and new hash, and convert during a successful login.

I just looked at the migrations, there is nothing that look like a copy of the hash.

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Wed Jan 01, 2020 10:00 pm
by Marc
When a user logs in, the password that user entered will be hashed using the new password algorithm and that will be stored as the new hash. Easy as that. ;)

Re: Discuss: phpBB 3.3.0-RC1 Release

Posted: Thu Jan 02, 2020 3:53 am
by 24unix
Marc wrote:
Wed Jan 01, 2020 10:00 pm
When a user logs in, the password that user entered will be hashed using the new password algorithm and that will be stored as the new hash. Easy as that. ;)
Sounds reasonable :-)

thx.

Edith says:

I thought a while about it, was glimpsing through the 3.3 code.

If you become PSR compliant and use CamelCase instead of the 80ies snkae_case phpBB might become an interesting softwarestack.

I already have three Mods in the pipeline to be converted as extensions, but they will never get officially granted from phpBB, as I use decent naming schemes and code styles (mind PSR).