Support changing password hashing settings

Signed-off-by: Florian Pritz <bluewind@xinu.at>

2 files changed, 15 insertions, 1 deletions

diff --git a/application/config/config.php b/application/config/config.php
index 45cff945e..a535c4fea 100644
--- a/application/config/config.php
+++ b/application/config/config.php
@@ -440,6 +440,15 @@ $config['auth_fluxbb'] = array(
 	'database' => 'fluxbb'
 );
 
+// This is only used if the driver is set to db
+// For information about these values refer to https://secure.php.net/manual/en/function.password-hash.php
+$config['auth_db'] = array(
+	'hashing_options' => array(
+		'cost' => 10,
+	),
+	'hashing_algorithm' => PASSWORD_DEFAULT,
+);
+
 
 // Possible values: production, development
 // "development" enables features like profiling and display of SQL queries.
diff --git a/application/models/muser.php b/application/models/muser.php
index ced8c5ca2..852a7c3e3 100644
--- a/application/models/muser.php
+++ b/application/models/muser.php
@@ -14,12 +14,17 @@ class Muser extends CI_Model {
 	// last level has the most access
 	private $access_levels = array("basic", "apikey", "full");
 
+	private $hashalgo;
+	private $hashoptions = array();
+
 	function __construct()
 	{
 		parent::__construct();
 
 		$this->load->helper("filebin");
 		$this->load->driver("duser");
+		$this->hashalgo = $this->config->item('auth_db')['hashing_algorithm'];
+		$this->hashoptions = $this->config->item('auth_db')['hashing_options'];
 	}
 
 	function has_session()
@@ -258,7 +263,7 @@ class Muser extends CI_Model {
 
 	function hash_password($password)
 	{
-		$hash = password_hash($password, PASSWORD_DEFAULT);
+		$hash = password_hash($password, $this->hashalgo, $this->hashoptions);
 		if ($hash === false) {
 			throw new \exceptions\ApiException('user/hash_password/failed', "Failed to hash password");
 		}