I am trying to migrate users from my Magento 2 database to Auth0.
I am using the bulk import endpoints (too new for link). The user passwords are hashed using the “Argon 2ID13” algorithm in PHP. I am reasonably confident the built-in PHP function “sodium_crypto_pwhash” is being used. (Doc found by googling sodium_crypto_pwhash, account too new to link.)
I’m reasonably confident the implementation of all this within Magento can be found here (magento2/Encryptor.php at 1c3837ce0183180d40d4c0e0fd0ae7baca38673f · magento/magento2 · GitHub)
Relevant snippet:
```php
sodium_crypto_pwhash(
    SODIUM_CRYPTO_SIGN_SEEDBYTES, // 32?
    $data,
    $salt,
    SODIUM_CRYPTO_PWHASH_OPSLIMIT_INTERACTIVE, // Unknown
    SODIUM_CRYPTO_PWHASH_MEMLIMIT_INTERACTIVE, // Unknown
    $this->hashVersionMap[self::HASH_VERSION_ARGON2ID13] // 2
)
```
I’m not a PHP developer and it seems nearly impossible to find the values for constants online. Here is a list of the constants (https://www.php.net/manual/en/sodium.constants.php) with no values, how helpful.
Similar looking constants can be found in the source looking in these files: (libsodium/crypto_pwhash_argon2id.h at master · jedisct1/libsodium · GitHub)
```
crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE 2U
crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE 67108864U // 65,536 KB
```
Looking elsewhere, according to the PHP RFC: Argon2 Password Hash, it looks like the defaults for hashing Argon in PHP are:
- memory_cost = 1024 KiB
- time_cost = 2
- threads = 2
I’ve tried many permutations of these values and have not been able to get the “right” output.
As a test I created a user in a staging env, which I have since deleted, with these facts:
- Salt: FGzVvZzPx67rz4um
- B64 Salt: Rkd6VnZaelB4NjdyejR1bQ
- Hash:
- B64 Hash:
- m: ?
- t: ?
- p: ?
ULTIMATE QUESTION:
What should the end result be for my “custom_password_hash.hash.value”? I know it should be something like this:
$argon2id$m=?,t=?,p=?$Rkd6VnZaelB4NjdyejR1bQ$<b64 hash>
Thank you
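
The conversion asked about above, as an added example that is not part of the original post or of Magento's or Auth0's own code: it turns a stored salt and hex hash into an Argon2 PHC string using the libsodium INTERACTIVE values quoted in the post (t=2, 67108864 bytes = 65536 KiB), with p=1 and v=19 as libsodium's Argon2id uses. Assumptions: the stored value has the form `hexhash:salt:2`, the bulk import algorithm name is `argon2`, and the hash bytes below are constructed sample data, not a real hash.

```python
import base64

# Values quoted in the post from libsodium's crypto_pwhash_argon2id.h
OPSLIMIT_INTERACTIVE = 2
MEMLIMIT_INTERACTIVE = 67108864  # bytes; PHC strings express m in KiB
SALT_BYTES = 16                  # salt length crypto_pwhash requires
HASH_BYTES = 32                  # output length requested in the snippet


def b64_nopad(raw: bytes) -> str:
    """Standard-alphabet base64 with the '=' padding stripped (PHC style)."""
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def to_phc(salt: str, hash_hex: str,
           opslimit: int = OPSLIMIT_INTERACTIVE,
           memlimit: int = MEMLIMIT_INTERACTIVE) -> str:
    """Build $argon2id$v=19$m=..,t=..,p=1$<salt>$<hash> from stored parts."""
    salt_raw = salt.encode("ascii")
    hash_raw = bytes.fromhex(hash_hex)
    if len(salt_raw) != SALT_BYTES:
        raise ValueError(f"salt must be {SALT_BYTES} bytes, got {len(salt_raw)}")
    if len(hash_raw) != HASH_BYTES:
        raise ValueError(f"hash must be {HASH_BYTES} bytes, got {len(hash_raw)}")
    m_kib, remainder = divmod(memlimit, 1024)
    if remainder:
        raise ValueError("memlimit must be a whole number of KiB")
    # p=1: libsodium runs Argon2id with a single lane; v=19 is version 0x13
    return (f"$argon2id$v=19$m={m_kib},t={opslimit},p=1"
            f"${b64_nopad(salt_raw)}${b64_nopad(hash_raw)}")


def to_import_record(email: str, stored: str) -> dict:
    """Assumed stored layout: '<hex hash>:<salt>:<version>', version 2."""
    hash_hex, salt, version = stored.split(":")
    if version != "2":
        raise ValueError(f"not an Argon2id13 entry (version {version!r})")
    return {"email": email,
            "custom_password_hash": {"algorithm": "argon2",
                                     "hash": {"value": to_phc(salt, hash_hex)}}}


# Salt from the post; the 32 hash bytes are a constructed placeholder.
SAMPLE_STORED = bytes(range(32)).hex() + ":FGzVvZzPx67rz4um:2"

if __name__ == "__main__":
    print(to_import_record("user@example.com", SAMPLE_STORED))
```

Whether a given Magento row actually verifies with these parameters has to be confirmed by importing one test user and logging in with the known password.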