Wp Password Laravel Package

Getting Started

Minimal Setup

1. Installation:

   composer require mikemclin/laravel-wp-password
   

   Add the service provider to config/app.php:

   MikeMcLin\WpPassword\WpPasswordProvider::class
   

2. First Use Case: Hash a password for WordPress compatibility:

   use MikeMcLin\WpPassword\Facades\WpPassword;
   
   $hashed = WpPassword::make('user_input_password');
   

3. Where to Look First:

   • Facade: MikeMcLin\WpPassword\Facades\WpPassword (for quick usage).
   • Helper Class: MikeMcLin\WpPassword\WpPassword (for direct instantiation).
   • Tests: /tests/ for edge cases and validation logic.

Implementation Patterns

Core Workflows

1. Password Hashing:

   // Basic hashing
   $hash = WpPassword::make('plain_password');
   
   // With custom cost (default: 8)
   $hash = WpPassword::make('plain_password', 10);
   

2. Password Verification:

   // Check if plain password matches hashed
   if (WpPassword::check('user_input', $stored_hash)) {
       // Valid
   }
   

3. Integration with Laravel Auth:

   • Use in App\Providers\AuthServiceProvider for custom password validation:

     public function boot()
     {
         Hash::extend('wp', function($app) {
             return new MikeMcLin\WpPassword\WpPassword();
         });
     }
     

   • Configure config/auth.php:

     'defaults' => [
         'password' => 'wp',
     ],
     

4. Migrating Existing Data:

   // Update user passwords in a migration
   DB::table('users')->update([
       'password' => WpPassword::make('new_password')
   ]);
   

5. API Responses:

   // Return hashed password in API responses (e.g., user registration)
   return response()->json([
       'status' => 'success',
       'password_hash' => WpPassword::make($request->password)
   ]);
   

Advanced Patterns

• Custom Cost Logic: Dynamically set hash cost based on user role or security settings:

  $cost = auth()->user()->isAdmin() ? 12 : 8;
  $hash = WpPassword::make($password, $cost);
  

• Batch Processing: Use in queue jobs for bulk password updates:

  class UpdatePasswordsJob implements ShouldQueue
  {
      public function handle()
      {
          User::chunk(100, function ($users) {
              foreach ($users as $user) {
                  $user->password = WpPassword::make('new_password');
                  $user->save();
              }
          });
      }
  }
  

• Legacy System Integration: Sync with external systems using WordPress hashes:

  $externalHash = $legacySystem->getHash();
  if (WpPassword::check('user_input', $externalHash)) {
      // Proceed with legacy auth
  }
  

Gotchas and Tips

Common Pitfalls

1. Cost Parameter:

   • WordPress defaults to cost 8. Higher values increase security but slow hashing.
   • Tip: Avoid setting cost dynamically in production without testing performance impact.

2. Facade vs. Class:

   • The facade (WpPassword::make()) is convenient but less flexible than the class:

     // Facade (simpler)
     $hash = WpPassword::make('password');
     
     // Class (more control)
     $wpPassword = new MikeMcLin\WpPassword\WpPassword();
     $hash = $wpPassword->make('password', 10);
     

3. Thread Safety:

   • The package is stateless and thread-safe, but ensure no race conditions when updating passwords in bulk.

4. Laravel Hashing Conflicts:

   • If using Laravel’s built-in Hash facade, avoid naming collisions:

     // Bad: Ambiguous if both packages are loaded
     $hash = Hash::make('password');
     
     // Good: Explicitly use WP package
     $hash = WpPassword::make('password');
     

5. Deprecated Methods:

   • The package follows WordPress’s wp_hash_password() and wp_check_password() signatures. Check the WordPress Codex for updates.

Debugging Tips

1. Verify Hashes: Use WordPress’s wp_check_password() in PHP CLI to validate hashes:

   require 'vendor/autoload.php';
   use MikeMcLin\WpPassword\Facades\WpPassword;
   
   $hash = WpPassword::make('test');
   var_dump(WpPassword::check('test', $hash)); // bool(true)
   

2. Cost Validation: Test edge cases for cost values (e.g., 0 or >12):

   try {
       WpPassword::make('password', 0); // May throw or behave unexpectedly
   } catch (\Exception $e) {
       // Handle
   }
   

3. Performance Profiling: Benchmark hashing with different costs:

   $start = microtime(true);
   WpPassword::make('long_password', 12);
   $time = microtime(true) - $start;
   

Extension Points

1. Custom Hash Algorithms: Extend the package to support additional algorithms (e.g., Argon2):

   class CustomWpPassword extends MikeMcLin\WpPassword\WpPassword
   {
       public function make($password, $cost = 8)
       {
           // Custom logic here
           return parent::make($password, $cost);
       }
   }
   

2. Event Listeners: Trigger events for password hashing/verification:

   // In EventServiceProvider
   public function boot()
   {
       WpPassword::addListener('hashing', function ($hash) {
           Log::info("Password hashed: " . substr($hash, 0, 10) . "...");
       });
   }
   

3. Configuration: Override defaults in config/wp-password.php (if added by the package):

   'default_cost' => 10,
   'algorithm' => 'wp_standard',
   

4. Testing: Mock the package in PHPUnit:

   $this->partialMock(MikeMcLin\WpPassword\WpPassword::class, ['make'])
        ->shouldReceive('make')
        ->with('password', 8)
        ->andReturn('$hashed');