Deprecate md5() and weak algos in passwordless API & normal login

docs/guide/advanced/passwordless-api.md

@@ -6,17 +6,21 @@ If you're worried about sending your credentials into the wild, you can also mak
 
 ## Signature token
 
-Your secret signature token will be a string like `1002a612b4`
+Your secret signature token will be a 32 character string like `4ea59aab37f6df0755a6da98ee5ca85d`.
 
-A secret signature token is unique, associated to one account, and can be used only for API requests. It cannot be used to log in your YOURLS setup. You will find it in the Tools page of your YOURLS install.
+A secret signature token is unique, associated to one account, and can be used only for API requests. It cannot be used to
+log in your YOURLS setup. You will find it in the Tools page of your YOURLS install.
 
-**NB**: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a login and password to use it. Therefore there's no signature token to be used instead of a login/password pair.
+**NB**: Can't see this signature on the Tools page? It's probably because your install is public. Therefore, you don't use a
+login and password to use it. Therefore there's no signature token to be used instead of a login/password pair.
+
+If you know what you are doing, you can customize the signature length or even content with filters `auth_signature_length` and `auth_signature`.
 
 ## Usage of the signature token
 
 Use parameter `signature` in your API requests. Example:
 
-`https://yoursite/yourls-api.php?signature=1002a612b4&action=...`
+`https://yoursite/yourls-api.php?signature=4ea59aab37f6df0755a6da98ee5ca85d&action=...`
 
 ## Usage of a time limited signature token
 
@@ -27,36 +31,24 @@ First, craft the time limited signature token:
 ```php
 <?php
 $timestamp = time();
-$signature = md5( $timestamp . '1002a612b4' );
-// Replace with your own secret signature token. Example result:
-// $signature = "ed8d12124fc7916b00e3ecd7dc2c1d6a"
+$signature = hash('sha256', $timestamp . '4ea59aab37f6df0755a6da98ee5ca85d' );
+// $signature = "10c28ab4a8b1b6acf3bef1a3e3284f4984d... (64 chars)"
 ?>
 ```
 
-Now use parameters `signature` and `timestamp` in your API requests. Example:
+The hash must be one of `sha256`, `sha384` or `sha512`, unless explicitly allowed by a plugin via
+the `allowed_hash_algos` filter.
+
+Now use parameters `signature`, `timestamp` and `hash` in your API requests. Example:
 
-`https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&action=...`
+`https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&hash=sha256&action=...`
 
 This URL would be valid for only 43200 seconds (12 hours), the default value of constant `YOURLS_NONCE_LIFE`.
 
 To modify this duration, add the following to your `config.php`:
 `define( 'YOURLS_NONCE_LIFE', number_of_seconds );`
 (note this also affect all the internal links of YOURLS such as the ones to activate a plugin, delete a short URL, etc.)
 
-### Use other hash algorithms than `md5`
-
-From YOURLS 1.7.7 you can use any hash function instead of `md5()`. Simply add the `hash=<hash algo>` argument to your API request, for instance:
-
-```php
-<?php
-$timestamp = time();
-$signature = hash('sha512', $timestamp . '1002a612b4' );
-// $signature = "10c28ab4a8b1b6acf3bef1a3e3284f4984d... (128 chars)"
-?>
-```
-
-Now use `https://yoursite/yourls-api.php?timestamp=$timestamp&signature=$signature&hash=sha512&action=...`
-
 **NB**: if you try to use a hash algorithm that your setup doesn't support, you will get a simple authentication error as if the timestamp or signature were incorrect.
 
 ## Reset your secret signature token

docs/guide/essentials/credentials.md

@@ -4,11 +4,11 @@
 
 In `config.php`, the variable `$yourls_user_passwords` shall contain an array of usernames and passwords.
 
-To improve security and user experience, YOURLS 1.7+ **automatically encrypts** these passwords within your config file.
+To improve security and user experience, YOURLS **automatically encrypts** these passwords within your config file.
 
 ## Editing login & passwords in `config.php`
 
-Edit and save your config file with an array of simple `key => value` associations like the followings:
+Edit and save your config file with an array of simple `key => value` associations like the following:
 
 One login/password:
 
@@ -33,7 +33,8 @@ $yourls_user_passwords = array(
 
 ## Password auto-encryption
 
-Next time you'll run YOURLS, this array will be rewritten, replacing plain text passwords with encrypted and undecipherable hashes. If you check now your `config.php`, you should see something like:
+Next time you'll run YOURLS, this array will be rewritten, replacing plain text passwords with encrypted and
+undecipherable hashes. If you check now your `config.php`, you should see something like:
 
 ```php
 <?php
@@ -44,10 +45,12 @@ $yourls_user_passwords = array(
 );
 ```
 
-User will still log in using `joe` as a username and `MyPassword` as a password, but this password is no longer written down anywhere in the config file.
+User will still log in using `joe` as a username and `MyPassword` as a password, but this password is no longer written
+down anywhere in the config file.
 
 :::tip Nerd note:
-We're using the Blowfish algorithm to encrypt passwords, an industry standard strong one-way hashing algorithm. This will hash your passwords so tight even the NSA will never be able to find out.
+We're using PHP's default password hashing algorithm, Blowfish as of writing, an industry standard strong one-way hashing algorithm.
+This will hash your passwords so tight even the NSA will never be able to find out.
 :::
 
 ## FAQ
@@ -58,46 +61,24 @@ If YOURLS cannot edit and save your `config.php` file, you will see the followin
 
 > _Could not auto-encrypt passwords. Error was: "cannot write file"._
 
-Your config file is probably locked for reading and or writing (eg _chmoded_), which can be a good security practice. Temporarily lift that restriction (`chmod 0666 config.php`), load a YOURLS page again, then `chmod` it back.
+Your config file is probably locked for reading and or writing (eg _chmoded_), which can be a good security practice. In a terminal console, note
+the original _chmod_ (`stat -c "%a" config.php`), temporarily lift that restriction (`chmod 0666 config.php`), load a YOURLS page again,
+then `chmod` it back to the original value (for example `chmod 600 config.php`).
 
-If for some reason you cannot get it working, see **manual MD5 encryption** below
+### I have an error message: "_Password stored as MD5 hash_"
+
+If your `config.php` contains password encrypted the old way with `md5()`, you should consider using more robust hashes.
+
+To do so: simply replace the string `md5:<5 digits>:<32 chars>` with your password in clear text, load a YOURLS page again. Everything should be now encrypted.
 
 ### Why hash passwords?
 
-Storing your password as a crypted hash is more secure: if someone has access to your `config.php`, they won't be able to determine what your password is and won't be able to log in your setup. The drawback is that if you forget your own password, you cannot retrieve it: see below.
+Storing your password as a encrypted hash is more secure: if someone has access to your `config.php`, they won't be able to determine what your password is and won't be able to log in your setup. The drawback is that if you forget your own password, you cannot retrieve it: see below.
 
 ### I don't remember my password / I want to change it
 
 Simply edit your `config.php` and write a new password in clear text. Next time you'll load YOURLS, it will be encrypted again.
 
-### Manual MD5 encryption
-
-If you prefer, you can manually encrypt passswords using a MD5 salted hash of the following structure:
-
-`md5:< salt of 5 digits >:< md5 of salt + password >`
-
-A PHP example to generate an encrypted password would be:
-
-```php
-<?php
-$password = 'MyPassword';
-$salt = rand( 10000, 99999 ); // example: 71688
-$encrypted = 'md5:' . $salt . ':' . md5( $salt . $password ) // example: md5:71688:0ce43474167f743b7b92d046ae970801
-```
-
-You can simply use the [YOURLS salted hash generator](https://yourls.org/md5).
-
-Edit your `config.php` so that the `key => value` associations with encrypted passwords looks like the following:
-
-```php
-<?php
-$yourls_user_passwords = array(
-    'joe' => 'md5:71688:0ce43474167f743b7b92d046ae970801',
-);
-```
-
-Hashes using MD5 are slightly less secure than using native YOURLS encryption, but still way better than plain text passwords.
-
 ### I don't want to encrypt my password
 
 If for some reason you'd rather keep your password unencrypted and in plain text in your config, simply add the following at the end of your `config.php`:

package.json

@@ -17,15 +17,14 @@
   "dependencies": {
     "@mdx-js/react": "^3.1.1",
     "clsx": "^2.1.1",
-    "md5": "^2.3.0",
     "prism-react-renderer": "^2.4.1",
     "react": "^19.2.6",
     "react-dom": "^19.2.6"
   },
   "devDependencies": {
     "@docusaurus/core": "3.10.1",
-    "@docusaurus/preset-classic": "3.10.1",
     "@docusaurus/module-type-aliases": "3.10.1",
+    "@docusaurus/preset-classic": "3.10.1",
     "@docusaurus/types": "3.10.1",
     "graphql-request": "^7.4.0",
     "prettier": "^3.8.3",

static/_redirects

@@ -1,7 +1,8 @@
 # https://developers.cloudflare.com/workers/static-assets/redirects/
 
 /blog/feed/ /blog/atom.xml 301
-/md5.php /md5 301
+/md5.php /docs/guide/essentials/credentials 301
+/md5 /docs/guide/essentials/credentials 301
 /cookiekey.php https://api.yourls.org/services/cookiekey/1.0/ 301
 /hooklist.php https://app.yourls.org/hooklist.php 308
 /admin/* https://app.yourls.org/admin/:splat 308