[pmwiki-users] Argon2ID authentication

Petko Yotov 5ko at 5ko.fr
Wed Apr 22 03:54:29 PDT 2026


You should never need to modify core PmWiki files. Everything can be 
configured and your custom functions grafted without changing 
authuser.php. This will ensure your custom functions will continue to 
work when you upgrade your PmWiki core.

If you can't see how, please ask.

Here is some sample code to check passwords from a database. It should 
get you started:

   # before including authuser.php, attach our own function
   $AuthUserFunctions['peters_backend'] = 'AuthUserPetersDB';
   $AuthUser['peters_backend'] = 1;
   function AuthUserPetersDB($pagename, $username, $password, $pwlist, &$authlist) {
     global $pdo;
     # Get the hash from the database
     $stmt = $pdo->prepare("SELECT `pass_hash` FROM `users` WHERE `username` = ? LIMIT 1");
     $stmt->execute([$username]);
     $passHash = $stmt->fetchColumn();

     # username not found: prevent timing attacks
     if ($passHash === false) $passHash = 'not a valid hash';

     # invalid password
     if (! password_verify($password, $passHash)) return false;

     # success

     # set user groups
     $authlist['@admins'] = 1;
     $authlist['@editors'] = 1;

     return true;
   }
   include_once("scripts/authuser.php");

PDO and prepared statements are very strongly recommended.

This code should go in local/config.php or in a new script under 
cookbook/ included before including authuser.php.

Let me know if you have questions.

Petko


-- 
If you upgrade :  https://www.pmwiki.org/Upgrades

On 22/04/2026 10:17, Peter van Es wrote:
> I am setting up a new PMWiki site.
> 
> I have user records in a database table on the same host. It contains
> usernames and passwords which are Argon2ID salted hashes. They can
> be verified using the php function:
> https://www.php.net/manual/en/function.password-verify.php
> which just needs the hash, and the password entered by the user.
> 
> I’m looking into using recipes:
> 
> 1. standard authuser.php, which is where the password is checked, if
> I’m not mistaken
> 2. AuthUserDB which looks overly complicated given that all user
> management and password resets are done on another system
> 3. and the adodb-connect.php script
> 
> However, most of these do not appear to have been updated since
> 2007…
> 
> Should I simplify things and just build my own customised database
> layer, and modify authuser.php to use the password verify function?
> Additionally I want to add groups to the user so that I have more
> fine-grained access control…
> 
> Thanks in advance for your guidance
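A worked variant of the sample above, added here as an example and not code from Petko or from PmWiki itself. It differs in two ways: the "unknown user" path verifies against a real, precomputed Argon2id hash so that it costs the same as a genuine verification (password_verify() returns almost immediately on a string that is not a recognised hash, which is measurably faster than an Argon2id check), and the user's groups are read from a second table rather than hard-coded. The table names `users(id, username, pass_hash)` and `user_groups(user_id, group_name)`, the DSN and credentials, and the function name are assumptions.

```php
<?php
# Added example (not Petko's code): same AuthUser hook as in the reply above,
# with a precomputed dummy hash for unknown users and DB-driven groups.
# Assumed (hypothetical) schema: users(id, username, pass_hash) and
# user_groups(user_id, group_name), where group_name holds e.g. 'editors'.
# Place in local/config.php before scripts/authuser.php is included.

# Generate once with:  php -r 'echo password_hash("x", PASSWORD_ARGON2ID);'
# and paste the output here (placeholder below). Any other string still fails
# safely, but password_verify() then returns fast and leaks which names exist.
define('DUMMY_ARGON2ID_HASH', 'PASTE_OUTPUT_OF_password_hash_HERE');

# Assumed connection details
$pdo = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass',
  [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

$AuthUserFunctions['db_backend'] = 'AuthUserDBWithGroups';
$AuthUser['db_backend'] = 1;

function AuthUserDBWithGroups($pagename, $username, $password, $pwlist, &$authlist) {
  global $pdo;

  $stmt = $pdo->prepare('SELECT `id`, `pass_hash` FROM `users` WHERE `username` = ? LIMIT 1');
  $stmt->execute([$username]);
  $row = $stmt->fetch(PDO::FETCH_ASSOC);   # false when the username is unknown

  # Always run a full Argon2id verification, even for unknown usernames,
  # and never let the dummy hash alone grant access.
  $hash = $row ? $row['pass_hash'] : DUMMY_ARGON2ID_HASH;
  $ok = password_verify($password, $hash);
  if (!$row || !$ok) return false;

  # Load group memberships; PmWiki group names are '@' followed by the name.
  $grp = $pdo->prepare('SELECT `group_name` FROM `user_groups` WHERE `user_id` = ?');
  $grp->execute([$row['id']]);
  foreach ($grp->fetchAll(PDO::FETCH_COLUMN) as $g) {
    # Accept plain identifiers only, so a stray row cannot produce an odd group name.
    if (preg_match('/^[A-Za-z0-9_]+$/', $g)) $authlist['@' . $g] = 1;
  }
  return true;
}

include_once("scripts/authuser.php");
```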


