From b1247d2fa10be17354f9462165d9688c662a53ad Mon Sep 17 00:00:00 2001
From: Yisroel Baum <yisroel.d.baum@gmail.com>
Date: Sun, 26 Apr 2026 09:06:17 +0300
Subject: [PATCH] add PasswordHasher interface with bcrypt implementation

Introduce an injectable abstraction over password_hash and
password_verify so callers can be swapped for a fast fake in tests
without paying bcrypt's CPU cost. The bcrypt implementation is a
direct passthrough using PASSWORD_DEFAULT, matching the prior inline
behavior, so existing stored hashes continue to verify.

Wired into the DI container alongside the other auth primitives
(Clock, TokenGenerator). No callers reference it yet, so production
behavior is unchanged.
---
 app/Auth/BcryptPasswordHasher.php | 16 ++++++++++++++++
 app/Auth/PasswordHasher.php       | 10 ++++++++++
 bootstrap/container.php           |  3 +++
 3 files changed, 29 insertions(+)
 create mode 100644 app/Auth/BcryptPasswordHasher.php
 create mode 100644 app/Auth/PasswordHasher.php

diff --git a/app/Auth/BcryptPasswordHasher.php b/app/Auth/BcryptPasswordHasher.php
new file mode 100644
index 0000000..8593710
--- /dev/null
+++ b/app/Auth/BcryptPasswordHasher.php
@@ -0,0 +1,16 @@
+<?php
+
+namespace App\Auth;
+
+class BcryptPasswordHasher implements PasswordHasher
+{
+    public function hash(string $plaintext): string
+    {
+        return password_hash($plaintext, PASSWORD_DEFAULT);
+    }
+
+    public function verify(string $plaintext, string $hash): bool
+    {
+        return password_verify($plaintext, $hash);
+    }
+}
diff --git a/app/Auth/PasswordHasher.php b/app/Auth/PasswordHasher.php
new file mode 100644
index 0000000..332d105
--- /dev/null
+++ b/app/Auth/PasswordHasher.php
@@ -0,0 +1,10 @@
+<?php
+
+namespace App\Auth;
+
+interface PasswordHasher
+{
+    public function hash(string $plaintext): string;
+
+    public function verify(string $plaintext, string $hash): bool;
+}
diff --git a/bootstrap/container.php b/bootstrap/container.php
index 4568c66..2ae6e4c 100644
--- a/bootstrap/container.php
+++ b/bootstrap/container.php
@@ -2,8 +2,10 @@
 
 use DI;
 use DI\Container;
+use App\Auth\BcryptPasswordHasher;
 use App\Auth\Clock;
 use App\Auth\JsonSessionRepository;
+use App\Auth\PasswordHasher;
 use App\Auth\RandomTokenGenerator;
 use App\Auth\SessionRepository;
 use App\Auth\SystemClock;
@@ -30,6 +32,7 @@ $container = new Container([
         DI\autowire(JsonSessionRepository::class),
     TokenGenerator::class => DI\autowire(RandomTokenGenerator::class),
     Clock::class => DI\autowire(SystemClock::class),
+    PasswordHasher::class => DI\autowire(BcryptPasswordHasher::class),
 ]);
 
 return $container;