Deprecation: #102763 - Extbase HashService

See forge#102763

Description

Internal class \TYPO3\CMS\Extbase\Security\Cryptography\HashService is deprecated in favor of \TYPO3\CMS\Core\Crypto\HashService , which requires an additional secret to prevent re-using generated hashes in different contexts.

Impact

Using class \TYPO3\CMS\Extbase\Security\Cryptography\HashService will trigger a PHP deprecation warning.

Affected installations

TYPO3 installations with custom extensions using \TYPO3\CMS\Extbase\Security\Cryptography\HashService.

Migration

Class \TYPO3\CMS\Core\Crypto\HashService must be used to migrate.

Before

$hashService = new \TYPO3\CMS\Extbase\Security\Cryptography\HashService();

$generatedHash = $hashService->generateHmac('123');
$isValidHash = $hashService->validateHmac('123', $generatedHash);

$stringWithAppendedHash = $hashService->appendHmac('123');
$validatedStringWithHashRemoved = $hashService->validateAndStripHmac($stringWithAppendedHash);
Copied!

After

$hashService = new \TYPO3\CMS\Core\Crypto\HashService();

$generatedHash = $hashService->hmac('123', 'myAdditionalSecret');
$isValidHash = $hashService->validateHmac('123', 'myAdditionalSecret', $generatedHash);

$stringWithAppendedHash = $hashService->appendHmac('123', 'myAdditionalSecret');
$validatedStringWithHashRemoved = $hashService->validateAndStripHmac($stringWithAppendedHash, 'myAdditionalSecret');
Copied!

Note, $additionalSecret string must be unique per context, so hashes for the same input are different depending on scope.