From 831d7b854beaff2d95ff81265a15c6030c89a519 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Thu, 14 Nov 2024 11:31:02 -0500
Subject: [PATCH 01/14] [Config] Add password algorithm selector

---
 SQL/0000-00-03-ConfigTables.sql                      | 12 +++++++-----
 .../2024-11-14-Add-Password-Algo-Config.sql          |  7 +++++++
 htdocs/postdeploy.php                                |  4 +++-
 modules/configuration/php/configuration.class.inc    |  8 ++++++++
 .../configuration/templates/form_configuration.tpl   | 10 +++++++++-
 php/installer/Installer.class.inc                    |  4 +++-
 php/libraries/Password.class.inc                     |  4 +++-
 php/libraries/SinglePointLogin.class.inc             |  6 ++++--
 tools/resetpassword.php                              |  4 +++-
 9 files changed, 47 insertions(+), 12 deletions(-)
 create mode 100644 SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql

diff --git a/SQL/0000-00-03-ConfigTables.sql b/SQL/0000-00-03-ConfigTables.sql
index e7b4d637a0d..0d32b1d3425 100644
--- a/SQL/0000-00-03-ConfigTables.sql
+++ b/SQL/0000-00-03-ConfigTables.sql
@@ -8,7 +8,7 @@ CREATE TABLE `ConfigSettings` (
     `Description` varchar(255) DEFAULT NULL,
     `Visible` tinyint(1) DEFAULT '0',
     `AllowMultiple` tinyint(1) DEFAULT '0',
-    `DataType` ENUM('text','boolean','email','instrument','textarea','scan_type','date_format','lookup_center','path','web_path', 'log_level') DEFAULT NULL,
+    `DataType` ENUM('text','boolean','email','instrument','textarea','scan_type','date_format','lookup_center','path','web_path','log_level','password_algo') DEFAULT NULL,
     `Parent` int(11) DEFAULT NULL,
     `Label` varchar(255) DEFAULT NULL,
     `OrderNumber` int(11) DEFAULT NULL,
@@ -59,10 +59,11 @@ INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType,
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'citation_policy', 'Citation Policy for Acknowledgements module', 1, 0, 'textarea', ID, 'Citation Policy', 25 FROM ConfigSettings WHERE Name="study";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'CSPAdditionalHeaders', 'Extensions to the Content-security policy allow only for self-hosted content', 1, 0, 'text', ID, 'Content-Security Extensions', 26 FROM ConfigSettings WHERE Name="study";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'usePwnedPasswordsAPI', 'Whether to query the Have I Been Pwned password API on password changes to prevent the usage of common and breached passwords', 1, 0, 'boolean', ID, 'Enable "Pwned Password" check', 27 FROM ConfigSettings WHERE Name="study";
-INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'dateDisplayFormat', 'The date format to use throughout LORIS for displaying date information - formats for date inputs are browser- and locale-dependent.', 1, 0, 'text', ID, 'Date display format', 28 FROM ConfigSettings WHERE Name="study";
-INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'adminContactEmail', 'An email address that users can write to in order to report issues or ask question', 1, 0, 'text', ID, 'Administrator Email', 29 FROM ConfigSettings WHERE Name="study";
-INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'UserMaximumDaysInactive', 'The maximum number of days since last login before making a user inactive', 1, 0, 'text', ID, 'Maximum Days Before Making User Inactive', 30 FROM ConfigSettings WHERE Name="study";
-INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'useDoB', 'Use DoB (Date of Birth)', 1, 0, 'boolean', ID, 'Use DoB', 31 FROM ConfigSettings WHERE Name="study";
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo',1,'Password Algorithm',28 FROM ConfigSettings WHERE Name="study";
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'dateDisplayFormat', 'The date format to use throughout LORIS for displaying date information - formats for date inputs are browser- and locale-dependent.', 1, 0, 'text', ID, 'Date display format', 29 FROM ConfigSettings WHERE Name="study";
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'adminContactEmail', 'An email address that users can write to in order to report issues or ask question', 1, 0, 'text', ID, 'Administrator Email', 30 FROM ConfigSettings WHERE Name="study";
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'UserMaximumDaysInactive', 'The maximum number of days since last login before making a user inactive', 1, 0, 'text', ID, 'Maximum Days Before Making User Inactive', 31 FROM ConfigSettings WHERE Name="study";
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'useDoB', 'Use DoB (Date of Birth)', 1, 0, 'boolean', ID, 'Use DoB', 32 FROM ConfigSettings WHERE Name="study";
 
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, Label, OrderNumber) VALUES ('paths', 'Specify directories where LORIS-related files are stored or created. Take care when editing these fields as changing them incorrectly can cause certain modules to lose functionality.', 1, 0, 'Paths', 2);
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'imagePath', 'Path to images for display in Imaging Browser (e.g. /data/$project/data/) ', 1, 0, 'text', ID, 'Images', 9 FROM ConfigSettings WHERE Name="paths";
@@ -282,6 +283,7 @@ INSERT INTO Config (ConfigID, Value) SELECT ID, 't1'    FROM ConfigSettings WHER
 INSERT INTO Config (ConfigID, Value) SELECT ID, 't2'    FROM ConfigSettings WHERE Name="modalities_to_deface";
 INSERT INTO Config (ConfigID, Value) SELECT ID, 'pd'    FROM ConfigSettings WHERE Name="modalities_to_deface";
 INSERT INTO Config (ConfigID, Value) SELECT ID, 'false'  FROM ConfigSettings WHERE Name="usePwnedPasswordsAPI";
+INSERT INTO Config (ConfigID, Value) SELECT ID, 'PASSWORD_DEFAULT'  FROM ConfigSettings WHERE Name="passwordAlgorithm";
 INSERT INTO Config (ConfigID, Value) SELECT ID, 'Y-m-d H:i:s'  FROM ConfigSettings WHERE Name="dateDisplayFormat";
 INSERT INTO Config (ConfigID, Value) SELECT ID, '/data/issue_tracker/' FROM ConfigSettings WHERE Name="IssueTrackerDataPath";
 INSERT INTO Config (ConfigID, Value) SELECT ID, ''  FROM ConfigSettings WHERE Name="adminContactEmail";
diff --git a/SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql b/SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql
new file mode 100644
index 00000000000..1eda15db7ae
--- /dev/null
+++ b/SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql
@@ -0,0 +1,7 @@
+ALTER TABLE ConfigSettings
+MODIFY COLUMN DataType enum('text','boolean','email','instrument','textarea','scan_type','date_format','lookup_center','path','web_path','log_level', 'password_algo') DEFAULT NULL;
+
+INSERT INTO `ConfigSettings` (`Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`)
+VALUES ('passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo',1,'Password Algorithm',28);
+
+INSERT INTO Config (`ConfigID`, `Value`) VALUES (LAST_INSERT_ID(), 'PASSWORD_DEFAULT');
\ No newline at end of file
diff --git a/htdocs/postdeploy.php b/htdocs/postdeploy.php
index 86fd80d7072..8c1a7e66b15 100644
--- a/htdocs/postdeploy.php
+++ b/htdocs/postdeploy.php
@@ -47,7 +47,9 @@
 $sqls         = file_get_contents($path_to_file);
 $conn->exec($sqls);
 
-$pw = password_hash($password, PASSWORD_DEFAULT);
+$config =& \NDB_Config::singleton();
+$password_algo = $config->getSetting("passwordAlgorithm");
+$pw = password_hash($password, $password_algo);
 
 $conn->query(
     "UPDATE users SET Password_hash=" . $conn->quote($pw) .
diff --git a/modules/configuration/php/configuration.class.inc b/modules/configuration/php/configuration.class.inc
index 06c2266f1b4..4696b89725c 100644
--- a/modules/configuration/php/configuration.class.inc
+++ b/modules/configuration/php/configuration.class.inc
@@ -88,6 +88,14 @@ class Configuration extends \NDB_Form
             'emergency' => 'Emergency',
         ];
 
+        $this->tpl_data['password_algos'] = [
+            '' => '',
+            'PASSWORD_DEFAULT' => 'PASSWORD_DEFAULT',
+            'PASSWORD_BCRYPT' => 'PASSWORD_BCRYPT',
+            'PASSWORD_ARGON2I' => 'PASSWORD_ARGON2I',
+            'PASSWORD_ARGON2ID' => 'PASSWORD_ARGON2ID'
+        ];
+
         $this->tpl_data['date_format']   = $date_format;
         $this->tpl_data['lookup_center'] = [
             ''            => '',
diff --git a/modules/configuration/templates/form_configuration.tpl b/modules/configuration/templates/form_configuration.tpl
index 2ed16e8a299..ebf217d4e0f 100644
--- a/modules/configuration/templates/form_configuration.tpl
+++ b/modules/configuration/templates/form_configuration.tpl
@@ -22,7 +22,13 @@
     </div>
 {/function}
 
-
+{function name=createPasswordAlgo}
+    <select class="form-control" name="{$k}" {if $d eq "Yes"}disabled{/if}>
+        {foreach from=$password_algos key=name item=label}
+            <option {if $v eq $name}selected{/if} value="{$name}">{$label}</option>
+        {/foreach}
+    </select>
+{/function}
 
 {function name=createScanType}
     <select class="form-control" name="{$k}" {if $d eq "Yes"}disabled{/if}>
@@ -108,6 +114,8 @@
             {call createInstrument k=$id v=$v d=$node['Disabled']}
         {elseif $node['DataType'] eq 'scan_type'}
             {call createScanType k=$id v=$v d=$node['Disabled']}
+        {elseif $node['DataType'] eq 'password_algo'}
+            {call createPasswordAlgo k=$id v=$v d=$node['Disabled']}
         {elseif $node['DataType'] eq 'date_format'}
             {call createDateFormat k=$id v=$v d=$node['Disabled']}
         {elseif $node['DataType'] eq 'email'}
diff --git a/php/installer/Installer.class.inc b/php/installer/Installer.class.inc
index 1b0d9b338bb..85ffbe6e50d 100644
--- a/php/installer/Installer.class.inc
+++ b/php/installer/Installer.class.inc
@@ -543,12 +543,14 @@ class Installer
                Active='Y'
              WHERE ID=1"
         );
+        $config =& \NDB_Config::singleton();
+        $password_algo = $config->getSetting("passwordAlgorithm");
         return $stmt->execute(
             [
                 'q_userID'   => $values['frontenduser'],
                 'q_password' => password_hash(
                     $values['frontendpassword'],
-                    PASSWORD_DEFAULT
+                    $password_algo
                 ),
             ]
         );
diff --git a/php/libraries/Password.class.inc b/php/libraries/Password.class.inc
index 31f4997234a..7289eea9704 100644
--- a/php/libraries/Password.class.inc
+++ b/php/libraries/Password.class.inc
@@ -205,7 +205,9 @@ class Password
         $this->_validate($value);
         // Don't store the value in the object; instead use the hashed version
         // This mitigates the risk of accidentally revealing the plaintext.
-        $this->_hash = password_hash($value, PASSWORD_DEFAULT);
+        $config =& \NDB_Config::singleton();
+        $password_algo = $config->getSetting("passwordAlgorithm");
+        $this->_hash = password_hash($value, $password_algo);
     }
 
     /**
diff --git a/php/libraries/SinglePointLogin.class.inc b/php/libraries/SinglePointLogin.class.inc
index c6ee9e94e37..34b053b0f72 100644
--- a/php/libraries/SinglePointLogin.class.inc
+++ b/php/libraries/SinglePointLogin.class.inc
@@ -287,8 +287,10 @@ class SinglePointLogin
         // Validate passsword
         $oldhash = $row['Password_hash'] ?? '';
         if (password_verify($password, $oldhash)) {
+            $config =& \NDB_Config::singleton();
+            $password_algo = $config->getSetting("passwordAlgorithm");
             // Rehash according to latest standards if necessary.
-            if (password_needs_rehash($oldhash, PASSWORD_DEFAULT)) {
+            if (password_needs_rehash($oldhash, $password_algo)) {
                 try {
                     $newHash = new \Password($password);
                     \User::factory($username)->updatePassword(
@@ -302,7 +304,7 @@ class SinglePointLogin
                     // update the password here without using the Password class
                     $newHash = password_hash(
                         $password,
-                        PASSWORD_DEFAULT
+                        $password_algo
                     );
                     \NDB_Factory::singleton()->database()->update(
                         'users',
diff --git a/tools/resetpassword.php b/tools/resetpassword.php
index 2a79f6a3999..c75509186cb 100755
--- a/tools/resetpassword.php
+++ b/tools/resetpassword.php
@@ -43,7 +43,9 @@
 // Don't echo the password being typed
 `/bin/stty -echo`;
 $newPass = trim(fgets(STDIN));
-$newHash = password_hash($newPass, PASSWORD_DEFAULT);
+$config =& \NDB_Config::singleton();
+$password_algo = $config->getSetting("passwordAlgorithm");
+$newHash = password_hash($newPass, $password_algo);
 `/bin/stty echo`;
 
 ;

From b5f1f455f1c4d70cb22e30324e22f5189e0522d0 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Thu, 14 Nov 2024 11:49:07 -0500
Subject: [PATCH 02/14] Add to raisinbread

---
 raisinbread/RB_files/RB_Config.sql         | 1 +
 raisinbread/RB_files/RB_ConfigSettings.sql | 1 +
 2 files changed, 2 insertions(+)

diff --git a/raisinbread/RB_files/RB_Config.sql b/raisinbread/RB_files/RB_Config.sql
index 7a91dd3186f..ac236993249 100644
--- a/raisinbread/RB_files/RB_Config.sql
+++ b/raisinbread/RB_files/RB_Config.sql
@@ -107,6 +107,7 @@ INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (126,129,'365');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (127,130,'/var/www/loris/');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (128,131,'/data/EEGUploadIncomingPath/');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (129,132,'false');
+INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (130,133,'PASSWORD_DEFAULT');
 
 UNLOCK TABLES;
 SET FOREIGN_KEY_CHECKS=1;
diff --git a/raisinbread/RB_files/RB_ConfigSettings.sql b/raisinbread/RB_files/RB_ConfigSettings.sql
index 6e5137f91f3..12081d10715 100644
--- a/raisinbread/RB_files/RB_ConfigSettings.sql
+++ b/raisinbread/RB_files/RB_ConfigSettings.sql
@@ -121,5 +121,6 @@ INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMult
 INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`) VALUES (130,'DownloadPath','Where files are downloaded',1,0,'text',26,'Downloads',4);
 INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`) VALUES (131,'EEGUploadIncomingPath', 'Path to the upload directory for incoming EEG studies', 1, 0, 'text', 26, 'EEG Incoming Directory', 15);
 INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`) VALUES (132,'useDoB','Use DoB (Date of Birth)',1,0,'boolean',1,'Use DoB',12);
+INSERT INTO `ConfigSettings` (`ID`, `Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`) VALUES (133, 'passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo',1,'Password Algorithm',28);
 UNLOCK TABLES;
 SET FOREIGN_KEY_CHECKS=1;

From e23aca458a482567f74bd1ca0f6f7506d260881c Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Thu, 14 Nov 2024 13:27:19 -0500
Subject: [PATCH 03/14] change select source

---
 modules/configuration/php/configuration.class.inc | 15 ++++++++-------
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/modules/configuration/php/configuration.class.inc b/modules/configuration/php/configuration.class.inc
index 4696b89725c..747d3965507 100644
--- a/modules/configuration/php/configuration.class.inc
+++ b/modules/configuration/php/configuration.class.inc
@@ -88,13 +88,14 @@ class Configuration extends \NDB_Form
             'emergency' => 'Emergency',
         ];
 
-        $this->tpl_data['password_algos'] = [
-            '' => '',
-            'PASSWORD_DEFAULT' => 'PASSWORD_DEFAULT',
-            'PASSWORD_BCRYPT' => 'PASSWORD_BCRYPT',
-            'PASSWORD_ARGON2I' => 'PASSWORD_ARGON2I',
-            'PASSWORD_ARGON2ID' => 'PASSWORD_ARGON2ID'
-        ];
+        $password_algos = array_merge(
+            ['PASSWORD_DEFAULT'],
+            password_algos()
+        );
+        $this->tpl_data['password_algos'] = array_combine(
+            $password_algos,
+            $password_algos
+        );
 
         $this->tpl_data['date_format']   = $date_format;
         $this->tpl_data['lookup_center'] = [

From e00ed67d7d1d7a5f01ae3852cae9bfcc6c68be31 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Thu, 14 Nov 2024 14:35:30 -0500
Subject: [PATCH 04/14] Remove 'PASSWORD_DEFAULT' as it is now null after php
 7.4

---
 SQL/0000-00-03-ConfigTables.sql                         | 2 +-
 SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql | 2 +-
 htdocs/postdeploy.php                                   | 4 ++--
 modules/configuration/php/configuration.class.inc       | 8 ++------
 php/installer/Installer.class.inc                       | 4 ++--
 php/libraries/Password.class.inc                        | 4 ++--
 php/libraries/SinglePointLogin.class.inc                | 2 +-
 raisinbread/RB_files/RB_Config.sql                      | 2 +-
 tools/resetpassword.php                                 | 6 +++---
 9 files changed, 15 insertions(+), 19 deletions(-)

diff --git a/SQL/0000-00-03-ConfigTables.sql b/SQL/0000-00-03-ConfigTables.sql
index 0d32b1d3425..4175702baca 100644
--- a/SQL/0000-00-03-ConfigTables.sql
+++ b/SQL/0000-00-03-ConfigTables.sql
@@ -283,7 +283,7 @@ INSERT INTO Config (ConfigID, Value) SELECT ID, 't1'    FROM ConfigSettings WHER
 INSERT INTO Config (ConfigID, Value) SELECT ID, 't2'    FROM ConfigSettings WHERE Name="modalities_to_deface";
 INSERT INTO Config (ConfigID, Value) SELECT ID, 'pd'    FROM ConfigSettings WHERE Name="modalities_to_deface";
 INSERT INTO Config (ConfigID, Value) SELECT ID, 'false'  FROM ConfigSettings WHERE Name="usePwnedPasswordsAPI";
-INSERT INTO Config (ConfigID, Value) SELECT ID, 'PASSWORD_DEFAULT'  FROM ConfigSettings WHERE Name="passwordAlgorithm";
+INSERT INTO Config (ConfigID, Value) SELECT ID, '2y'  FROM ConfigSettings WHERE Name="passwordAlgorithm";
 INSERT INTO Config (ConfigID, Value) SELECT ID, 'Y-m-d H:i:s'  FROM ConfigSettings WHERE Name="dateDisplayFormat";
 INSERT INTO Config (ConfigID, Value) SELECT ID, '/data/issue_tracker/' FROM ConfigSettings WHERE Name="IssueTrackerDataPath";
 INSERT INTO Config (ConfigID, Value) SELECT ID, ''  FROM ConfigSettings WHERE Name="adminContactEmail";
diff --git a/SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql b/SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql
index 1eda15db7ae..0f2107e4292 100644
--- a/SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql
+++ b/SQL/New_patches/2024-11-14-Add-Password-Algo-Config.sql
@@ -4,4 +4,4 @@ MODIFY COLUMN DataType enum('text','boolean','email','instrument','textarea','sc
 INSERT INTO `ConfigSettings` (`Name`, `Description`, `Visible`, `AllowMultiple`, `DataType`, `Parent`, `Label`, `OrderNumber`)
 VALUES ('passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo',1,'Password Algorithm',28);
 
-INSERT INTO Config (`ConfigID`, `Value`) VALUES (LAST_INSERT_ID(), 'PASSWORD_DEFAULT');
\ No newline at end of file
+INSERT INTO Config (`ConfigID`, `Value`) VALUES (LAST_INSERT_ID(), '2y');
\ No newline at end of file
diff --git a/htdocs/postdeploy.php b/htdocs/postdeploy.php
index 8c1a7e66b15..0b9b105c8a9 100644
--- a/htdocs/postdeploy.php
+++ b/htdocs/postdeploy.php
@@ -47,9 +47,9 @@
 $sqls         = file_get_contents($path_to_file);
 $conn->exec($sqls);
 
-$config =& \NDB_Config::singleton();
+$config        =& \NDB_Config::singleton();
 $password_algo = $config->getSetting("passwordAlgorithm");
-$pw = password_hash($password, $password_algo);
+$pw            = password_hash($password, $password_algo);
 
 $conn->query(
     "UPDATE users SET Password_hash=" . $conn->quote($pw) .
diff --git a/modules/configuration/php/configuration.class.inc b/modules/configuration/php/configuration.class.inc
index 747d3965507..1708a777358 100644
--- a/modules/configuration/php/configuration.class.inc
+++ b/modules/configuration/php/configuration.class.inc
@@ -88,13 +88,9 @@ class Configuration extends \NDB_Form
             'emergency' => 'Emergency',
         ];
 
-        $password_algos = array_merge(
-            ['PASSWORD_DEFAULT'],
-            password_algos()
-        );
         $this->tpl_data['password_algos'] = array_combine(
-            $password_algos,
-            $password_algos
+            password_algos(),
+            password_algos()
         );
 
         $this->tpl_data['date_format']   = $date_format;
diff --git a/php/installer/Installer.class.inc b/php/installer/Installer.class.inc
index 85ffbe6e50d..11f677018b8 100644
--- a/php/installer/Installer.class.inc
+++ b/php/installer/Installer.class.inc
@@ -535,7 +535,7 @@ class Installer
             return false;
         }
 
-        $stmt = $DB->prepare(
+        $stmt          = $DB->prepare(
             "UPDATE users
              SET
                UserID=:q_userID,
@@ -543,7 +543,7 @@ class Installer
                Active='Y'
              WHERE ID=1"
         );
-        $config =& \NDB_Config::singleton();
+        $config        =& \NDB_Config::singleton();
         $password_algo = $config->getSetting("passwordAlgorithm");
         return $stmt->execute(
             [
diff --git a/php/libraries/Password.class.inc b/php/libraries/Password.class.inc
index 7289eea9704..05b00c6b534 100644
--- a/php/libraries/Password.class.inc
+++ b/php/libraries/Password.class.inc
@@ -205,9 +205,9 @@ class Password
         $this->_validate($value);
         // Don't store the value in the object; instead use the hashed version
         // This mitigates the risk of accidentally revealing the plaintext.
-        $config =& \NDB_Config::singleton();
+        $config        =& \NDB_Config::singleton();
         $password_algo = $config->getSetting("passwordAlgorithm");
-        $this->_hash = password_hash($value, $password_algo);
+        $this->_hash   = password_hash($value, $password_algo);
     }
 
     /**
diff --git a/php/libraries/SinglePointLogin.class.inc b/php/libraries/SinglePointLogin.class.inc
index 34b053b0f72..be36dddb3d3 100644
--- a/php/libraries/SinglePointLogin.class.inc
+++ b/php/libraries/SinglePointLogin.class.inc
@@ -287,7 +287,7 @@ class SinglePointLogin
         // Validate passsword
         $oldhash = $row['Password_hash'] ?? '';
         if (password_verify($password, $oldhash)) {
-            $config =& \NDB_Config::singleton();
+            $config        =& \NDB_Config::singleton();
             $password_algo = $config->getSetting("passwordAlgorithm");
             // Rehash according to latest standards if necessary.
             if (password_needs_rehash($oldhash, $password_algo)) {
diff --git a/raisinbread/RB_files/RB_Config.sql b/raisinbread/RB_files/RB_Config.sql
index ac236993249..b8858a28169 100644
--- a/raisinbread/RB_files/RB_Config.sql
+++ b/raisinbread/RB_files/RB_Config.sql
@@ -107,7 +107,7 @@ INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (126,129,'365');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (127,130,'/var/www/loris/');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (128,131,'/data/EEGUploadIncomingPath/');
 INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (129,132,'false');
-INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (130,133,'PASSWORD_DEFAULT');
+INSERT INTO `Config` (`ID`, `ConfigID`, `Value`) VALUES (130,133,'2y');
 
 UNLOCK TABLES;
 SET FOREIGN_KEY_CHECKS=1;
diff --git a/tools/resetpassword.php b/tools/resetpassword.php
index c75509186cb..53bbc5cbebd 100755
--- a/tools/resetpassword.php
+++ b/tools/resetpassword.php
@@ -42,10 +42,10 @@
 
 // Don't echo the password being typed
 `/bin/stty -echo`;
-$newPass = trim(fgets(STDIN));
-$config =& \NDB_Config::singleton();
+$newPass       = trim(fgets(STDIN));
+$config        =& \NDB_Config::singleton();
 $password_algo = $config->getSetting("passwordAlgorithm");
-$newHash = password_hash($newPass, $password_algo);
+$newHash       = password_hash($newPass, $password_algo);
 `/bin/stty echo`;
 
 ;

From 9aa4afbabe3f81631259aa07a86f5e5b5d102eaf Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Thu, 14 Nov 2024 15:49:39 -0500
Subject: [PATCH 05/14] Fix missing ID from ConfigSettings

---
 SQL/0000-00-03-ConfigTables.sql | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/SQL/0000-00-03-ConfigTables.sql b/SQL/0000-00-03-ConfigTables.sql
index 4175702baca..218aa23d2da 100644
--- a/SQL/0000-00-03-ConfigTables.sql
+++ b/SQL/0000-00-03-ConfigTables.sql
@@ -59,7 +59,7 @@ INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType,
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'citation_policy', 'Citation Policy for Acknowledgements module', 1, 0, 'textarea', ID, 'Citation Policy', 25 FROM ConfigSettings WHERE Name="study";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'CSPAdditionalHeaders', 'Extensions to the Content-security policy allow only for self-hosted content', 1, 0, 'text', ID, 'Content-Security Extensions', 26 FROM ConfigSettings WHERE Name="study";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'usePwnedPasswordsAPI', 'Whether to query the Have I Been Pwned password API on password changes to prevent the usage of common and breached passwords', 1, 0, 'boolean', ID, 'Enable "Pwned Password" check', 27 FROM ConfigSettings WHERE Name="study";
-INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo',1,'Password Algorithm',28 FROM ConfigSettings WHERE Name="study";
+INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'passwordAlgorithm','Which PHP password algorithm to use for hashing the passwords',1,0,'password_algo', ID,'Password Algorithm', 28 FROM ConfigSettings WHERE Name="study";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'dateDisplayFormat', 'The date format to use throughout LORIS for displaying date information - formats for date inputs are browser- and locale-dependent.', 1, 0, 'text', ID, 'Date display format', 29 FROM ConfigSettings WHERE Name="study";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'adminContactEmail', 'An email address that users can write to in order to report issues or ask question', 1, 0, 'text', ID, 'Administrator Email', 30 FROM ConfigSettings WHERE Name="study";
 INSERT INTO ConfigSettings (Name, Description, Visible, AllowMultiple, DataType, Parent, Label, OrderNumber) SELECT 'UserMaximumDaysInactive', 'The maximum number of days since last login before making a user inactive', 1, 0, 'text', ID, 'Maximum Days Before Making User Inactive', 31 FROM ConfigSettings WHERE Name="study";

From 870132e690e60025ce319c6ed1330fbf66e5d5a2 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Fri, 15 Nov 2024 15:18:40 -0500
Subject: [PATCH 06/14] Try to setup config for tests

---
 test/unittests/PasswordTest.php | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/test/unittests/PasswordTest.php b/test/unittests/PasswordTest.php
index 96aeae2bfc2..7d282b523fe 100644
--- a/test/unittests/PasswordTest.php
+++ b/test/unittests/PasswordTest.php
@@ -141,6 +141,15 @@ public function testContructorInvalidValues($invalidValue): void
      */
     public function testWellFormedPassword(): void
     {
+        $this->_configMap = [
+            [
+                'passwordAlgorithm',
+                '2y',
+            ],
+        ];
+
+        $this->_configMock->method('getSetting')
+            ->will($this->returnValueMap($this->_configMap));
         $this->assertInstanceOf('Password', new \Password(self::VALID_PASSWORD));
     }
 

From 27883cbf9506eaa3f0a63aed08113a1bd64d8d40 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Fri, 15 Nov 2024 15:43:47 -0500
Subject: [PATCH 07/14] Another attempt for config

---
 test/unittests/PasswordTest.php | 15 ++++++---------
 1 file changed, 6 insertions(+), 9 deletions(-)

diff --git a/test/unittests/PasswordTest.php b/test/unittests/PasswordTest.php
index 7d282b523fe..1e9d3971c77 100644
--- a/test/unittests/PasswordTest.php
+++ b/test/unittests/PasswordTest.php
@@ -49,7 +49,11 @@ class PasswordTest extends TestCase
      */
     private $_factory;
 
-    private $_configInfo = [0 => ['65' => 'false']];
+    private $_configInfo = [
+        ['65' => 'false'],
+        ['133','2y',],
+    
+    ];
 
     /**
      * Setup
@@ -141,15 +145,8 @@ public function testContructorInvalidValues($invalidValue): void
      */
     public function testWellFormedPassword(): void
     {
-        $this->_configMap = [
-            [
-                'passwordAlgorithm',
-                '2y',
-            ],
-        ];
-
         $this->_configMock->method('getSetting')
-            ->will($this->returnValueMap($this->_configMap));
+            ->will($this->returnValueMap($this->_configInfo));
         $this->assertInstanceOf('Password', new \Password(self::VALID_PASSWORD));
     }
 

From 87a2fd55e9c980e3247adeb712a132e414c02b2f Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Mon, 18 Nov 2024 14:15:42 -0500
Subject: [PATCH 08/14] Remove leftover space

---
 test/unittests/PasswordTest.php | 1 -
 1 file changed, 1 deletion(-)

diff --git a/test/unittests/PasswordTest.php b/test/unittests/PasswordTest.php
index 1e9d3971c77..d2f667613ea 100644
--- a/test/unittests/PasswordTest.php
+++ b/test/unittests/PasswordTest.php
@@ -52,7 +52,6 @@ class PasswordTest extends TestCase
     private $_configInfo = [
         ['65' => 'false'],
         ['133','2y',],
-    
     ];
 
     /**

From 11d7c379a622b0d3095ddb50996c8bf49fc78639 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Wed, 27 Nov 2024 10:56:42 -0500
Subject: [PATCH 09/14] Add Shen's changes + Dave's suggestion

---
 .../configuration/php/configuration.class.inc  |  7 ++++++-
 php/libraries/Password.class.inc               | 18 +++++++++++++-----
 test/unittests/PasswordTest.php                | 16 ++++++++++++++--
 3 files changed, 33 insertions(+), 8 deletions(-)

diff --git a/modules/configuration/php/configuration.class.inc b/modules/configuration/php/configuration.class.inc
index 1708a777358..078f9428cbb 100644
--- a/modules/configuration/php/configuration.class.inc
+++ b/modules/configuration/php/configuration.class.inc
@@ -90,7 +90,12 @@ class Configuration extends \NDB_Form
 
         $this->tpl_data['password_algos'] = array_combine(
             password_algos(),
-            password_algos()
+            array_map(
+                function ($algo) {
+                    return $algo === '2y' ? 'Blake2b' : $algo;
+                },
+                password_algos()
+            )
         );
 
         $this->tpl_data['date_format']   = $date_format;
diff --git a/php/libraries/Password.class.inc b/php/libraries/Password.class.inc
index 05b00c6b534..3a27f5576d8 100644
--- a/php/libraries/Password.class.inc
+++ b/php/libraries/Password.class.inc
@@ -196,18 +196,26 @@ class Password
      * well-formed.
      *
      * @param string $value The proposed password value.
+     * @param NDB_Config $config The config
      *
      * @throws InvalidArgumentException When passsword is too short or too simple.
      */
-    public final function __construct(string $value)
+    public final function __construct(string $value, ?NDB_Config $config = null)
     {
         // Ensure proposed value is well-formed.
         $this->_validate($value);
-        // Don't store the value in the object; instead use the hashed version
-        // This mitigates the risk of accidentally revealing the plaintext.
-        $config        =& \NDB_Config::singleton();
+        $config        = $config ?? \NDB_Config::singleton();
         $password_algo = $config->getSetting("passwordAlgorithm");
-        $this->_hash   = password_hash($value, $password_algo);
+
+        if (empty($password_algo)) {
+            throw new ConfigurationException(
+                "Password algorithm is not configured in the settings.
+        "
+            );
+        }
+
+        // Hash the password using the configured algorithm
+        $this->_hash = password_hash($value, $password_algo);
     }
 
     /**
diff --git a/test/unittests/PasswordTest.php b/test/unittests/PasswordTest.php
index d2f667613ea..02241b8fc00 100644
--- a/test/unittests/PasswordTest.php
+++ b/test/unittests/PasswordTest.php
@@ -157,9 +157,21 @@ public function testWellFormedPassword(): void
      */
     public function testToString(): void
     {
-        $password = new \Password(self::VALID_PASSWORD);
+        // Create a mock NDB_Config object
+        $configMock = $this->createMock(NDB_Config::class);
+
+        // Configure the mock to return a valid password algorithm
+        $configMock->method('getSetting')
+            ->with('passwordAlgorithm')
+            ->willReturn(PASSWORD_BCRYPT);
+
+        // Instantiate the Password object with the valid password and config
+        $password = new \Password(self::VALID_PASSWORD, $configMock);
+
+        // Assert that the password can be verified with the hashed value
         $this->assertTrue(
-            password_verify(self::VALID_PASSWORD, (string) $password)
+            password_verify(self::VALID_PASSWORD, (string) $password),
+            "Password string should correctly verify against the original value."
         );
     }
 }

From d743e132decd6c5d165d67c8058b3f698efe6b38 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Wed, 27 Nov 2024 11:16:19 -0500
Subject: [PATCH 10/14] Fix tests?

---
 php/libraries/Password.class.inc | 2 +-
 test/unittests/PasswordTest.php  | 9 +++++++--
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/php/libraries/Password.class.inc b/php/libraries/Password.class.inc
index 3a27f5576d8..8b751585b27 100644
--- a/php/libraries/Password.class.inc
+++ b/php/libraries/Password.class.inc
@@ -195,7 +195,7 @@ class Password
      * Creates a new Password object when the $value param is well-formed.
      * well-formed.
      *
-     * @param string $value The proposed password value.
+     * @param string     $value  The proposed password value.
      * @param NDB_Config $config The config
      *
      * @throws InvalidArgumentException When passsword is too short or too simple.
diff --git a/test/unittests/PasswordTest.php b/test/unittests/PasswordTest.php
index 02241b8fc00..83287d5433f 100644
--- a/test/unittests/PasswordTest.php
+++ b/test/unittests/PasswordTest.php
@@ -145,8 +145,13 @@ public function testContructorInvalidValues($invalidValue): void
     public function testWellFormedPassword(): void
     {
         $this->_configMock->method('getSetting')
-            ->will($this->returnValueMap($this->_configInfo));
-        $this->assertInstanceOf('Password', new \Password(self::VALID_PASSWORD));
+            ->with('passwordAlgorithm')
+            ->willReturn(PASSWORD_BCRYPT);
+
+        $this->assertInstanceOf(
+            'Password',
+            new \Password(self::VALID_PASSWORD, $this->_configMock)
+        );
     }
 
     /**

From a655bcbca3820cac8a8796787b30c811a9d55291 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Wed, 27 Nov 2024 11:29:04 -0500
Subject: [PATCH 11/14] Fix nullable type declaration

---
 php/libraries/Password.class.inc | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/php/libraries/Password.class.inc b/php/libraries/Password.class.inc
index 8b751585b27..397e1d94420 100644
--- a/php/libraries/Password.class.inc
+++ b/php/libraries/Password.class.inc
@@ -195,8 +195,8 @@ class Password
      * Creates a new Password object when the $value param is well-formed.
      * well-formed.
      *
-     * @param string     $value  The proposed password value.
-     * @param NDB_Config $config The config
+     * @param string      $value  The proposed password value.
+     * @param ?NDB_Config $config The config
      *
      * @throws InvalidArgumentException When passsword is too short or too simple.
      */

From c40b600bd4e83b307ee32182a2675155046ccc70 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Wed, 27 Nov 2024 11:43:38 -0500
Subject: [PATCH 12/14] Try re-using old configMock

---
 test/unittests/PasswordTest.php | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)

diff --git a/test/unittests/PasswordTest.php b/test/unittests/PasswordTest.php
index 83287d5433f..f0080fb8d25 100644
--- a/test/unittests/PasswordTest.php
+++ b/test/unittests/PasswordTest.php
@@ -162,11 +162,8 @@ public function testWellFormedPassword(): void
      */
     public function testToString(): void
     {
-        // Create a mock NDB_Config object
-        $configMock = $this->createMock(NDB_Config::class);
-
         // Configure the mock to return a valid password algorithm
-        $configMock->method('getSetting')
+        $this->_configMock->method('getSetting')
             ->with('passwordAlgorithm')
             ->willReturn(PASSWORD_BCRYPT);
 

From 679c2eca767e030794e4bd7578a30212c95b9878 Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Wed, 27 Nov 2024 11:47:30 -0500
Subject: [PATCH 13/14] Try again

---
 test/unittests/PasswordTest.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/test/unittests/PasswordTest.php b/test/unittests/PasswordTest.php
index f0080fb8d25..2992d657018 100644
--- a/test/unittests/PasswordTest.php
+++ b/test/unittests/PasswordTest.php
@@ -168,7 +168,7 @@ public function testToString(): void
             ->willReturn(PASSWORD_BCRYPT);
 
         // Instantiate the Password object with the valid password and config
-        $password = new \Password(self::VALID_PASSWORD, $configMock);
+        $password = new \Password(self::VALID_PASSWORD, $this->_configMock);
 
         // Assert that the password can be verified with the hashed value
         $this->assertTrue(

From 3dd70e84c7ad34b871e0c92e62adc938cf505dea Mon Sep 17 00:00:00 2001
From: Saagar Arya <saagar.arya@mcin.ca>
Date: Fri, 13 Dec 2024 16:09:27 -0500
Subject: [PATCH 14/14] correct 2y name

---
 modules/configuration/php/configuration.class.inc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/modules/configuration/php/configuration.class.inc b/modules/configuration/php/configuration.class.inc
index 078f9428cbb..366958f2823 100644
--- a/modules/configuration/php/configuration.class.inc
+++ b/modules/configuration/php/configuration.class.inc
@@ -92,7 +92,7 @@ class Configuration extends \NDB_Form
             password_algos(),
             array_map(
                 function ($algo) {
-                    return $algo === '2y' ? 'Blake2b' : $algo;
+                    return $algo === '2y' ? 'bcrypt' : $algo;
                 },
                 password_algos()
             )