#!/usr/bin/php
<?php

/**
 * Password Hashing Tool
 * Version 2.20260307
 *
 * Copyright (c) 2025-2026 Ryan Coe / Inland Integration
 *
 * The MIT License (MIT)
 *
 * Permission is hereby granted, free of charge, to any person obtaining a copy
 * of this software and associated documentation files (the "Software"), to deal
 * in the Software without restriction, including without limitation the rights
 * to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 * copies of the Software, and to permit persons to whom the Software is
 * furnished to do so, subject to the following conditions:
 *
 * The above copyright notice and this permission notice shall be included in
 * all copies or substantial portions of the Software.
 *
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
 * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
 * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
 * AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
 * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
 * OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
 * THE SOFTWARE.
 */

declare(strict_types=1);

function password_prompt(string $prompt = ''): string
{
    $command = "/usr/bin/env bash -c 'read -s -p \"".addslashes($prompt)."\" mypassword && echo \$mypassword'";
    $password = rtrim(strval(@shell_exec($command)));
    echo "\n";
    return $password;
}

function check_complexity(string $password): bool
{
    // TODO: improve password checks
    if (strlen($password) < 5) {
        return false;
    }
    return true;
}

function exit_response(int $retval, string $retmsg, string $hash = ''): never
{
    $ret = [];
    $ret['retval'] = $retval;
    $ret['retmsg'] = $retmsg;
    if (strlen($hash) > 0) {
        $ret['hash'] = $hash;
    }
    echo json_encode($ret)."\n";
    exit(0);
}

if (posix_isatty(STDIN)) {
    //  Get password and remove line endings
    do {
        $password = password_prompt('Enter password: ');
        if (strlen($password) > 0) {
            if (check_complexity($password)) {
                $confirm = password_prompt('Confirm password: ');
                if ($password !== $confirm) {
                    echo "Passwords do not match\n\n";
                }
            } else {
                $confirm = '';
                echo "Password does not meet complexity requirements\n";
            }
        }
    } while (strlen($password) > 0 && $password !== $confirm);
    $json = ['password' => $password];
} else {
    $request = @stream_get_contents(STDIN);
    if ($request === false || strlen($request) === 0) {
        exit_response(-1, 'Invalid input');
    }
    $json = @json_decode($request, true);
    if ($json === false || !is_array($json)) {
        exit_response(-2, 'Failed to decode json');
    }
}
if (!isset($json['password']) || !is_string($json['password']) || strlen($json['password']) === 0) {
    exit_response(-3, 'Invalid or missing password');
}
$password = $json['password'];
$algo = PASSWORD_BCRYPT;
$opts = ['cost' => 12];
if (isset($json['cost']) && is_int($json['cost']) && $json['cost'] > $opts['cost']) {
    $opts['cost'] = $json['cost'];
}
if (!isset($json['hash'])) {
    if (!check_complexity($password)) {
        exit_response(-4, 'Password does not meet complexity requirements');
    }
    $hash = password_hash($password, $algo, $opts);
    exit_response(0, 'Hash success', $hash);
}

if (!is_string($json['hash']) || strlen($json['hash']) === 0) {
    exit_response(-5, 'Invalid hash');
}
$hash = $json['hash'];
if (!password_verify($password, $hash)) {
    exit_response(-6, 'Incorrect password');
}
if (password_needs_rehash($hash, $algo, $opts)) {
    $hash = password_hash($password, $algo, $opts);
    exit_response(2, 'Rehash success', $hash);
}
exit_response(1, 'Check success', $hash);
