Heratio Framework API Reference

PasswordPolicyService
in package

Password Policy Service — expiry and history enforcement.

Enforces:

  • Password expiry (configurable days, default 90)
  • Password history (prevents reuse of last N passwords, default 5)

Requires the password_history table. Gracefully degrades if the table does not exist (returns safe defaults so authentication still works).

Table SQL:

  CREATE TABLE IF NOT EXISTS password_history (
    id BIGINT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
    user_id INT NOT NULL,
    password_hash VARCHAR(255) NOT NULL,
    changed_at DATETIME NOT NULL DEFAULT CURRENT_TIMESTAMP,
    INDEX idx_password_history_user (user_id),
    CONSTRAINT fk_password_history_user FOREIGN KEY (user_id) REFERENCES user(id) ON DELETE CASCADE
  ) ENGINE=InnoDB DEFAULT CHARSET=utf8mb4 COLLATE=utf8mb4_unicode_ci;

Table of Contents

Methods

daysUntilExpiry()  : int
Get days until password expires.
isPasswordExpired()  : bool
Check if a user's password has expired.
isPasswordReused()  : bool
Check if a password was previously used by this user.
recordPasswordChange()  : void
Record a password change in history.

Methods

daysUntilExpiry()

Get days until password expires.

public static daysUntilExpiry(int $userId) : int
Parameters
$userId : int

The user ID

Return values
int

Days remaining (0 = expired, -1 = no expiry)

isPasswordExpired()

Check if a user's password has expired.

public static isPasswordExpired(int $userId) : bool
Parameters
$userId : int

The user ID

Return values
bool

True if the password has expired
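The two expiry methods above are documented by their return contract only. The following is an added example (not Heratio's own code) of how that contract can be met on top of the password_history table shown at the top of this page. It assumes the newest changed_at row is the user's last password change, that the expiry window comes from a constructor argument (defaulting to the documented 90 days, with 0 or less meaning "no expiry"), that a user with no history row is treated as not expired (an assumption chosen to match the "safe defaults" wording), and that the PDO handle uses PDO::ERRMODE_EXCEPTION so a missing table surfaces as an exception.

```php
<?php
// Added example, not the framework's own implementation.
// Expiry side of a password policy on top of the password_history table.

final class ExpiryPolicyExample
{
    private const DEFAULT_EXPIRY_DAYS = 90;

    public function __construct(
        private PDO $db,
        private ?int $expiryDays = null   // null => DEFAULT_EXPIRY_DAYS; <= 0 => no expiry
    ) {}

    /** Days remaining: 0 = expired, -1 = no expiry (same contract as the documented method). */
    public function daysUntilExpiry(int $userId): int
    {
        $expiryDays = $this->expiryDays ?? self::DEFAULT_EXPIRY_DAYS;
        if ($expiryDays <= 0) {
            return -1; // policy disabled: passwords never expire
        }

        try {
            $stmt = $this->db->prepare(
                'SELECT changed_at FROM password_history
                  WHERE user_id = :uid ORDER BY changed_at DESC, id DESC LIMIT 1'
            );
            $stmt->execute([':uid' => $userId]);
            $changedAt = $stmt->fetchColumn();
        } catch (PDOException $e) {
            // Table missing or DB error: degrade to "no expiry" so login keeps working.
            return -1;
        }

        if ($changedAt === false) {
            // No history row yet (e.g. account created before the table existed).
            // Assumption: treat as not expired rather than locking the user out.
            return -1;
        }

        $expiresAt = (new DateTimeImmutable((string) $changedAt))->modify("+{$expiryDays} days");
        $now = new DateTimeImmutable('now');
        if ($now >= $expiresAt) {
            return 0; // expired
        }
        // Round up so a password that expires later today still reports 1 day.
        return (int) ceil(($expiresAt->getTimestamp() - $now->getTimestamp()) / 86400);
    }

    /** Only 0 means expired; -1 (no expiry) must never be read as "expired". */
    public function isPasswordExpired(int $userId): bool
    {
        return $this->daysUntilExpiry($userId) === 0;
    }
}

// Caller side at login ($pdo and $userId are hypothetical names):
// $policy = new ExpiryPolicyExample($pdo);
// if ($policy->isPasswordExpired($userId)) {
//     // force a password change before granting a session
// } elseif (($days = $policy->daysUntilExpiry($userId)) > 0 && $days <= 7) {
//     // show an "expires in N days" warning
// }
```

Two points worth checking in any real implementation: the comparison between changed_at and "now" is only meaningful if PHP's default timezone and the database session timezone agree, and the -1 sentinel means callers must compare against 0 explicitly rather than testing `<= 0`, or a disabled policy will be treated as an expired password.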

isPasswordReused()

Check if a password was previously used by this user.

public static isPasswordReused(int $userId, string $sha1Hash) : bool

To detect reuse, the supplied SHA1(salt . plaintext) value is checked against each stored password hash for the user. AtoM stores passwords as: password_hash(sha1(salt . plaintext), PASSWORD_DEFAULT), so the caller passes the same sha1() pre-hash that was fed to password_hash().

Parameters
$userId : int

The user ID

$sha1Hash : string

The SHA1(salt + plaintext) hash to check

Return values
bool

True if the password was previously used

recordPasswordChange()

Record a password change in history.

public static recordPasswordChange(int $userId, string $passwordHash) : void
Parameters
$userId : int

The user ID

$passwordHash : string

The new password_hash value (Argon2i/Bcrypt)
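The reuse check and history recording above are described only by their signatures. The following is an added example (not Heratio's own code) of how both can be implemented against the password_history table from the top of this page. It assumes the caller computes sha1($salt . $plaintext) with the user's stored salt, exactly as AtoM does before calling password_hash(), so that the stored hashes and the candidate value are comparable via password_verify(); that the history size comes from a constructor argument defaulting to the documented 5; and that the PDO handle uses PDO::ERRMODE_EXCEPTION so a missing table surfaces as an exception.

```php
<?php
// Added example, not the framework's own implementation.
// History side of a password policy on top of the password_history table.

final class HistoryPolicyExample
{
    private const DEFAULT_HISTORY_SIZE = 5;

    public function __construct(
        private PDO $db,
        private int $historySize = self::DEFAULT_HISTORY_SIZE
    ) {}

    /** True if $sha1Hash matches any of the user's last N stored password hashes. */
    public function isPasswordReused(int $userId, string $sha1Hash): bool
    {
        try {
            $stmt = $this->db->prepare(
                'SELECT password_hash FROM password_history
                  WHERE user_id = :uid ORDER BY changed_at DESC, id DESC LIMIT :n'
            );
            $stmt->bindValue(':uid', $userId, PDO::PARAM_INT);
            $stmt->bindValue(':n', $this->historySize, PDO::PARAM_INT);
            $stmt->execute();
            $hashes = $stmt->fetchAll(PDO::FETCH_COLUMN);
        } catch (PDOException $e) {
            return false; // table missing: safe default, do not block the change
        }

        foreach ($hashes as $stored) {
            // password_verify() handles bcrypt and argon2 hashes alike and compares
            // in constant time; each call costs one full hash computation by design.
            if (password_verify($sha1Hash, (string) $stored)) {
                return true;
            }
        }
        return false;
    }

    /** Insert the new password_hash value and prune rows beyond the history size. */
    public function recordPasswordChange(int $userId, string $passwordHash): void
    {
        try {
            $this->db->beginTransaction();

            $ins = $this->db->prepare(
                'INSERT INTO password_history (user_id, password_hash) VALUES (:uid, :hash)'
            );
            $ins->execute([':uid' => $userId, ':hash' => $passwordHash]);

            // Keep only the newest N rows for this user; delete the rest by id.
            $sel = $this->db->prepare(
                'SELECT id FROM password_history WHERE user_id = :uid
                  ORDER BY changed_at DESC, id DESC'
            );
            $sel->execute([':uid' => $userId]);
            $stale = array_slice($sel->fetchAll(PDO::FETCH_COLUMN), $this->historySize);
            if ($stale !== []) {
                $marks = implode(',', array_fill(0, count($stale), '?'));
                $del = $this->db->prepare("DELETE FROM password_history WHERE id IN ($marks)");
                $del->execute(array_values($stale));
            }

            $this->db->commit();
        } catch (PDOException $e) {
            if ($this->db->inTransaction()) {
                $this->db->rollBack();
            }
            // Table missing: the password change itself still succeeds; history is not kept.
        }
    }
}

// Caller side of a password change ($pdo, $salt, $userId, $plaintext are hypothetical):
// $history   = new HistoryPolicyExample($pdo);
// $candidate = sha1($salt . $plaintext);              // same pre-hash AtoM feeds to password_hash()
// if ($history->isPasswordReused($userId, $candidate)) {
//     // reject: one of the last N passwords
// }
// $newHash = password_hash($candidate, PASSWORD_DEFAULT);
// // ... store $newHash on the user row ...
// $history->recordPasswordChange($userId, $newHash);
```

The history table holds the same password_hash() output as the user row, so it exposes nothing the user table does not already hold, and the ON DELETE CASCADE on user_id keeps it from outliving the account. Because the candidate is verified against each retained hash, a reuse check costs N bcrypt or argon2 verifications; that is expected, and the history size should be chosen with that cost in mind.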
