I have a token of around 1400 characters, and I want to hash it using the password_hash function but using the PASSWORD_DEFAULT algorithm will only generate the hash using only first 72 characters. I have explored PASSWORD_ARGON2I algorithm, but I am not sure if it is considering the full token length of 1400 characters.
I have tested the following:
php -r echo password_hash(<$embedtokenhere>, PASSWORD_ARGON2I) . "
";
This will give me the result as
$argon2i$v=19$m=1024,t=2,p=2$cUdEZjFHN2lHYzUwR2hqeg$aRzXaa1RAArMl+cwuczG6rng2omZjqJnaImnh4ZvxeM
Is it hashing considering all the characters or does the PASSWORD_ARGON2I has a limit length for the input string to be hashed?
If you read the documentation of password_hash, you will see this:
CAUTION Using the PASSWORD_BCRYPT as the algorithm, will result in the password parameter being truncated to a maximum length of 72 characters.
This only applies for PASSWORD_BCRYPT, which is the default hashing algo for password_hash. If you use PASSWORD_ARGON2I, this limitation doesn't exists.
But you should keep in mind, that PASSWORD_ARGON2I only exists in PHP7.2 and newer.
The answer I would provide is don't hash it using password_hash. 1400 characters should have enough entropy that a simple sha256 / sha3 would suffice. The reason is that password_hash is designed for low entropy inputs (< 128 bits of entropy), as the computation time offsets the low entropy and makes it harder to attack. But for high entropy inputs, that computation time is wasted effort.
Whether or not a salt is necessary depends on your use-case. My instinct is that it isn't (given how much entropy is in a 1400 token anyway), but it depends specifically on how the token is generated, and what it's used for.
If you need a salt, simply use hash_hmac() to hash the token with the salt. Otherwise use hash().