NotificationsYou must be signed in to change notification settings
Fork9.6k
Star30.4k

Commit8243e9a

committed

[Security] Support hashing the hashed password using crc32c when putting the user in the session

1 parentdc38bb0 commit8243e9aCopy full SHA for 8243e9a

File tree

5 files changed

+47

-11

lines changed

src/Symfony/Component/Security
- Core/User
  - PasswordAuthenticatedUserInterface.php
- Http
  - CHANGELOG.md
  - Firewall
    - ContextListener.php
  - Tests
    - Firewall
      - ContextListenerTest.php
    - Fixtures
      - CustomUser.php

5 files changed

+47

-11

lines changed

`‎src/Symfony/Component/Security/Core/User/PasswordAuthenticatedUserInterface.php`

Lines changed: 20 additions & 3 deletions

Original file line number	Diff line number	Diff line change
`@@ -14,6 +14,26 @@`
`14`	`14`	`/**`
`15`	`15`	`* For users that can be authenticated using a password.`
`16`	`16`	`*`
	`17`	`+ * The __serialize/__unserialize() magic methods can be implemented on the user`
	`18`	`+ * class to prevent hashed passwords from being put in the session storage.`
	`19`	`+ * If the password is not stored at all in the session, getPassword() should`
	`20`	`+ * return null after unserialization, and then, changing the user's password`
	`21`	`+ * won't invalidate its sessions.`
	`22`	`+ * In order to invalidate the user sessions while not storing the password hash`
	`23`	`+ * in the session, it's also possible to hash the password hash before`
	`24`	`+ * serializing it; crc32c is the only algorithm supported.`
	`25`	`+ * For example:`
	`26`	`+ *`
	`27`	`+ * public function __serialize(): array`
	`28`	`+ * {`
	`29`	`+ * $data = (array) $this;`
	`30`	`+ * $data["\0".self::class."\0password"] = hash('crc32c', $this->password);`
	`31`	`+ *`
	`32`	`+ * return $data;`
	`33`	`+ * }`
	`34`	`+ *`
	`35`	`+ * Implement EquatableInteface if you need another logic.`
	`36`	`+ *`
`17`	`37`	`* @author Robin Chalas <robin.chalas@gmail.com>`
`18`	`38`	`* @author Wouter de Jong <wouter@wouterj.nl>`
`19`	`39`	`*/`
`@@ -23,9 +43,6 @@ interface PasswordAuthenticatedUserInterface`
`23`	`43`	`* Returns the hashed password used to authenticate the user.`
`24`	`44`	`*`
`25`	`45`	`* Usually on authentication, a plain-text password will be compared to this value.`
`26`		`- *`
`27`		`- * The __serialize/__unserialize() magic methods can be implemented on the user`
`28`		`- * class to prevent hashed passwords from being put in the session storage.`
`29`	`46`	`*/`
`30`	`47`	`publicfunctiongetPassword(): ?string;`
`31`	`48`	`}`

`‎src/Symfony/Component/Security/Http/CHANGELOG.md`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,7 @@ CHANGELOG`
`6`	`6`
`7`	`7`	* Add encryption support to`OidcTokenHandler` (JWE)
`8`	`8`	* Replace`$hideAccountStatusExceptions` argument with`$exposeSecurityErrors` in`AuthenticatorManager` constructor
	`9`	`+* Support hashing the hashed password using crc32c when putting the user in the session`
`9`	`10`
`10`	`11`	`7.2`
`11`	`12`	`---`

`‎src/Symfony/Component/Security/Http/Firewall/ContextListener.php`

Lines changed: 8 additions & 4 deletions

Original file line number	Diff line number	Diff line change
`@@ -292,9 +292,13 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa`
`292`	`292`	`}`
`293`	`293`
`294`	`294`	`if ($originalUserinstanceof PasswordAuthenticatedUserInterface \|\|$refreshedUserinstanceof PasswordAuthenticatedUserInterface) {`
`295`		`-if (!$originalUserinstanceof PasswordAuthenticatedUserInterface`
`296`		`- \|\| !$refreshedUserinstanceof PasswordAuthenticatedUserInterface`
`297`		`- \|\|$refreshedUser->getPassword() !== ($originalUser->getPassword() ??$refreshedUser->getPassword())`
	`295`	`+if (!$originalUserinstanceof PasswordAuthenticatedUserInterface \|\| !$refreshedUserinstanceof PasswordAuthenticatedUserInterface) {`
	`296`	`+returntrue;`
	`297`	`+ }`
	`298`	`+`
	`299`	`+if (null !== ($originalPassword =$originalUser->getPassword())`
	`300`	`+ && ($refreshedPassword =$refreshedUser->getPassword()) !==$originalPassword`
	`301`	`+ && (8 !==\strlen($originalPassword) \|\|hash('crc32c',$refreshedPassword ??$originalPassword) !==$originalPassword)`
`298`	`302`	`) {`
`299`	`303`	`returntrue;`
`300`	`304`	`}`
`@@ -303,7 +307,7 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa`
`303`	`307`	`returntrue;`
`304`	`308`	`}`
`305`	`309`
`306`		`-if ($originalUserinstanceof LegacyPasswordAuthenticatedUserInterface &&$refreshedUserinstanceof LegacyPasswordAuthenticatedUserInterface &&$originalUser->getSalt() !==$refreshedUser->getSalt()) {`
	`310`	`+if ($originalUserinstanceof LegacyPasswordAuthenticatedUserInterface &&$originalUser->getSalt() !==$refreshedUser->getSalt()) {`
`307`	`311`	`returntrue;`
`308`	`312`	`}`
`309`	`313`	`}`

`‎src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php`

Lines changed: 6 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -377,9 +377,13 @@ public function testOnKernelResponseRemoveListener()`
`377`	`377`	`$this->assertEmpty($dispatcher->getListeners());`
`378`	`378`	`}`
`379`	`379`
`380`		`-publicfunctiontestRemovingPasswordFromSessionDoesntInvalidateTheToken()`
	`380`	`+/**`
	`381`	`+ * @testWith [true]`
	`382`	`+ * [false]`
	`383`	`+ */`
	`384`	`+publicfunctiontestNullOrHashedPasswordInSessionDoesntInvalidateTheToken(bool$hashPassword)`
`381`	`385`	`{`
`382`		`-$user =newCustomUser('user', ['ROLE_USER'],'pass');`
	`386`	`+$user =newCustomUser('user', ['ROLE_USER'],'pass',$hashPassword);`
`383`	`387`
`384`	`388`	`$userProvider =$this->createMock(UserProviderInterface::class);`
`385`	`389`	`$userProvider->expects($this->once())`

`‎src/Symfony/Component/Security/Http/Tests/Fixtures/CustomUser.php`

Lines changed: 12 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -19,7 +19,8 @@ final class CustomUser implements UserInterface, PasswordAuthenticatedUserInterf`
`19`	`19`	`publicfunction__construct(`
`20`	`20`	`privatestring$username,`
`21`	`21`	`privatearray$roles,`
`22`		`-private ?string$password =null,`
	`22`	`+private ?string$password,`
	`23`	`+privatebool$hashPassword,`
`23`	`24`	`) {`
`24`	`25`	`}`
`25`	`26`
`@@ -44,6 +45,15 @@ public function eraseCredentials(): void`
`44`	`45`
`45`	`46`	`publicfunction__serialize():array`
`46`	`47`	`{`
`47`		`-return [\sprintf("\0%s\0username",self::class) =>$this->username];`
	`48`	`+$data = (array)$this;`
	`49`	`+$passwordKey =\sprintf("\0%s\0password",self::class);`
	`50`	`+`
	`51`	`+if ($this->hashPassword) {`
	`52`	`+$data[$passwordKey] =hash('crc32c',$this->password);`
	`53`	`+ }else {`
	`54`	`+ unset($data[$passwordKey]);`
	`55`	`+ }`
	`56`	`+`
	`57`	`+return$data;`
`48`	`58`	`}`
`49`	`59`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit8243e9a

File tree

5 files changed

5 files changed

`‎src/Symfony/Component/Security/Core/User/PasswordAuthenticatedUserInterface.php`

`‎src/Symfony/Component/Security/Http/CHANGELOG.md`

`‎src/Symfony/Component/Security/Http/Firewall/ContextListener.php`

`‎src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php`

`‎src/Symfony/Component/Security/Http/Tests/Fixtures/CustomUser.php`

0 commit comments