Uh oh!
There was an error while loading.Please reload this page.
- Notifications
You must be signed in to change notification settings - Fork9.6k
[Security] Extract password hashing from security-core - with proper wording#39802
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Uh oh!
There was an error while loading.Please reload this page.
Conversation
src/Symfony/Component/Security/Password/SaltingPasswordHasherInterface.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
src/Symfony/Component/Security/Core/Encoder/UserPasswordEncoder.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.phpShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
ed07ff3 to1dd61ccComparesrc/Symfony/Component/Security/Core/Encoder/EncoderAwareInterface.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
src/Symfony/Component/Security/Guard/Provider/GuardAuthenticationProvider.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
src/Symfony/Component/Security/Password/Hasher/HasherFactoryInterface.php OutdatedShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
I like the idea of moving password hasing out of security-core. Would it make sense to create a contracts package for the new hasher interfaces? |
I don't think these interfaces need to be in contracts. HasherInterface is not something you would typehint anyway most of the time (you need the factory to get the right hasher for that user class). |
7203a1e tob40a7e0CompareA note on the interface implementation, it happened multiple times that the neeed for a re hashing of a password was something depended on the user/token holding it, not just the password itself. Would it be possible to talke that into consideration somehow? |
b39ced8 tob6ed024Compare…TypeDeclarationsPass (chalasr)This PR was merged into the 4.4 branch.Discussion----------[DependencyInjection] Skip deprecated definitions in CheckTypeDeclarationsPass| Q | A| ------------- | ---| Branch? | 4.4| Bug fix? | yes| New feature? | no| Deprecations? | no| Tickets | -| License | MIT| Doc PR | -When a definition uses a deprecated class , `CheckTypeDeclarationsPass` (with `$autoload = true`) will autoload the class, which triggers a deprecation notice. That breaks the CI in#39802 because the compiler pass is registered inside the SecurityBundle test suite.I propose to stop checking deprecated definitions. Makes sense?Commits-------531c81a [DI] Skip deprecated definitions in CheckTypeDeclarationsPass
Uh oh!
There was an error while loading.Please reload this page.
src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.phpShow resolvedHide resolved
Uh oh!
There was an error while loading.Please reload this page.
nicolas-grekas left a comment• edited
Loading Uh oh!
There was an error while loading.Please reload this page.
edited
Uh oh!
There was an error while loading.Please reload this page.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Thanks! Good to me,once UPGRADE files are updated :)
Thanks a lot@chalasr! I can't wait to see all the deprecated stuff be removed in 6.0 :) |
…for "native" and "auto" (chalasr)This PR was merged into the 5.3-dev branch.Discussion----------[PasswordHasher] Use bcrypt as default hash algorithm for "native" and "auto"| Q | A| ------------- | ---| Branch? | 5.x| Bug fix? | no| New feature? | yes| Deprecations? | no| Tickets | -| License | MIT| Doc PR | -As suggested in#39802 (comment), based onhttps://twitter.com/TerahashCorp/status/1155129705034653698Commits-------332817a Use bcrypt as default password hash algorithm for "native" and "auto"
…for "native" and "auto" (chalasr)This PR was merged into the 5.3-dev branch.Discussion----------[PasswordHasher] Use bcrypt as default hash algorithm for "native" and "auto"| Q | A| ------------- | ---| Branch? | 5.x| Bug fix? | no| New feature? | yes| Deprecations? | no| Tickets | -| License | MIT| Doc PR | -As suggested insymfony/symfony#39802 (comment), based onhttps://twitter.com/TerahashCorp/status/1155129705034653698Commits-------332817ac29 Use bcrypt as default password hash algorithm for "native" and "auto"
…ions (chalasr)This PR was merged into the 5.3-dev branch.Discussion----------[Security] Re-add accidentally removed property declarations| Q | A| ------------- | ---| Branch? | 5.x| Bug fix? | no| New feature? | no| Deprecations? | no| Tickets | -| License | MIT| Doc PR | -spotted while playing with psalm locally, mistake made in#39802Commits-------bccf736 [Security] Readd accidentally removed property declarations
…dEncoder (derrabus)This PR was merged into the 5.3 branch.Discussion----------[Security] Restore extension point in MessageDigestPasswordEncoder| Q | A| ------------- | ---| Branch? | 5.3| Bug fix? | yes| New feature? | no| Deprecations? | no| Tickets |#41696 (comment)| License | MIT| Doc PR | N/AUntil Symfony 5.2, it was possible to extend `MessageDigestPasswordEncoder` and override the way password and salt are merged. This broke with#39802. I've restored the old logic and added a test case to cover that scenario.Commits-------4568876 [Security] Restore extension point in MessageDigestPasswordEncoder
Uh oh!
There was an error while loading.Please reload this page.
This PR renames password "encoders" to passwordhashers (naming widely used, see e.g. django or laravel).
This also takes the opportunity to extract the logic related to password hashing from security-core, moving it to a new password-hasher component.
Nowadays, many modern web apps and APIs don't deal with passwords at all, that's why splitting makes sense as a step towards making security-core not tied to the password concept.
For upgrading, applications will have to use
passwords_hashersinstead ofencodersin their security configuration, and type-hint againstPasswordHasherInterface(and related) instead ofPasswordEncoderInterface.The proposed API is not much different from the encoder one regarding behavior and signatures, and it is slightly more close to the PHP built-in password hashing API: