Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[SecurityBundle] Throw on using both "id" and "migrate_from" option in hasher config#51670

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Conversation

@ogizanagi
Copy link
Contributor

QA
Branch?6.4
Bug fix?no
New feature?yes
Deprecations?no
TicketsN/A...
LicenseMIT
Doc PRN/A

I stumbled upon this DX issue lately when trying to definea custom hasher service while handling password migration with a legacy one usingmigrate_from.

Such a config:

security:# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwordspassword_hashers:legacy:md5App\User\Identity:id:App\Security\CustomHashermigrate_from:                -legacy

will not indicate any issue to the developper, while themigrate_from is completely ignored and will not wrap theCustomHasher into aMigratingPasswordHasher with thelegacy extra hasher ; which means the password migration will not work as expected.

➜ This PR suggests to throw a configuration exception with a hint regarding this.

Perhaps it would be great to make this possible for Symfony 7.1?

@carsonbotcarsonbot added Status: Needs Review DXDX = Developer eXperience (anything that improves the experience of using Symfony) Feature SecurityBundle labelsSep 15, 2023
@carsonbotcarsonbot added this to the6.4 milestoneSep 15, 2023
@carsonbotcarsonbot changed the title[SecurityBundle][DX] Throw on using both "id" and "migrate_from" option in hasher config[SecurityBundle] Throw on using both "id" and "migrate_from" option in hasher configSep 15, 2023
->beforeNormalization()->ifString()->then(fn ($v) => ['algorithm' =>$v])->end()
->validate()
->ifTrue(fn ($v) =>isset($v['migrate_from'],$v['id']) &&0 !==\count($v['migrate_from']))
->thenInvalid('You cannot use "migrate_from" when using a custom service id.')
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

As it was silently ignored before, it would be better to trigger a deprecation than throwing an error, to avoid breaking projects in 6.4

Copy link
ContributorAuthor

@ogizanagiogizanagiSep 18, 2023
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Since it would mean such projects are configured in a way the developers think it'll handle the password migration properly, but is not, making them aware of the issue the hard way during upgrade might be better?

The fix for removing this exception is straightforward enough, unless this config is hidden somehow in a dependency or whatever (but I would expect the issue would have been already spotted in such a case).

@chalasr
Copy link
Member

What issue could arise if we just make it work as a bugfix instead?

@ogizanagi
Copy link
ContributorAuthor

What issue could arise if we just make it work as a bugfix instead?

@chalasr : Do you mean applying this patch to lower branches as well, or making the configuration work with custom hasher ids?

@chalasr
Copy link
Member

@ogizanagi I mean making it work as it is the expected behavior to me. Even if we just didn’t think about it, if making it work doesn’t have much potential to break userland code then I think we should do it instead of deprecating to make it work later.

ogizanagi reacted with thumbs up emoji

@ogizanagi
Copy link
ContributorAuthor

ogizanagi commentedSep 18, 2023
edited by nicolas-grekas
Loading

@chalasr : Alright, done in#51686

chalasr reacted with rocket emoji

nicolas-grekas added a commit that referenced this pull requestSep 19, 2023
…th custom hasher service with security bundle config (ogizanagi)This PR was merged into the 5.4 branch.Discussion----------[SecurityBundle][PasswordHasher] Fix password migration with custom hasher service with security bundle config| Q             | A| ------------- | ---| Branch?       | 5.4| Bug fix?      | yes| New feature?  | no| Deprecations? | no| Tickets       |Fix#51670 (alternative)| License       | MIT| Doc PR        | N/ASupersedes#51670 as a bug fix, so the security config properly uses a for the `migrate_from` when a `MigratingPasswordHasher` when a custom hasher service id is used:```yamlsecurity:    password_hashers:        legacy: md5        App\User\Identity:            id: App\Security\CustomHasher            migrate_from:                - legacy```---> **Note**> 6.3 patch :6.3...ogizanagi:63-security-custom-hasher-migrateCommits-------4d65f30 [SecurityBundle][PasswordHasher] Fix password migration with custom hasher service with security bundle config
@ogizanagiogizanagi deleted the throw-on-both-hasher-id-migrate branchSeptember 19, 2023 13:57
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@stofstofstof left review comments

@chalasrchalasrAwaiting requested review from chalasrchalasr is a code owner

Assignees

No one assigned

Labels

DXDX = Developer eXperience (anything that improves the experience of using Symfony)FeatureSecurityBundleStatus: Needs Review

Projects

None yet

Milestone

6.4

Development

Successfully merging this pull request may close these issues.

5 participants

@ogizanagi@chalasr@stof@nicolas-grekas@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp