[Security] Decoupling password from UserInterface #23081
Comments
|
i find your idea interesting but i would have used the UserName with the Password in the Password history like: for that i would have used a UserToken that just implements hm with that you can also use it to tell the user that he already used a password like that (with same hash) |
|
@Vinorcola : The Instead of using services:
Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface:
factory: 'Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface:getEncoder'
# or
factory: 'security.encoder_factory:getEncoder'
arguments: ['AppBundle\Entity\User'] |
|
Personally, I'd rather see the |
|
@Vinorcola for that do you currently plan to use "PasswordHistory"? because i would be interested in such thing too |
|
@Hanmac Yes that's excatly why I want to use it. I don't need the username since PasswordHistory has a relation with the user account entity. It is not that diffcult: when the user change his password, before registering it, you just try to match it to all its password history. If one match, then you refuse the given password. @ogizanagi Thanks, good idea to create a service with a factory! |
|
@Vinorcola interesting, would like to see if its ready to bundle would it work with FOSUserbundle too? |
|
Big upvote in general, and highly agree with @iltar that In a modern application with OAuth or other SSO mechanisms the Symfony authentication layer is enforcing way too much crap on the developer that should be opt-in. |
|
Hi, I fully agree with @curry684 and @iltar. There are more and more cases today where users are no longer authenticated via username/password pair anymore.
|
|
I would also like to see |
|
Please don't orient the usage of the |
|
@linaori so you are saying should not follow Symfony's own docs on how to create a user? Seems like an odd recommendation. as for an intermediate DTO, that may be a fine solution for a new app, but I am working with a very old code base with existing users and changing to add a new "layer" is much harder than simply implementing an interface on an existing Entity. It just seems silly that to do so, I would need to leave Password/Salt/eraseCredentials blank! |
Yes.
Shortcuts are usually easier and take more time on the long run, and often cause a headache in the process. |
I have never implemented those functions in any project. I just copy/paste these lines along: /**
* {@inheritdoc}
*/
public function getPassword()
{
return '';
}
/**
* {@inheritdoc}
*/
public function getSalt()
{
return '';
}
/**
* {@inheritdoc}
*/
public function eraseCredentials()
{
// Noop
}In the end, Symfony's docs are correctly documenting an authentication layer that worked fine during the early Symfony 2.x days but hasn't really kept up recently with the world of OAuth, federated identities et al. So yes, deviate from them by all means, the beauty of a flexible framework is that it lets you. And the beauty of open source is that this issue is about removing this obsolete boilerplate stuff. |
|
Not sure if this has been proposed before. I think we should rather have
|
|
I prefer the generic term |
|
Thank you for this suggestion. |
|
Note that although this is closed, work is being done here. A PR is coming soonish! |
|
See #40267 |
…asr) This PR was merged into the 5.3-dev branch. Discussion ---------- [Security] Decouple passwords from UserInterface | Q | A | ------------- | --- | Branch? | 5.x | Bug fix? | no | New feature? | yes | Deprecations? | yes | Tickets | #23081, helps with #39308 | License | MIT | Doc PR | todo This PR addresses a long-standing issue of the Security component: UserInterface is coupled to passwords. It does it by moving the `getPassword()` method from `UserInterface` to a `PasswordAuthenticatedUserInterface`, and the `getSalt()` method to a `LegacyPasswordAuthenticatedUserInterface`. Steps: - In 5.3, we add the new interface and, at places where password-based authentication happens, trigger deprecation notices when a `UserInterface` object does not implement the new interface(s). The UserInterface is kept as-is until 6.0. - In 6.0, we can remove the methods from `UserInterface` as well as support for using password authentication with user objects not implementing the new interface(s). As a side-effect, some password-related interfaces (`UserPasswordHasherInterface` and `PasswordUpgraderInterface`) must change their signatures to type-hint against the new interface. That is done in a BC way, which is to make the concerned methods virtual until 6.0, with deprecation notices triggered from callers and concrete implementations. Benefits: In 6.0, applications that use password-less authentication (e.g. login links) won't need to write no-op `getPassword()` and `getSalt()` in order to fulfil the `UserInterface` contract. For applications that do use password-based authentication, they will need to opt-in explicitly by implementing the relevant interface(s). This build on great discussions with @wouterj and @nicolas-grekas, and it is part of the overall rework of the Security component. Commits ------- 2764225 [Security] Decouple passwords from UserInterface
I think we should decouple password from UserInterface (having a PasswordInterface for example) in order to be able to use them with the password encoding system. Currently, you need to pass a whole UserInterface for encoding password, while a simple password/salt is enough.
This would be usefull to implement some system where you manager password history. Right now, you need the "PasswordHistory" object to implement UserInterface in order to be used with the PasswordEncoder. But having a username or roles into a PasswordHistory object doesn't make any sense...
The text was updated successfully, but these errors were encountered: