Kategorien
Symfony

Symfony Security Passwörter hashen mit dem PasswordEncoder

Der PasswordEncoder des Symfony Frameworks ist sehr gut geeignet auch in Zukunft sichere Hashes von Passwörtern in der Datenbank zu speichern und zentral zu konfigurieren.

Das SecurityBundle muss ggf. nachinstalliert werden:

composer require symfony/security-bundle

Man legt dazu in der security.yaml fest, welchen Hashing Algorithmus man verwenden will für welche Entität:

security:
    encoders:
        App\Entity\User: bcrypt

Die Entität muss das UserInterface implementieren:

namespace App\Entity;

use Symfony\Component\Security\Core\Encoder\UserPasswordEncoder; 
use Symfony\Component\Security\Core\User\UserInterface;

class User implements UserInterface{

/**
 * @param string
 *
 * @ORM\Column(type="string", length=100)
 */
protected $password;

/**
 * @return string
 */
public function getPassword()
{
    return $this->password;
}

/**
 * Returns the roles granted to the user.
 *
 * <code>
 * public function getRoles()
 * {
 * return array('ROLE_USER');
 * }
 * </code>
 *
 * Alternatively, the roles might be stored on a ``roles`` property,
 * and populated in any number of different ways when the user object
 * is created.
 *
 * @return (Role|string)[] The user roles
 */
public function getRoles()
{
 return array('ROLE_USER');
}

/**
 * Returns the salt that was originally used to encode the password.
 *
 * This can return null if the password was not encoded using a salt.
 *
 * @return string|null The salt
 */
public function getSalt()
{
 return null;
}

/**
 * Removes sensitive data from the user.
 *
 * This is important if, at any given point, sensitive information like
 * the plain-text password is stored on this object.
 */
public function eraseCredentials()
{

}

Dann kann man den PasswordEncoder injezieren per Dependency Injektion:

App\Repository\UserRepository:
      - '@security.password_encoder'

und zum speichern von Passwörtern in der Datenbank benutzen (ohne Dependency Injektion):

/**
 * @param User $user
 * @param string $password
 *
 * @return string
 */
protected function encodePassword($user, $password): string
{
    /** @var UserPasswordEncoder $passwordEncoder */
    $passwordEncoder = $this->container->get('security.password_encoder');
    return $passwordEncoder->encodePassword($user, $password);
}

und zum Überprüfen von Passwörtern beim Login (mit Dependency Injektion:

if(!$this->passwordEncoder->isPasswordValid($user, $password)) {
    throw new UnauthorizedHttpException('invalid login');
}