Support security encoder and added support for argon2 and co. #536
Conversation
…d support argon2 and others
That's not true. It continues using
They don't. We can only implement that when Symfony 4.4 is released. But we're talking about |
|
That's clever 🦊 Then the only thing that we need to discuss is the class usage. There are still a lot of |
|
Yeah in fact it doesn't really matter. It's just "more correct" the way it is now 😄 |
|
Note to myself: After merging this, create a ticket for Contao 4.9 reminding us to implement the |
b270ec6 to
62b6531
Compare
|
Thank you @Toflar. |
|
Reminder issue: #538 |
|
contao/core-bundle/src/Resources/contao/library/Contao/Encryption.php Lines 183 to 185 in f5748db Encryption::test() provides a method to test if a given string is a hash.
Recently I've been using
|
Why do you need that anyway? :) |
In the |
|
I don't understand that use case, sorry :) But maybe you could do this in PHP when using the password hashing API using |
|
|
|
Yeah so there's no way to do so as of today. Time for a SF PR if you need that ;) |
Doing this is probably be a security issue because a password that looks like a hash must not be handled differently. What if my actual password starts with I think you have to design your code so that you know in advance if you are working with a hash or with a plaintext password. |
In Symfony 4.3, a new security encoder named
autowas introduced. It will choose the best password hashing algorithm based on what Symfony and/or the PHP community decides.Currently this would mean as of PHP 7.2 if you did compile your PHP using libsodium, you'll have argon2 available. I wanted to make sure my setup benefits from the strongest algorithms available so I've implemented the
autoconfiguration by default and it will fall back to the currentbcryptconfiguration in case you are not yet on Symfony 4.3. Of courseautomay still takebcryptin case your system does not support libsodium.While implementing I noticed that we still use the password hashing API directly instead of relying on the Symfony components. This means you can configure a different algorithm in the security configuration but it will never work 😄 So I fixed this by replacing all our direct password hashing API calls with the underlying Symfony security components.
BTW: I had to remove the usage of
password_needs_rehash()to completely rely on the Symfony encoder configured. This means right now you cannot automatically upgrade which is why currently theSodiumPasswordEncoderwill also verify bcrypt passwords. Symfony will address this in 4.4 so we can (symfony/symfony#31843) completely rely on what Symfony is doing very soon. As of now, there are onlybcryptandargon2anyway and those will be handled properly.