[symfony/security-bundle] set encoder to "auto" for all UserInterface by default #576
Conversation
| in_memory: { memory: ~ } | ||
| encoders: | ||
| Symfony\Component\Security\Core\User\UserInterface: | ||
| algorithm: auto |
There was a problem hiding this comment.
# configure password encoding logic (if your app needs to encode passwords)
encoders:
# Any User class will automatically use the best-available password hashing algorithm
Symfony\Component\Security\Core\User\UserInterface:
algorithm: autoThis requires a bit more explanation than I like. First, adding this section for everyone, even if it's pretty common not to need a hashing algo, isn't ideal. But, I think it's not too big of a deal.
The bigger thing is that the Symfony\Component\Security\Core\User\UserInterface config isn't immediately obvious... it's not terrible, but I need to explain to you that "Hey! All classes implement this interface, and because this is a class-based map that respects interfaces, all user classes will use this algorithm". Of course... the user might think "what do you mean about all user classES, should I have multiple"?
A few possible ideas:
- Add a special
defaultkey under encoders
and/or
- Let MakerBundle / the docs add this section for the user. I don't think causes a real security issue, as MakerBundle and the docs will recommend auto.
and my unrelated point (3)... rename encoders to password_encoders ;)
There was a problem hiding this comment.
well, if we do a renaming in 5.0, we should actually move away from encoder. We are hashing password hopefully, not encoding them.
There was a problem hiding this comment.
Probably better to leave it now, properly think about things for 4.4/5.0
|
Renaming encoders to something else is another story someone needs to pursue. Thanks for the feedback: maker + doc will do the trick, no need for the recipe. I like it :) |
Needs symfony/symfony#31140
ping @weaverryan WDYT?