Built-in password hash migrations · Issue #31139 · symfony/symfony · GitHub
Built-in password hash migrations #31139
Closed
@nicolas-grekas

#30955 is proposing adding a new event to hook into the password verification process and allow listeners to deal with clear text passwords. Thinking a bit about this approach, I have a different one to propose here.

The most important drawback of #30955 is that it's still up to the application to implement some custom code to run a "needs rehash" logic then a "persist new encoded password" one. The 2nd drawback is that this gives a trivial way to hook into the process to leak clear text passwords (inadvertently or not).

The boilerplate of a listener shouldn't be needed: security should be first class by default, and this means progressive migration of passwords should be built in and the default behavior.

Instead of adding this hook, I'd suggest adding two new interfaces (names/etc are draft):

interface UpgradablePasswordInterface
{
    public function upgradePassword(string $encoded): void;
}

interface RehashAwarePasswordEncoderInterface extends PasswordEncoderInterface
{
    public function needsRehash(string $encoded): bool;
}

Then, a UserPasswordEncoder could call both methods when applicable inside its isPasswordValid method, and done.

WDYT?
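
The verify-then-upgrade flow proposed above, as an added example that is not part of the original issue and is not Symfony's code. The two interfaces reuse the issue's draft names but are made stand-alone (no Symfony parent interface); `BcryptEncoder`, `User` and `verifyAndUpgrade` are hypothetical names, and PHP 8.0+ is assumed.

```php
<?php
// Draft interfaces from the issue, made stand-alone (no Symfony dependency).
interface UpgradablePasswordInterface { public function upgradePassword(string $encoded): void; }
interface RehashAwarePasswordEncoderInterface
{
    public function encodePassword(string $raw): string;
    public function isPasswordValid(string $encoded, string $raw): bool;
    public function needsRehash(string $encoded): bool;
}

// Hypothetical encoder: bcrypt at a configurable cost.
final class BcryptEncoder implements RehashAwarePasswordEncoderInterface
{
    public function __construct(private int $cost) {}
    public function encodePassword(string $raw): string {
        return password_hash($raw, PASSWORD_BCRYPT, ['cost' => $this->cost]);
    }
    public function isPasswordValid(string $encoded, string $raw): bool {
        return password_verify($raw, $encoded);
    }
    public function needsRehash(string $encoded): bool {
        return password_needs_rehash($encoded, PASSWORD_BCRYPT, ['cost' => $this->cost]);
    }
}

// Hypothetical user; a real application would persist the new hash here.
final class User implements UpgradablePasswordInterface
{
    public function __construct(public string $hash) {}
    public function upgradePassword(string $encoded): void { $this->hash = $encoded; }
}

// Verify first; rehash only after success, while the clear text is still in scope.
function verifyAndUpgrade(RehashAwarePasswordEncoderInterface $enc, User $user, string $raw): bool
{
    if (!$enc->isPasswordValid($user->hash, $raw)) {
        return false; // a failed attempt must never replace the stored hash
    }
    if ($enc->needsRehash($user->hash)) {
        $user->upgradePassword($enc->encodePassword($raw));
    }
    return true;
}

$user = new User(password_hash('s3cret', PASSWORD_BCRYPT, ['cost' => 4])); // constructed legacy hash
$enc = new BcryptEncoder(12);
var_dump(verifyAndUpgrade($enc, $user, 'wrong'), $enc->needsRehash($user->hash));
var_dump(verifyAndUpgrade($enc, $user, 's3cret'), $enc->needsRehash($user->hash));
```

The clear-text password never leaves `verifyAndUpgrade`, which is the property the issue contrasts with an event listener that receives it.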
