Skip to content

[Security] add PasswordEncoderInterface::needsRehash() #31594

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jun 4, 2019
Merged

[Security] add PasswordEncoderInterface::needsRehash() #31594

merged 1 commit into from
Jun 4, 2019

Conversation

nicolas-grekas
Copy link
Member

Q A
Branch? master
Bug fix? no
New feature? yes
BC breaks? no
Deprecations? yes
Tests pass? yes
Fixed tickets -
License MIT
Doc PR -

Split from #31153, with tests.

@nicolas-grekas nicolas-grekas added this to the next milestone May 23, 2019
chalasr
chalasr approved these changes May 23, 2019
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could be worth an UPGRADE entry as not implementing them will break in 5.0

@nicolas-grekas nicolas-grekas force-pushed the sec-needs-rehash branch 3 times, most recently from d91d302 to 25c197b Compare May 24, 2019 08:02
@nicolas-grekas nicolas-grekas changed the base branch from master to 4.4 June 2, 2019 20:02
@nicolas-grekas
Copy link
Member Author

friendly ping @symfony/deciders

xabbuh
xabbuh reviewed Jun 3, 2019
View reviewed changes
src/Symfony/Component/Security/Core/Encoder/SodiumPasswordEncoder.php
/**
* {@inheritdoc}
*/
public function needsRehash(string $encoded): bool
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add a check for BCrypt passwords too?

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's deprecated so I don't think we should improve it further.

Tobion
Tobion approved these changes Jun 3, 2019
View reviewed changes
Copy link
Contributor

@Tobion Tobion left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Agree with this. It's best practice to have the hash contain the algo, salt, and options and then determine based on this if a rehash is needed.
But going this way contradics the old way of doing that using a salt parameter and UserPasswordEncoderInterface. So I think we should deprecate

@chalasr
Copy link
Member

chalasr commented Jun 4, 2019

Thank you @nicolas-grekas.

@chalasr chalasr mentioned this pull request Jun 4, 2019
Closed
@chalasr chalasr merged commit 50590dc into symfony:4.4 Jun 4, 2019
chalasr pushed a commit that referenced this pull request Jun 4, 2019
feature #31594 [Security] add PasswordEncoderInterface::needsRehash()…
1768c93 
… (nicolas-grekas)

This PR was merged into the 4.4 branch.

Discussion
----------

[Security] add PasswordEncoderInterface::needsRehash()

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | yes
| Tests pass?   | yes
| Fixed tickets | -
| License       | MIT
| Doc PR        | -

Split from #31153, with tests.

Commits
-------

50590dc [Security] add PasswordEncoderInterface::needsRehash()
@nicolas-grekas nicolas-grekas deleted the sec-needs-rehash branch June 4, 2019 06:29
@ro0NL ro0NL mentioned this pull request Aug 6, 2019
Closed
35 tasks
@nicolas-grekas nicolas-grekas modified the milestones: next, 4.4 Oct 27, 2019
This was referenced Nov 12, 2019
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@xabbuh xabbuh xabbuh left review comments

@Tobion Tobion Tobion approved these changes

@Simperfit Simperfit Simperfit approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Deprecation Feature Security Status: Reviewed
Projects
None yet
Milestone
4.4
Development

Successfully merging this pull request may close these issues.
6 participants
@nicolas-grekas @chalasr @Tobion @xabbuh @Simperfit @carsonbot