symfony · wouterj · Feb 12, 2021 · Jan 5, 2021
diff --git a/UPGRADE-5.3.md b/UPGRADE-5.3.md
@@ -69,8 +69,19 @@ PropertyInfo
 Security
 --------
 
+ * Deprecate all classes in the `Core\Encoder\`  sub-namespace, use the `PasswordHasher` component instead
  * Deprecated voters that do not return a valid decision when calling the `vote` method
 
+SecurityBundle
+--------------
+
+ * Deprecate `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command,
+   use `UserPasswordHashCommand` and `user:hash-password` instead
+ * Deprecate the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases,
+   use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead
+ * Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
+   use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
+
 Serializer
 ----------
 

diff --git a/UPGRADE-6.0.md b/UPGRADE-6.0.md
@@ -166,6 +166,7 @@ Routing
 Security
 --------
 
+ * Drop all classes in the `Core\Encoder\`  sub-namespace, use the `PasswordHasher` component instead
  * Drop support for `SessionInterface $session` as constructor argument of `SessionTokenStorage`, inject a `\Symfony\Component\HttpFoundation\RequestStack $requestStack` instead
  * Drop support for `session` provided by the ServiceLocator injected in `UsageTrackingTokenStorage`, provide a `request_stack` service instead
  * Make `SessionTokenStorage` throw a `SessionNotFoundException` when called outside a request context
@@ -179,6 +180,16 @@ Security
  * Removed the `AbstractRememberMeServices::$providerKey` property in favor of `AbstractRememberMeServices::$firewallName`
  * `AccessDecisionManager` now throw an exception when a voter does not return a valid decision.
 
+SecurityBundle
+--------------
+
+ * Remove the `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command,
+   use `UserPasswordHashCommand` and `user:hash-password` instead
+ * Remove the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases,
+   use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead
+ * Remove the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
+   use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
+
 Serializer
 ----------
 

diff --git a/composer.json b/composer.json
@@ -86,6 +86,7 @@
         "symfony/monolog-bridge": "self.version",
         "symfony/notifier": "self.version",
         "symfony/options-resolver": "self.version",
+        "symfony/password-hasher": "self.version",
         "symfony/process": "self.version",
         "symfony/property-access": "self.version",
         "symfony/property-info": "self.version",

diff --git a/src/Symfony/Bundle/FrameworkBundle/composer.json b/src/Symfony/Bundle/FrameworkBundle/composer.json
@@ -51,7 +51,7 @@
         "symfony/messenger": "^5.2",
         "symfony/mime": "^4.4|^5.0",
         "symfony/process": "^4.4|^5.0",
-        "symfony/security-bundle": "^5.2",
+        "symfony/security-bundle": "^5.3",
         "symfony/serializer": "^5.2",
         "symfony/stopwatch": "^4.4|^5.0",
         "symfony/string": "^5.0",

diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -1,6 +1,16 @@
 CHANGELOG
 =========
 
+5.3
+---
+
+ * Deprecate `UserPasswordEncoderCommand` class and the corresponding `user:encode-password` command,
+   use `UserPasswordHashCommand` and `user:hash-password` instead
+ * Deprecate the `security.encoder_factory.generic` service, the `security.encoder_factory` and `Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface` aliases,
+   use `security.password_hasher_factory` and `Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface` instead
+ * Deprecate the `security.user_password_encoder.generic` service, the `security.password_encoder` and the `Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface` aliases,
+   use `security.user_password_hasher`, `security.password_hasher` and `Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface` instead
+
 5.2.0
 -----
 

diff --git a/src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php b/src/Symfony/Bundle/SecurityBundle/Command/UserPasswordEncoderCommand.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Console\Output\OutputInterface;
 use Symfony\Component\Console\Question\Question;
 use Symfony\Component\Console\Style\SymfonyStyle;
+use Symfony\Component\PasswordHasher\Command\UserPasswordHashCommand;
 use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Security\Core\Encoder\SelfSaltingEncoderInterface;
 
@@ -30,6 +31,8 @@
  * @author Sarah Khalil <mkhalil.sarah@gmail.com>
  *
  * @final
+ *
+ * @deprecated since Symfony 5.3, use {@link UserPasswordHashCommand} instead
  */
 class UserPasswordEncoderCommand extends Command
 {
@@ -107,6 +110,8 @@ protected function execute(InputInterface $input, OutputInterface $output): int
         $io = new SymfonyStyle($input, $output);
         $errorIo = $output instanceof ConsoleOutputInterface ? new SymfonyStyle($input, $output->getErrorOutput()) : $io;
 
+        $errorIo->caution('The use of the "security:encode-password" command is deprecated since version 5.3 and will be removed in 6.0. Use "security:hash-password" instead.');
+
         $input->isInteractive() ? $errorIo->title('Symfony Password Encoder Utility') : $errorIo->newLine();
 
         $password = $input->getArgument('password');

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php
@@ -65,6 +65,23 @@ public function getConfigTreeBuilder()
                     return $v;
                 })
             ->end()
+            ->beforeNormalization()
+                ->ifTrue(function ($v) {
+                    if ($v['encoders'] ?? false) {
+                        trigger_deprecation('symfony/security-bundle', '5.3', 'The child node "encoders" at path "security" is deprecated, use "password_hashers" instead.');
+
+                        return true;
+                    }
+
+                    return $v['password_hashers'] ?? false;
+                })
+                ->then(function ($v) {
+                    $v['password_hashers'] = array_merge($v['password_hashers'] ?? [], $v['encoders'] ?? []);
+                    $v['encoders'] = $v['password_hashers'];
+
+                    return $v;
+                })
+            ->end()
             ->children()
                 ->scalarNode('access_denied_url')->defaultNull()->example('/foo/error403')->end()
                 ->enumNode('session_fixation_strategy')
@@ -94,6 +111,7 @@ public function getConfigTreeBuilder()
         ;
 
         $this->addEncodersSection($rootNode);
+        $this->addPasswordHashersSection($rootNode);
         $this->addProvidersSection($rootNode);
         $this->addFirewallsSection($rootNode, $this->factories);
         $this->addAccessControlSection($rootNode);
@@ -401,6 +419,57 @@ private function addEncodersSection(ArrayNodeDefinition $rootNode)
         ;
     }
 
+    private function addPasswordHashersSection(ArrayNodeDefinition $rootNode)
+    {
+        $rootNode
+            ->fixXmlConfig('password_hasher')
+            ->children()
+                ->arrayNode('password_hashers')
+                    ->example([
+                        'App\Entity\User1' => 'auto',
+                        'App\Entity\User2' => [
+                            'algorithm' => 'auto',
+                            'time_cost' => 8,
+                            'cost' => 13,
+                        ],
+                    ])
+                    ->requiresAtLeastOneElement()
+                    ->useAttributeAsKey('class')
+                    ->prototype('array')
+                        ->canBeUnset()
+                        ->performNoDeepMerging()
+                        ->beforeNormalization()->ifString()->then(function ($v) { return ['algorithm' => $v]; })->end()
+                        ->children()
+                            ->scalarNode('algorithm')
+                                ->cannotBeEmpty()
+                                ->validate()
+                                    ->ifTrue(function ($v) { return !\is_string($v); })
+                                    ->thenInvalid('You must provide a string value.')
+                                ->end()
+                            ->end()
+                            ->arrayNode('migrate_from')
+                                ->prototype('scalar')->end()
+                                ->beforeNormalization()->castToArray()->end()
+                            ->end()
+                            ->scalarNode('hash_algorithm')->info('Name of hashing algorithm for PBKDF2 (i.e. sha256, sha512, etc..) See hash_algos() for a list of supported algorithms.')->defaultValue('sha512')->end()
+                            ->scalarNode('key_length')->defaultValue(40)->end()
+                            ->booleanNode('ignore_case')->defaultFalse()->end()
+                            ->booleanNode('encode_as_base64')->defaultTrue()->end()
+                            ->scalarNode('iterations')->defaultValue(5000)->end()
+                            ->integerNode('cost')
+                                ->min(4)
+                                ->max(31)
+                                ->defaultNull()
+                            ->end()
+                            ->scalarNode('memory_cost')->defaultNull()->end()
+                            ->scalarNode('time_cost')->defaultNull()->end()
+                            ->scalarNode('id')->end()
+                        ->end()
+                    ->end()
+                ->end()
+        ->end();
+    }
+
     private function getAccessDecisionStrategies()
     {
         $strategies = [