Skip to content

[PasswordHasher] Use sodium as "best" hasher if with algorithm=auto #41646

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[PasswordHasher] Use sodium as "best" hasher if with algorithm=auto #41646

wants to merge 1 commit into from

Conversation

pableu
Copy link
Contributor

@pableu pableu commented Jun 9, 2021
edited
Loading

Q A
Branch? 5.3
Bug fix? yes
New feature? no
Deprecations? no
License MIT

According to the docs, setting password_hashers.xxx.algorithm=auto should prefer Sodium to native (bcrypt) if available:

it tries to use Sodium by default and falls back to the bcrypt password hashing function if not possible.

But this is not what's actually happening. New passwords are hashed with bcrypt ($2y$) instead of Argon2ID ($argon2id$). The MigratingPasswordHasher gets an instance of NativePasswordHasher instead of SodiumPasswordHasher as first parameter ($bestHasher).

I think this is a simple mixup and the fix seems easy enough.

But I haven't found a good way to write a test for it:

  • I can't get the "best hasher" out of the MigratingPasswordHasherto run an assertion on it
  • PasswordHasherFactory::getHasherConfigFromAlgorithm is private, otherwise I could simply test its output

I'm open for ideas. Or can we merge the fix without a test?

@pableu pableu requested a review from chalasr as a code owner June 9, 2021 18:46
@carsonbot carsonbot added this to the 5.3 milestone Jun 9, 2021
@chalasr
Copy link
Member

chalasr commented Jun 9, 2021

Thank you for the PR.

New passwords are hashed with bcrypt ($2y$) instead of Argon2ID ($argon2id$).

I'm sorry but this is intended, we switched back to bcrypt as default algorithm in 5.3 (see rationale in #40176) so I'm going to close this PR.

The bug seems to be in the docs, which is weird as it was changed in symfony/symfony-docs#14992. That's probably a merge that went wrong.

Fixing the docs again would be great if you can.
Thanks for your understanding.

@chalasr chalasr closed this Jun 9, 2021
@pableu pableu deleted the sodium-default-auto branch June 9, 2021 19:36
@pableu
Copy link
Contributor Author

pableu commented Jun 9, 2021

Oh, the docs are wrong. Okay, I didn't realize that, thanks for the explanation. #40176 sent me down an interesting rabbit hole ;-)

I'll try to create a PR for the docs in the next few days. I'll basically just have to re-apply symfony/symfony-docs#14992, seems easy enough.

@chalasr
Copy link
Member

chalasr commented Jun 9, 2021

Thanks! In case you struggle with something, just ping me on the symfony-devs slack :)

@pableu pableu mentioned this pull request Jun 10, 2021
Merged
javiereguiluz added a commit to symfony/symfony-docs that referenced this pull request Jun 11, 2021
@javiereguiluz
minor #15430 [Security] Update description of password hasher config …
74e53fb 
…(pableu)

This PR was merged into the 5.3 branch.

Discussion
----------

[Security] Update description of password hasher config

The description of the password hashers in the reference isn't up to date for Symfony 5.3.

"Auto" now always uses bcrypt (see #14980 and #14992), but it  wasn't reflected here. I initially thought this was a bug in the password hasher component itself and created a symfony/symfony#41646, but I've since learned that the switch to bcrypt was intentional :-)

I updated all the hasher descriptions a bit and removed the part about sodium before PHP 7.2 because Symfony 5.3 requires PHP >= 7.2. I also added an extra paragraph for the bcrypt hasher because it was a bit mixed into the description of the "auto" hasher.

Commits
-------

d404d19 [Security] update description of password hasher config
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
PasswordHasher Status: Needs Review
Projects
None yet
Milestone
5.3
Development

Successfully merging this pull request may close these issues.
3 participants
@pableu @chalasr @carsonbot