Next Major Release - A Suggestion #22
Conversation
Pull Request Test Coverage Report for Build 126
💛 - Coveralls |
Pull Request Test Coverage Report for Build 143
💛 - Coveralls |
|
Hello. Thanks for the PR. However, I'm a little concerned that this seems very complex for just allowing developers to use a custom client and cache. I have implemented the ability to use a custom PSR-6 cache library in #23. I think this is somewhat simpler. In regards to allowing a customer client, I was thinking of just allowing a PSR-18 compliant client to be passed into the constructor, rather than a guzzle client. We could that create a small PSR-18 adapter for guzzle, that the package would use if a custom client was not provided. What are you thoughts? |
|
Hey, thanks for your reply
It's not as complicated as it looks. I just added PHP7 typing, implemented an abstract class, added an interface, and implemented getter methods.
Thats good but...
.. I've already done all that. I used PSR-6 and PSR-18 for the constructor as well as the getter methods and PSR-7/PSR-17 for request generation. The Guzzle-Client-Adapter based on PSR-18 and your own cache implementation based on PSR-6 will only be created if you don't pass your own in the constructor. The abstract class is for other developers to make their own customizations and implementations.
Since the changes seem to be multi-layered, the PHP version will be raised and various PSR standards will be introduced, I would suggest to make version 3.0 out of it. The PHP Unit tests are all successful. The public methods are the same. Only the signature of the constructor has changed slightly. Otherwise, all changes only affect the inner workings of the classes. What do you say? |
|
Hi. Thanks for your detailed reply. Much appreciated. I'll re-review your code, hopefully this weekend, and get back to you. 👍 Thanks again. |
|
I have to thank you ;) |
|
I've noticed in the Even without this benefit, the current approach is using a Would you be okay to tweak your code to adopt the existing caching system (the response body, rather than the password exposed status)? Hope this makes sense. |
|
Hey, I get what you mean. Changed it so that the status is stored to the hash in the cache and additionally hashed the cache key again. I just want to avoid unnecessary overhead. Do you agree? |
|
Hi there, I'm afraid I'd still prefer the API body response to be cached rather than the status. Although I understand that the way you've implemented this reduces the overhead of parsing the response into a status, it also means that you are creating a directory containing the SHA1 hashes of every password attempted. I'd consider this to be something of a security risk, as it exposes the passwords in a far less secure manner than the hash formats most web applications will store their passwords (usually with bcrypt or similar). SHA1 password hashes, especially those without salts, are very easy to crack or lookup in rainbow table. Although somewhat less optimised, this was a deliberate implementation decision for security. Does this make sense? |
|
Hey, okay :) At the moment I can't think of any other option. Do you have any other comments? |
|
This looks great, thank you. My only two additional suggestion, which are not critical, but would be nice to have are the following.
However, if you could resolve the Travis CI and StyleCI issues, I will look at getting this merged. Thanks again. |
|
Take a look. If you allow it, please open a new repository called "DivineOmega/password-exposed-bundle" and give me write permission. Would like to write a Symfony bundle. |
|
I'll get this merged in shortly. I might have to tweak a few things related to the tests before release, but other than that looks great. Thank you for your work on this. I've created a repo for the Symfony bundle and provided you with write access. https://github.com/DivineOmega/symfony-password-exposed-bundle |
|
v3.0.0 now released. 🎉 https://github.com/DivineOmega/password_exposed/releases/tag/v3.0.0 |
|
Yeah, cool :) |
Hello,
It's me again ;)
Actually this PR shouldn't be so big, but somehow it happened.
I would implement this library into my own projects, but wanted to use my own HTTP client and cache provider. This was not possible in the original version. So I made some changes to make it possible. Some new dependencies need PHP7 to run. That's why I increased the minimum version to 7.1 in this PR. Additionally I added some help functions and an abstract class and interface. This allows developers to make their own implementations as needed.
Think of it as a kind of beta for version 3. I haven't adapted the Readme yet.
Just check it out and give me feedback.
If you would accept the PR i would write a Symfony bridge to ;)
Best regards.