Restore eraseCredentials() for Symfony 7.3 compatibility (until Symfony 8.0) and clear plainPassword manually #2186
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… clear plainPassword after hashing - Re-adds the eraseCredentials() method to the User entity, which is still required by the UserInterface in Symfony 7.3. Although deprecated since Symfony 7.1, it must remain until Symfony 8.0 for compatibility. - Adds a manual clearing of the plainPassword field in the password processor after hashing. Since eraseCredentials() is no longer called automatically, sensitive data must now be cleared explicitly to avoid leaving passwords in memory or logs.
|
thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR updates the user authentication example to ensure compatibility with Symfony 7.3 and apply current security best practices:
Restores the
eraseCredentials()method in theUserentity:Although deprecated since Symfony 7.1, the method is still required by the
UserInterfacein Symfony 7.3.It will be removed in Symfony 8.0, but must remain for now to avoid runtime errors.
Manually clears the
plainPasswordfield in the processor after hashing:Since
eraseCredentials()is no longer called automatically, it's now the developer’s responsibility to ensure sensitive data is cleared.This avoids leaving passwords in memory or exposing them via logs, exceptions, or debug tools.
These changes make the example code functional and secure across current Symfony versions.