Automatically upgrade new password hashes (see #1027)

Description ----------- This will automatically upgrade bcrypt passwords to argon2 passwords when users log in (or whatever we will have in the future). Symfony FTW :) Implements #538. Commits ------- 729ae5d Automatically upgrade new password hashes 0a0b575 Add the is_a() check and fix the unit tests
contao · Nov 27, 2019 · 1a0bfef · 1a0bfef
1 parent 4dd809e
commit 1a0bfef
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 1 deletion.
diff --git a/core-bundle/src/Security/User/ContaoUserProvider.php b/core-bundle/src/Security/User/ContaoUserProvider.php
@@ -23,10 +23,11 @@
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 
-class ContaoUserProvider implements UserProviderInterface
+class ContaoUserProvider implements UserProviderInterface, PasswordUpgraderInterface
 {
     /**
      * @var ContaoFramework
@@ -106,6 +107,19 @@ public function supportsClass($class): bool
         return $this->userClass === $class;
     }
 
+    /**
+     * @param User $user
+     */
+    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    {
+        if (!is_a($user, $this->userClass)) {
+            throw new UnsupportedUserException(sprintf('Unsupported class "%s".', \get_class($user)));
+        }
+
+        $user->password = $newEncodedPassword;
+        $user->save();
+    }
+
     /**
      * Validates the session lifetime and logs the user out if the session has expired.
      *

diff --git a/core-bundle/tests/Security/User/ContaoUserProviderTest.php b/core-bundle/tests/Security/User/ContaoUserProviderTest.php
@@ -207,6 +207,35 @@ public function testDoesNotHandleUnknownUserClasses(): void
         $this->getProvider(null, 'LdapUser');
     }
 
+    public function testUpgradesPasswords(): void
+    {
+        /** @var BackendUser&MockObject $user */
+        $user = $this->mockClassWithProperties(BackendUser::class);
+        $user->username = 'foobar';
+        $user->password = 'superhash';
+
+        $user
+            ->expects($this->once())
+            ->method('save')
+        ;
+
+        $userProvider = $this->getProvider(null, BackendUser::class);
+        $userProvider->upgradePassword($user, 'newsuperhash');
+
+        $this->assertSame('newsuperhash', $user->password);
+    }
+
+    public function testFailsToUpgradePasswordsOfUnsupportedUsers(): void
+    {
+        $user = $this->createMock(UserInterface::class);
+        $provider = $this->getProvider();
+
+        $this->expectException(UnsupportedUserException::class);
+        $this->expectExceptionMessage(sprintf('Unsupported class "%s".', \get_class($user)));
+
+        $provider->upgradePassword($user, 'newsuperhash');
+    }
+
     /**
      * @group legacy
      *