[security-bundle/5.3] Configure auto password hasher
#981
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
ghost
deployed
to
Diff between recipe versionsThanks for the PR 😍 In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes. symfony/security-bundle3.3 vs 4.4diff --git a/symfony/security-bundle/3.3/config/packages/security.yaml b/symfony/security-bundle/4.4/config/packages/security.yaml
index f7ae4b7..811681e 100644
--- a/symfony/security-bundle/3.3/config/packages/security.yaml
+++ b/symfony/security-bundle/4.4/config/packages/security.yaml
@@ -7,7 +7,7 @@ security:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
- anonymous: true
+ anonymous: lazy
provider: users_in_memory
# activate different ways to authenticate4.4 vs 5.1diff --git a/symfony/security-bundle/4.4/config/packages/security.yaml b/symfony/security-bundle/5.1/config/packages/security.yaml
index 811681e..0e4cf3d 100644
--- a/symfony/security-bundle/4.4/config/packages/security.yaml
+++ b/symfony/security-bundle/5.1/config/packages/security.yaml
@@ -7,7 +7,8 @@ security:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
- anonymous: lazy
+ anonymous: true
+ lazy: true
provider: users_in_memory
# activate different ways to authenticate5.1 vs 5.3diff --git a/symfony/security-bundle/5.1/config/packages/security.yaml b/symfony/security-bundle/5.3/config/packages/security.yaml
index 0e4cf3d..7510cc1 100644
--- a/symfony/security-bundle/5.1/config/packages/security.yaml
+++ b/symfony/security-bundle/5.3/config/packages/security.yaml
@@ -1,4 +1,9 @@
security:
+ # https://symfony.com/doc/current/security/experimental_authenticators.html
+ enable_authenticator_manager: true
+ # https://symfony.com/doc/current/security.html#c-hashing-passwords
+ password_hashers:
+ Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers:
users_in_memory: { memory: null }
@@ -7,7 +12,6 @@ security:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
- anonymous: true
lazy: true
provider: users_in_memory
|
derrabus
approved these changes
Aug 11, 2021
wouterj
approved these changes
Aug 11, 2021
Tobion
approved these changes
Aug 11, 2021
fabpot
approved these changes
Aug 12, 2021
leofeyer
pushed a commit
to contao/contao
that referenced
this pull request
Aug 24, 2023
Description ----------- In Symfony 5.3 this config was added to the default security config in order to enable the `auto` password hasher for all user classes that implement this interface (see symfony/recipes#981) - which `Contao\User` also implements. I think we should do the same in the `contao/managed-edition`. This way you don't have to define this yourself in case you are using HTTP Basic Authentication for some controller outside Contao's own firewalls. For instance, in [this example](#6220 (comment)) the line ```php $extensionConfig['password_hashers'][InMemoryUser::class] = 'auto'; ``` could be omitted then. Commits ------- 84c6d47 set auto password hasher to auto for all ab0a671 also set password hasher for Contao\User specifically 593d244 update README and test config
leofeyer
pushed a commit
to contao/core-bundle
that referenced
this pull request
Aug 24, 2023
Description ----------- In Symfony 5.3 this config was added to the default security config in order to enable the `auto` password hasher for all user classes that implement this interface (see symfony/recipes#981) - which `Contao\User` also implements. I think we should do the same in the `contao/managed-edition`. This way you don't have to define this yourself in case you are using HTTP Basic Authentication for some controller outside Contao's own firewalls. For instance, in [this example](contao/contao#6220 (comment)) the line ```php $extensionConfig['password_hashers'][InMemoryUser::class] = 'auto'; ``` could be omitted then. Commits ------- 84c6d47a set auto password hasher to auto for all ab0a6719 also set password hasher for Contao\User specifically 593d2448 update README and test config
leofeyer
pushed a commit
to contao/manager-bundle
that referenced
this pull request
Aug 24, 2023
Description ----------- In Symfony 5.3 this config was added to the default security config in order to enable the `auto` password hasher for all user classes that implement this interface (see symfony/recipes#981) - which `Contao\User` also implements. I think we should do the same in the `contao/managed-edition`. This way you don't have to define this yourself in case you are using HTTP Basic Authentication for some controller outside Contao's own firewalls. For instance, in [this example](contao/contao#6220 (comment)) the line ```php $extensionConfig['password_hashers'][InMemoryUser::class] = 'auto'; ``` could be omitted then. Commits ------- 84c6d47a set auto password hasher to auto for all ab0a6719 also set password hasher for Contao\User specifically 593d2448 update README and test config
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR configures a default "auto" password hasher on 5.3.
If one creates a user class implementing
PasswordAuthenticatedUserInterface(i.e. authenticated via password), then one just has to use the password-hashing related services that are wired from this config.In case these services are not used anywhere, they are just removed from the container as usual.
Fixes symfony/symfony#42071