Regex validator in annotation is inconsistent with the one in PHP

[lashae]

I'm building an application on Symfony 3.2

On one part of the application I'm providing an interface my users to change their passwords. For this task, I have a simple form which is bound to my ChangePasword entity as follows.

Form class:

    <?php
    
    namespace MasterBundle\Form;
    
    use Symfony\Component\Form\AbstractType;
    use Symfony\Component\Form\Extension\Core\Type\PasswordType;
    use Symfony\Component\Form\FormBuilderInterface;
    use Symfony\Component\OptionsResolver\OptionsResolver;
    
    class ChangePasswordType extends AbstractType
    {
        public function buildForm(FormBuilderInterface $builder, array $options)
        {
            $builder
                ->add('oldPassword', PasswordType::class)
                ->add('newPassword', PasswordType::class);
        }
    
        /**
         * @param OptionsResolver $resolver
         */
        public function configureOptions(OptionsResolver $resolver)
        {
            $resolver->setDefaults(
                array(
                    'data_class' => 'MasterBundle\Entity\ChangePassword'
                )
            );
        }
    
        public function getBlockPrefix()
        {
            return 'change_password';
        }
    } 

And the model:

    <?php
    
    namespace MasterBundle\Entity;
    
    use Symfony\Component\Validator\Constraints as Assert;
    use Symfony\Component\Security\Core\Validator\Constraints\UserPassword;
    
    class ChangePassword
    {
    
        /**
         * @UserPassword(message="Your current password is not correct.")
         */
        private $oldPassword;
    
        /**
         * @Assert\NotBlank(message="New password can not be blank.")
         * @Assert\Regex(pattern="/^(?=.*[a-z])(?=.*\\d).{6,}$/i", message="New password is required to be minimum 6 chars in length and to include at least one letter and one number.")
         */
        private $newPassword;
    
    // other setter and getter stuff.
    }

Now, the problem is the regex validator doesn't work. It doesn't match with anything.

However, if I modify the model as below; it works flawlessly:

    <?php
    
    namespace MasterBundle\Entity;
    
    use Symfony\Component\Validator\Constraints as Assert;
    use Symfony\Component\Security\Core\Validator\Constraints\UserPassword;
    use Symfony\Component\Validator\Mapping\ClassMetadata;
    
    class ChangePassword
    {
    
        private $oldPassword;
    
        private $newPassword;
    
    public static function loadValidatorMetadata(ClassMetadata $metadata)
    {
        $metadata->addPropertyConstraint('oldPassword', new Userpassword(array(
            'message' => 'Your current password is not correct.',
        )));

        $metadata->addPropertyConstraint('newPassword', new Assert\NotBlank(array(
            'message' => 'New password can not be blank.',
        )));

        $metadata->addPropertyConstraint('newPassword', new Assert\Regex(array(
            'pattern' => '/^(?=.*[a-z])(?=.*\\d).{6,}$/i',
            'message' => 'New password is required to be minimum 6 chars in length and to include at least one letter and one number.'
        )));
    }

    // other setter and getter stuff.
    }

Further debugging yield that:

For this specific regular expression, the one in the annotation should not escape \d bit, however in the PHP implementation (ie using loadValidatorMetadata) we need to escape it.

If I edit the model which implemented the constraint in annotation as follows, it works:

    /**
     * @Assert\NotBlank(message="New password can not be blank.")
     * @Assert\Regex(pattern="/^(?=.*[a-z])(?=.*\d).{6,}$/i", message="New password is required to be minimum 6 chars in length and to include at least one letter and one number.")
     */
    private $newPassword;

Just edit /^(?=.*[a-z])(?=.*\\d).{6,}$/i to /^(?=.*[a-z])(?=.*\d).{6,}$/i

This seems to inconsistent. If the regex within the annotation is escaped by Symfony than the one in PHP have to be escaped as well or vice versa.

I think the annotation, yaml, xml and PHP implementations need to be identical whereas possible (except for platform limitations) and the documentation should emphasize all of the inconsistencies as verbose as possible.

[sstok]

FYI, there is also a bundle that validate the strength of your https://github.com/rollerworks/PasswordStrengthBundle

And there is a repeated type for Passwords in Symfony that displays two password fields (that must be the same). https://symfony.com/doc/current/reference/forms/types/repeated.html#main

[xabbuh]

I may be missing something, but why do you need to escape the backslash in the regex in your PHP example?

[lashae]

@xabbuh I don't know either. It works as expected only when it is escaped, in PHP.

[javiereguiluz]

I agree with @xabbuh. I can't understand why \d must be \\d to work. I must be missing something 😕

[sstok]

Maybe it's related to how Doctrine parses the string, properly new-lines \n should still be supported. Not to mention special characters.

[xabbuh]

@lashae I was not able to reproduce your issue. Can you please create a small example project that show the bug you are experiencing?

[lashae]

@xabbuh I created an example isolated project and (un)fortunately I cannot reproduce the error either. Interestingly, both validation rules (annotation and php) works with no-escape and unlimited number of escapes...

We can close the issue, sorry for the noise.