
Fresh encoded password is immediately not valid #35002

Closed
leik-software opened this issue Dec 17, 2019 · 2 comments

Comments


leik-software commented Dec 17, 2019

Symfony version(s) affected: v4.4.1 (symfony/security-bundle)

Description
I have a console import job, which creates new user objects with an insert query like this:

```php
protected function createNewUser(array $partnerRow): void
{
    $userInsertSql =
        'INSERT INTO user (enabled, password, ...)
        VALUES (:enabled, :password, ...)';

    $stmt = $this->connection->prepare(
        $userInsertSql
    );
    $stmt->bindValue(':enabled', ('J' === $partnerRow['ACTIVE'] ? 1 : 0), \PDO::PARAM_INT);
    $stmt->bindValue(':password', $this->getHashedPassword($partnerRow['CLEARPASSWORD'] ?? '', new User()), \PDO::PARAM_STR);
    $stmt->execute();
}

protected function getHashedPassword(string $plainPassword, User $user): string
{
    return $this->passwordEncoder->encodePassword($user, $plainPassword);
}
```

Then I have a custom LoginFormAuthenticator which does this:

```php
if (!$this->passwordEncoder->isPasswordValid($user, $credentials['password'])) {
    throw new CustomUserMessageAuthenticationException(
        $this->translator->trans('login wrong password')
    );
}
```

The passwordEncoder is Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface, which leads to MigratingPasswordEncoder, which has NativePasswordEncoder as $bestEncoder. I dumped this both while creating the user and in the login process.

The created password is

$argon2id$v=19$m=10240,t=3,p=1$ai9tZ2JMbkpuazBNOGNnNg$UVqcmhAA/vqPJ88RfpKjJ3zYfaro/6YOGcLAUf7G/38

But the login only works if I change it to

$2y$13$gEXunMWrg5Rg14UkdzX23uvY6uPE8Whd5.EgmCbSnR/c2qSBjeTa2

security.yaml:

```yaml
encoders:
    App\Entity\User:
        algorithm: auto
        cost: 4
        memory_cost: 10240
        time_cost: 3
```

We updated from v4.3.2. This code worked for the last 2 years and now I don't know how to deal with it. I checked some related issues but found nothing that would match my problem.

#31758
#32166
#34113

Member

chalasr commented Dec 17, 2019

@leik-software Can you paste a clear password along with its (invalid) hash?

@leik-software (Author)

@chalasr you guided me to the solution. I found out that my user comes with a null password value from the source data. I am very sorry, I should have checked that. With non-null passwords everything works.
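The failure mode this thread ends on, as an added example (not code from the issue or from Symfony): plain PHP `password_hash()`/`password_verify()`, which is what Symfony's NativePasswordEncoder wraps, with the issue's Argon2id parameters. It assumes PHP built with Argon2 support; `$sourceRows` and the `hashPasswordStrict` guard are constructed for the example.

```php
<?php
// Added example, not from the issue: a null source password coalesced with "?? ''"
// produces a perfectly valid-looking argon2id hash of the empty string, so the
// import succeeds silently and every real login against that row fails.
declare(strict_types=1);

// Same parameters as the issue's security.yaml (memory_cost is in KiB).
const HASH_OPTIONS = ['memory_cost' => 10240, 'time_cost' => 3, 'threads' => 1];

// Mirrors the original import code: null quietly becomes the empty string.
function hashPassword(?string $plain): string
{
    return password_hash($plain ?? '', PASSWORD_ARGON2ID, HASH_OPTIONS);
}

// Hardened variant (assumed name): refuse to import a row without a usable password
// instead of storing a hash that only the empty string can ever satisfy.
function hashPasswordStrict(?string $plain): string
{
    if ($plain === null || $plain === '') {
        throw new InvalidArgumentException('refusing to hash an empty password');
    }
    return password_hash($plain, PASSWORD_ARGON2ID, HASH_OPTIONS);
}

// Constructed sample rows; the second one is the case that broke the import.
$sourceRows = [
    ['ACTIVE' => 'J', 'CLEARPASSWORD' => 'correct horse'],
    ['ACTIVE' => 'J', 'CLEARPASSWORD' => null],
];

foreach ($sourceRows as $i => $row) {
    $hash = hashPassword($row['CLEARPASSWORD']);
    // Both hashes start with "$argon2id$v=19$m=10240,t=3,p=1$", nothing looks wrong.
    printf("row %d: %s...\n", $i, substr($hash, 0, 31));
    // Only the string that was actually hashed verifies: the real password for
    // row 0, and the empty string for row 1.
    printf("  'correct horse' valid: %s\n", password_verify('correct horse', $hash) ? 'yes' : 'no');
    printf("  ''              valid: %s\n", password_verify('', $hash) ? 'yes' : 'no');

    try {
        hashPasswordStrict($row['CLEARPASSWORD']);
        echo "  strict import: accepted\n";
    } catch (InvalidArgumentException $e) {
        echo "  strict import: rejected ({$e->getMessage()})\n";
    }
}
```

The same check belongs in the import job before `encodePassword()` is called, since the encoder itself has no way to tell an intentionally empty password from missing source data.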
