Skip to content

[Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator #39213

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fabpot merged 1 commit into from
Nov 30, 2020
Merged

[Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator #39213

fabpot merged 1 commit into from
Nov 30, 2020

Conversation

@wouterj
Copy link
Member

@wouterj wouterj commented Nov 28, 2020
edited
Loading

Q A
Branch? 5.2 (hopefully? sorry to keep pushing the barrier here)
Bug fix? no
New feature? yes (sort of)
Deprecations? no
Tickets -
License MIT
Doc PR -

These are 2 suggestions we found while implementing make:auth for the new system (symfony/maker-bundle#736):

Impact on a custom login form authenticator (as generated by the new maker):

  • Automatically add PasswordUpgradeBadge if there is a user password with valid password credentials. 
     // ...
 return new Passport(
     new UserBadge($userIdentifier),
     new PasswordCredentials($password),
     [
-        new PasswordUpgradeBadge($password),
         new CsrfTokenBadge('authenticate', $csrf),
     ]
 )
    Note that this does not automatically migrate all passwords: it still relies on PasswordUpgraderInterface to be implemented on the user loader/provider.
  • Add default implementation of AbstractFormLoginAuthenticator::support() 
    - public function supports(Request $request): ?bool
-  {
-      return self::LOGIN_ROUTE === $request->attributes->get('_route')
-          && $request->isMethod('POST');
- }

cc @weaverryan @jrushlow

@wouterj wouterj requested a review from chalasr as a code owner November 28, 2020 16:29
@carsonbot carsonbot added Status: Needs Review Security DX DX = Developer eXperience (anything that improves the experience of using Symfony) Feature labels Nov 28, 2020
@carsonbot carsonbot changed the title [Security][DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator [Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator Nov 28, 2020
@wouterj wouterj changed the base branch from 5.x to 5.2 November 28, 2020 16:30
derrabus
derrabus requested changes Nov 28, 2020
View reviewed changes
Copy link
Member

@derrabus derrabus left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can you have a look at the fabbot failures?

@wouterj wouterj force-pushed the security/maker-dx-improvements branch from afb08dd to b6f52f7 Compare November 28, 2020 19:21
@wouterj
Copy link
Member Author

wouterj commented Nov 28, 2020

Done! Sorry, I forgot to check the PR status after creating it.

@derrabus derrabus added this to the 5.2 milestone Nov 29, 2020
@fabpot
Copy link
Member

fabpot commented Nov 30, 2020

Thank you @wouterj.

@fabpot fabpot force-pushed the security/maker-dx-improvements branch from a50bdbc to 27450c0 Compare November 30, 2020 05:47
@fabpot fabpot merged commit ffd365b into symfony:5.2 Nov 30, 2020
This was referenced Nov 30, 2020
Closed
Merged
@jrushlow jrushlow mentioned this pull request Nov 30, 2020
Merged
@romaricdrigon romaricdrigon mentioned this pull request Dec 1, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@fabpot fabpot fabpot approved these changes

@derrabus derrabus derrabus approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

+3 more reviewers

@maxhelias maxhelias maxhelias approved these changes

@noniagriconomie noniagriconomie noniagriconomie approved these changes

@jrushlow jrushlow jrushlow approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

DX DX = Developer eXperience (anything that improves the experience of using Symfony) Feature Security Status: Reviewed

Projects

None yet

Milestone

5.2

Development

Successfully merging this pull request may close these issues.

7 participants

@wouterj @fabpot @derrabus @maxhelias @noniagriconomie @jrushlow @carsonbot