[make:user] Use password_hashers instead of encoders

And also improve the position of this config when "enable_authenticator_manager" is the first option.

Author: wouterj

src/Maker/MakeUser.php

@@ -31,6 +31,7 @@
 use Symfony\Component\Console\Input\InputArgument;
 use Symfony\Component\Console\Input\InputInterface;
 use Symfony\Component\Console\Input\InputOption;
+use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
 use Symfony\Component\Security\Core\Encoder\Argon2iPasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
@@ -116,6 +117,11 @@ class_exists(DoctrineBundle::class)
         $userWillHavePassword = $io->confirm('Does this app need to hash/check user passwords?');
         $input->setOption('with-password', $userWillHavePassword);
 
+        $symfonyGte53 = class_exists(NativePasswordHasher::class);
+        if ($symfonyGte53) {
+            return;
+        }
+
         if ($userWillHavePassword && !class_exists(NativePasswordEncoder::class) && Argon2iPasswordEncoder::isSupported()) {
             $io->writeln('The newer <comment>Argon2i</comment> password hasher requires PHP 7.2, libsodium or paragonie/sodium_compat. Your system DOES support this algorithm.');
             $io->writeln('You should use <comment>Argon2i</comment> unless your production system will not support it.');

src/Resources/skeleton/security/UserProvider.tpl.php

@@ -62,13 +62,13 @@ public function supportsClass($class)
 <?php if ($password_upgrader): ?>
 
     /**
-     * Upgrades the encoded password of a user, typically for using a better hash algorithm.
+     * Upgrades the hashed password of a user, typically for using a better hash algorithm.
      */
-    public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
+    public function upgradePassword(UserInterface $user, string $newHashedPassword): void
     {
-        // TODO: when encoded passwords are in use, this method should:
+        // TODO: when hashed passwords are in use, this method should:
         // 1. persist the new password in the user storage
-        // 2. update the $user object with $user->setPassword($newEncodedPassword);
+        // 2. update the $user object with $user->setPassword($newHashedPassword);
     }
 <?php endif ?>
 }

src/Security/SecurityConfigUpdater.php

@@ -13,7 +13,9 @@
 
 use Symfony\Bundle\MakerBundle\Util\YamlSourceManipulator;
 use Symfony\Component\HttpKernel\Log\Logger;
+use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
+use function array_key_first;
 
 /**
  * @author Ryan Weaver   <ryan@symfonycasts.com>
@@ -50,7 +52,8 @@ public function updateForUserClass(string $yamlSource, UserClassConfiguration $u
         $this->updateProviders($userConfig, $userClass);
 
         if ($userConfig->hasPassword()) {
-            $this->updateEncoders($userConfig, $userClass);
+            $symfonyGte53 = class_exists(NativePasswordHasher::class);
+            $this->updatePasswordHashers($userConfig, $userClass, $symfonyGte53 ? 'password_hashers' : 'encoders');
         }
 
         $contents = $this->manipulator->getContents();
@@ -175,18 +178,34 @@ private function updateProviders(UserClassConfiguration $userConfig, string $use
         $this->manipulator->setData($newData);
     }
 
-    private function updateEncoders(UserClassConfiguration $userConfig, string $userClass)
+    private function updatePasswordHashers(UserClassConfiguration $userConfig, string $userClass, string $keyName = 'password_hashers')
     {
         $newData = $this->manipulator->getData();
-        if (!isset($newData['security']['encoders'])) {
-            // encoders is usually the first key, by convention
-            $newData['security'] = ['encoders' => []] + $newData['security'];
+        if ('password_hashers' === $keyName && isset($newData['security']['encoders'])) {
+            // fallback to "encoders" if the user already defined encoder config
+            $this->updatePasswordHashers($userClass, $userClass, 'encoders');
+
+            return;
+        }
+
+        if (!isset($newData['security'][$keyName])) {
+            // by convention, password_hashers are put before the user provider option
+            $providersIndex = array_search('providers', array_keys($newData['security']));
+            if (false === $providersIndex) {
+                $newData['security'] = [$keyName => []] + $newData['security'];
+            } else {
+                $newData['security'] = array_merge(
+                    array_slice($newData['security'], 0, $providersIndex),
+                    [$keyName => []],
+                    array_slice($newData['security'], $providersIndex)
+                );
+            }
         }
 
-        $newData['security']['encoders'][$userClass] = [
-            'algorithm' => $userConfig->shouldUseArgon2() ? 'argon2i' : (class_exists(NativePasswordEncoder::class) ? 'auto' : 'bcrypt'),
+        $newData['security'][$keyName][$userClass] = [
+            'algorithm' => $userConfig->shouldUseArgon2() ? 'argon2i' : ((class_exists(NativePasswordHasher::class) || class_exists(NativePasswordEncoder::class)) ? 'auto' : 'bcrypt'),
         ];
-        $newData['security']['encoders']['_'] = $this->manipulator->createEmptyLine();
+        $newData['security'][$keyName]['_'] = $this->manipulator->createEmptyLine();
 
         $this->manipulator->setData($newData);
     }

tests/Security/SecurityConfigUpdaterTest.php

@@ -16,6 +16,7 @@
 use Symfony\Bundle\MakerBundle\Security\SecurityConfigUpdater;
 use Symfony\Bundle\MakerBundle\Security\UserClassConfiguration;
 use Symfony\Component\HttpKernel\Log\Logger;
+use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 
 class SecurityConfigUpdaterTest extends TestCase
@@ -48,9 +49,10 @@ public function testUpdateForUserClass(UserClassConfiguration $userConfig, strin
         $updater = new SecurityConfigUpdater($this->ysmLogger);
         $source = file_get_contents(__DIR__.'/yaml_fixtures/source/'.$startingSourceFilename);
         $actualSource = $updater->updateForUserClass($source, $userConfig, $userClass);
-        $expectedSource = file_get_contents(__DIR__.'/yaml_fixtures/expected_user_class/'.$expectedSourceFilename);
+        $symfonyVersion = class_exists(NativePasswordHasher::class) ? '5.3' : 'legacy';
+        $expectedSource = file_get_contents(__DIR__.'/yaml_fixtures/expected_user_class/'.$symfonyVersion.'/'.$expectedSourceFilename);
 
-        $bcryptOrAuto = class_exists(NativePasswordEncoder::class) ? 'auto' : 'bcrypt';
+        $bcryptOrAuto = ('5.3' === $symfonyVersion || class_exists(NativePasswordEncoder::class)) ? 'auto' : 'bcrypt';
         $expectedSource = str_replace('{BCRYPT_OR_AUTO}', $bcryptOrAuto, $expectedSource);
 
         $this->assertSame($expectedSource, $actualSource);
@@ -95,6 +97,18 @@ public function getUserClassTests()
             'simple_security_with_single_memory_provider_configured.yaml',
             'simple_security_with_single_memory_provider_configured.yaml',
         ];
+
+        yield 'security_52_empty_security' => [
+            new UserClassConfiguration(true, 'email', true),
+            'security_52_entity_email_with_password.yaml',
+            'security_52_empty_security.yaml',
+        ];
+
+        yield 'security_52_with_firewalls_and_logout' => [
+            new UserClassConfiguration(true, 'email', true),
+            'security_52_complex_entity_email_with_password.yaml',
+            'security_52_with_firewalls_and_logout.yaml',
+        ];
     }
 
     /**

tests/Security/yaml_fixtures/expected_authenticator/empty_source.yaml

@@ -3,4 +3,4 @@ security:
         main:
             anonymous: lazy
             guard:
-                authenticators: [App\Security\AppCustomAuthenticator]
+                authenticators: [App\Security\AppCustomAuthenticator]

tests/Security/yaml_fixtures/expected_user_class/5.3/empty_source_model_email_with_password.yaml

@@ -0,0 +1,9 @@
+security:
+    password_hashers:
+        App\Security\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            id: App\Security\UserProvider

tests/Security/yaml_fixtures/expected_user_class/5.3/entity_email_with_password.yaml

@@ -0,0 +1,16 @@
+security:
+    password_hashers:
+        App\Entity\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            entity:
+                class: App\Entity\User
+                property: email
+
+    firewalls:
+        dev: ~
+        main: ~

tests/Security/yaml_fixtures/expected_user_class/entity_username_no_password.yaml renamed to tests/Security/yaml_fixtures/expected_user_class/5.3/entity_username_no_password.yaml

@@ -0,0 +1,16 @@
+security:
+    password_hashers:
+        App\Security\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        in_memory: { memory: ~ }
+        other_provider: { foo: true }
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            id: App\Security\UserProvider
+
+    firewalls:
+        dev: ~
+        main: ~

tests/Security/yaml_fixtures/expected_user_class/5.3/model_email_password_existing_providers.yaml

@@ -0,0 +1,14 @@
+security:
+    password_hashers:
+        App\Security\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            id: App\Security\UserProvider
+
+    firewalls:
+        dev: ~
+        main: ~

tests/Security/yaml_fixtures/expected_user_class/5.3/model_email_with_password.yaml

@@ -0,0 +1,21 @@
+security:
+    enable_authenticator_manager: true
+
+    password_hashers:
+        App\Entity\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            entity:
+                class: App\Entity\User
+                property: email
+
+    firewalls:
+        dev:
+            pattern: ^/(_(profiler|wdt)|css|images|js)/
+            security: false
+        main:
+            lazy: true

tests/Security/yaml_fixtures/expected_user_class/model_username_no_password.yaml renamed to tests/Security/yaml_fixtures/expected_user_class/5.3/model_username_no_password.yaml

@@ -0,0 +1,13 @@
+security:
+    enable_authenticator_manager: true
+
+    password_hashers:
+        App\Entity\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            entity:
+                class: App\Entity\User
+                property: email

tests/Security/yaml_fixtures/expected_user_class/5.3/security_52_complex_entity_email_with_password.yaml

@@ -0,0 +1,18 @@
+security:
+    password_hashers:
+        App\Entity\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            entity:
+                class: App\Entity\User
+                property: email
+
+    firewalls:
+        dev: ~
+        main:
+            anonymous: lazy
+            provider: app_user_provider

tests/Security/yaml_fixtures/expected_user_class/5.3/security_52_entity_email_with_password.yaml

@@ -6,4 +6,4 @@ security:
     providers:
         # used to reload user from session & other features (e.g. switch_user)
         app_user_provider:
-            id: App\Security\UserProvider
+            id: App\Security\UserProvider

tests/Security/yaml_fixtures/expected_user_class/5.3/simple_security_with_single_memory_provider_configured.yaml

@@ -0,0 +1,12 @@
+security:
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            entity:
+                class: App\Entity\User
+                property: username
+
+    firewalls:
+        dev: ~
+        main: ~

tests/Security/yaml_fixtures/expected_user_class/empty_source_model_email_with_password.yaml renamed to tests/Security/yaml_fixtures/expected_user_class/legacy/empty_source_model_email_with_password.yaml

@@ -0,0 +1,10 @@
+security:
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            id: App\Security\UserProvider
+
+    firewalls:
+        dev: ~
+        main: ~

tests/Security/yaml_fixtures/expected_user_class/entity_email_with_password.yaml renamed to tests/Security/yaml_fixtures/expected_user_class/legacy/entity_email_with_password.yaml

@@ -0,0 +1,21 @@
+security:
+    enable_authenticator_manager: true
+
+    encoders:
+        App\Entity\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            entity:
+                class: App\Entity\User
+                property: email
+
+    firewalls:
+        dev:
+            pattern: ^/(_(profiler|wdt)|css|images|js)/
+            security: false
+        main:
+            lazy: true

tests/Security/yaml_fixtures/expected_user_class/legacy/entity_username_no_password.yaml

@@ -0,0 +1,13 @@
+security:
+    enable_authenticator_manager: true
+
+    encoders:
+        App\Entity\User:
+            algorithm: {BCRYPT_OR_AUTO}
+
+    providers:
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            entity:
+                class: App\Entity\User
+                property: email

tests/Security/yaml_fixtures/expected_user_class/model_email_password_existing_providers.yaml renamed to tests/Security/yaml_fixtures/expected_user_class/legacy/model_email_password_existing_providers.yaml

@@ -1 +1 @@
-security: {}
+security: {}