[Security] Extract password hashing from security-core - using the right naming

Author: chalasr

Authentication/AuthenticationProviderManager.php

@@ -11,13 +11,15 @@
 
 namespace Symfony\Component\Security\Core\Authentication;
 
+use Symfony\Component\PasswordHasher\Exception\InvalidPasswordException;
 use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\AuthenticationEvents;
 use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
 use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
 use Symfony\Component\Security\Core\Exception\AccountStatusException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\ProviderNotFoundException;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 
@@ -89,6 +91,8 @@ public function authenticate(TokenInterface $token)
                 break;
             } catch (AuthenticationException $e) {
                 $lastException = $e;
+            } catch (InvalidPasswordException $e) {
+                $lastException = new BadCredentialsException('Bad credentials.', 0, $e);
             }
         }
 

Authentication/Provider/DaoAuthenticationProvider.php

@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;
 
 /**
  * DaoAuthenticationProvider uses a UserProviderInterface to retrieve the user
@@ -29,14 +30,21 @@
  */
 class DaoAuthenticationProvider extends UserAuthenticationProvider
 {
-    private $encoderFactory;
+    private $hasherFactory;
     private $userProvider;
 
-    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, string $providerKey, EncoderFactoryInterface $encoderFactory, bool $hideUserNotFoundExceptions = true)
+    /**
+     * @param PasswordHasherFactoryInterface $hasherFactory
+     */
+    public function __construct(UserProviderInterface $userProvider, UserCheckerInterface $userChecker, string $providerKey, $hasherFactory, bool $hideUserNotFoundExceptions = true)
     {
         parent::__construct($userChecker, $providerKey, $hideUserNotFoundExceptions);
 
-        $this->encoderFactory = $encoderFactory;
+        if ($hasherFactory instanceof EncoderFactoryInterface) {
+            trigger_deprecation('symfony/security-core', '5.3', 'Passing a "%s" instance to the "%s" constructor is deprecated, use "%s" instead.', EncoderFactoryInterface::class, __CLASS__, PasswordHasherFactoryInterface::class);
+        }
+
+        $this->hasherFactory = $hasherFactory;
         $this->userProvider = $userProvider;
     }
 
@@ -59,14 +67,29 @@ protected function checkAuthentication(UserInterface $user, UsernamePasswordToke
                 throw new BadCredentialsException('The presented password is invalid.');
             }
 
-            $encoder = $this->encoderFactory->getEncoder($user);
+            // deprecated since Symfony 5.3
+            if ($this->hasherFactory instanceof EncoderFactoryInterface) {
+                $encoder = $this->hasherFactory->getEncoder($user);
+
+                if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+                    throw new BadCredentialsException('The presented password is invalid.');
+                }
+
+                if ($this->userProvider instanceof PasswordUpgraderInterface && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {
+                    $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));
+                }
+
+                return;
+            }
+
+            $hasher = $this->hasherFactory->getPasswordHasher($user);
 
-            if (!$encoder->isPasswordValid($user->getPassword(), $presentedPassword, $user->getSalt())) {
+            if (!$hasher->verify($user->getPassword(), $presentedPassword, $user->getSalt())) {
                 throw new BadCredentialsException('The presented password is invalid.');
             }
 
-            if ($this->userProvider instanceof PasswordUpgraderInterface && method_exists($encoder, 'needsRehash') && $encoder->needsRehash($user->getPassword())) {
-                $this->userProvider->upgradePassword($user, $encoder->encodePassword($presentedPassword, $user->getSalt()));
+            if ($this->userProvider instanceof PasswordUpgraderInterface && $hasher->needsRehash($user->getPassword())) {
+                $this->userProvider->upgradePassword($user, $hasher->hash($presentedPassword, $user->getSalt()));
             }
         }
     }

Encoder/BasePasswordEncoder.php

@@ -11,10 +11,16 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+trigger_deprecation('symfony/security-core', '5.3', sprintf('The "%s" class is deprecated, use "%s" instead.', BasePasswordEncoder::class, CheckPasswordLengthTrait::class));
+
+use Symfony\Component\PasswordHasher\Hasher\CheckPasswordLengthTrait;
+
 /**
  * BasePasswordEncoder is the base class for all password encoders.
  *
  * @author Fabien Potencier <[email protected]>
+ *
+ * @deprecated since Symfony 5.3, use CheckPasswordLengthTrait instead
  */
 abstract class BasePasswordEncoder implements PasswordEncoderInterface
 {

Encoder/EncoderAwareInterface.php

@@ -11,8 +11,12 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherAwareInterface;
+
 /**
  * @author Christophe Coevoet <[email protected]>
+ *
+ * @deprecated since Symfony 5.3, use {@link PasswordHasherAwareInterface} instead.
  */
 interface EncoderAwareInterface
 {

Encoder/EncoderFactory.php

@@ -11,12 +11,18 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+trigger_deprecation('symfony/security-core', '5.3', sprintf('The "%s" class is deprecated, use "%s" instead.', EncoderFactory::class, PasswordHasherFactory::class));
+
 use Symfony\Component\Security\Core\Exception\LogicException;
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherAwareInterface;
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
 
 /**
  * A generic encoder factory implementation.
  *
  * @author Johannes M. Schmitt <[email protected]>
+ *
+ * @deprecated since Symfony 5.3, use {@link PasswordHasherFactory} instead
  */
 class EncoderFactory implements EncoderFactoryInterface
 {
@@ -34,7 +40,7 @@ public function getEncoder($user)
     {
         $encoderKey = null;
 
-        if ($user instanceof EncoderAwareInterface && (null !== $encoderName = $user->getEncoderName())) {
+        if (($user instanceof PasswordHasherAwareInterface && null !== $encoderName = $user->getPasswordHasherName()) || ($user instanceof EncoderAwareInterface && null !== $encoderName = $user->getEncoderName())) {
             if (!\array_key_exists($encoderName, $this->encoders)) {
                 throw new \RuntimeException(sprintf('The encoder "%s" was not configured.', $encoderName));
             }

Encoder/EncoderFactoryInterface.php

@@ -11,12 +11,17 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+trigger_deprecation('symfony/security-core', '5.3', sprintf('The "%s" class is deprecated, use "%s" instead.', EncoderFactoryInterface::class, PasswordHasherFactoryInterface::class));
+
 use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;
 
 /**
  * EncoderFactoryInterface to support different encoders for different accounts.
  *
  * @author Johannes M. Schmitt <[email protected]>
+ *
+ * @deprecated since Symfony 5.3, use {@link PasswordHasherFactoryInterface} instead
  */
 interface EncoderFactoryInterface
 {

Encoder/LegacyEncoderTrait.php

@@ -0,0 +1,56 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Encoder;
+
+use Symfony\Component\PasswordHasher\Exception\InvalidPasswordException;
+use Symfony\Component\PasswordHasher\LegacyPasswordHasherInterface;
+use Symfony\Component\PasswordHasher\PasswordHasherInterface;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+
+/**
+ * @internal
+ */
+trait LegacyEncoderTrait
+{
+    /**
+     * @var PasswordHasherInterface|LegacyPasswordHasherInterface
+     */
+    private $hasher;
+
+    /**
+     * {@inheritdoc}
+     */
+    public function encodePassword(string $raw, ?string $salt): string
+    {
+        try {
+            return $this->hasher->hash($raw, $salt);
+        } catch (InvalidPasswordException $e) {
+            throw new BadCredentialsException('Bad credentials.');
+        }
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function isPasswordValid(string $encoded, string $raw, ?string $salt): bool
+    {
+        return $this->hasher->verify($encoded, $raw, $salt);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function needsRehash(string $encoded): bool
+    {
+        return $this->hasher->needsRehash($encoded);
+    }
+}

Encoder/MessageDigestPasswordEncoder.php

@@ -11,19 +11,20 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
-use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+trigger_deprecation('symfony/security-core', '5.3', sprintf('The "%s" class is deprecated, use "%s" instead.', MessageDigestPasswordEncoder::class, MessageDigestPasswordHasher::class));
+
+use Symfony\Component\PasswordHasher\Hasher\MessageDigestPasswordHasher;
 
 /**
  * MessageDigestPasswordEncoder uses a message digest algorithm.
  *
  * @author Fabien Potencier <[email protected]>
+ *
+ * @deprecated since Symfony 5.3, use {@link MessageDigestPasswordHasher} instead
  */
 class MessageDigestPasswordEncoder extends BasePasswordEncoder
 {
-    private $algorithm;
-    private $encodeHashAsBase64;
-    private $iterations = 1;
-    private $encodedLength = -1;
+    use LegacyEncoderTrait;
 
     /**
      * @param string $algorithm          The digest algorithm to use
@@ -32,51 +33,6 @@ class MessageDigestPasswordEncoder extends BasePasswordEncoder
      */
     public function __construct(string $algorithm = 'sha512', bool $encodeHashAsBase64 = true, int $iterations = 5000)
     {
-        $this->algorithm = $algorithm;
-        $this->encodeHashAsBase64 = $encodeHashAsBase64;
-
-        try {
-            $this->encodedLength = \strlen($this->encodePassword('', 'salt'));
-        } catch (\LogicException $e) {
-            // ignore algorithm not supported
-        }
-
-        $this->iterations = $iterations;
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function encodePassword(string $raw, ?string $salt)
-    {
-        if ($this->isPasswordTooLong($raw)) {
-            throw new BadCredentialsException('Invalid password.');
-        }
-
-        if (!\in_array($this->algorithm, hash_algos(), true)) {
-            throw new \LogicException(sprintf('The algorithm "%s" is not supported.', $this->algorithm));
-        }
-
-        $salted = $this->mergePasswordAndSalt($raw, $salt);
-        $digest = hash($this->algorithm, $salted, true);
-
-        // "stretch" hash
-        for ($i = 1; $i < $this->iterations; ++$i) {
-            $digest = hash($this->algorithm, $digest.$salted, true);
-        }
-
-        return $this->encodeHashAsBase64 ? base64_encode($digest) : bin2hex($digest);
-    }
-
-    /**
-     * {@inheritdoc}
-     */
-    public function isPasswordValid(string $encoded, string $raw, ?string $salt)
-    {
-        if (\strlen($encoded) !== $this->encodedLength || false !== strpos($encoded, '$')) {
-            return false;
-        }
-
-        return !$this->isPasswordTooLong($raw) && $this->comparePasswords($encoded, $this->encodePassword($raw, $salt));
+        $this->hasher = new MessageDigestPasswordHasher($algorithm, $encodeHashAsBase64, $iterations);
     }
 }

Encoder/MigratingPasswordEncoder.php

@@ -11,6 +11,10 @@
 
 namespace Symfony\Component\Security\Core\Encoder;
 
+trigger_deprecation('symfony/security-core', '5.3', sprintf('The "%s" class is deprecated, use "%s" instead.', MigratingPasswordEncoder::class, MigratingPasswordHasher::class));
+
+use Symfony\Component\PasswordHasher\Hasher\MigratingPasswordHasher;
+
 /**
  * Hashes passwords using the best available encoder.
  * Validates them using a chain of encoders.
@@ -19,12 +23,11 @@
  * could be used to authenticate successfully without knowing the cleartext password.
  *
  * @author Nicolas Grekas <[email protected]>
+ *
+ * @deprecated since Symfony 5.3, use {@link MigratingPasswordHasher} instead
  */
 final class MigratingPasswordEncoder extends BasePasswordEncoder implements SelfSaltingEncoderInterface
 {
-    private $bestEncoder;
-    private $extraEncoders;
-
     public function __construct(PasswordEncoderInterface $bestEncoder, PasswordEncoderInterface ...$extraEncoders)
     {
         $this->bestEncoder = $bestEncoder;