user3746259

Reputation: 1581

FOSUserBundle BCryptPasswordEncoder salting

After an upgrade to php7, the BCryptPasswordEncoder throws the following error, e.g. on registration when using FOSUserBundle standard registration page:

"Use of the 'salt' option to password_hash is deprecated in C:\xampp\htdocs\ascentary \vendor\symfony\symfony\src\Symfony\Component\Security\Core\Encoder\BCryptPasswordEncoder.php line 81 " at C:\xampp\htdocs\testproject\vendor\behat\behat\src\Behat\Testwork\Call\Handler\RuntimeCallHandler."

I've tracked down this issue, and the problem is the FOS UserManager class, which calls:

/**
 * {@inheritDoc}
 */
public function updatePassword(UserInterface $user)
{
    if (0 !== strlen($password = $user->getPlainPassword())) {
        $encoder = $this->getEncoder($user);
        $user->setPassword($encoder->encodePassword($password, $user->getSalt()));
        $user->eraseCredentials();
    }
}

Passing $user->getSalt() here throws the error, because in PHP 7 you are no longer allowed to pass a custom salt to bcrypt encoding / the password_hash function. In addition, I see a problem in the base FOS user entity, because in its constructor the salt is set like:

$this->salt = base_convert(sha1(uniqid(mt_rand(), true)), 16, 36);

Questions:

(1) How do I solve the error I posted above? Maybe by overriding the UserManager, or is there a solution provided by FOS?

(2) How do I properly save the salt that is automatically generated?

(3) Are there any other updates required, like updating the ircmaxell lib?

Upvotes: 5

Views: 2193
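To make questions (1) and (2) concrete, here is an added example (my own code, not from the question, Symfony or FOSUserBundle). It shows that a bcrypt hash string already carries its cost and salt, so password_verify() needs nothing but the stored hash and a separate salt column has no role in verification. It also builds one hash the old way (an explicit FOS-style salt, reproduced with crypt() since that takes a salt without any deprecation) and one the new way (salt chosen by password_hash()), verifies both identically, and shows the login-time password_needs_rehash() check that upgrades old hashes transparently. Function names and the sample password are assumptions made for this example.

```php
<?php
declare(strict_types=1);

// Added example: not code from the question, Symfony or FOSUserBundle.
// Shows that the bcrypt salt lives inside the hash string, that hashes made
// with an explicit FOS-style salt and with an auto-generated salt verify the
// same way, and how to rehash weak hashes at login. Names are my own.

/**
 * Reproduces the old behaviour of feeding the FOS salt to bcrypt. crypt()
 * always takes a setting string, so this is not deprecated; it is equivalent
 * to the 'salt' option, which used the first 22 chars of the salt provided
 * they were within the bcrypt alphabet ./0-9A-Za-z.
 */
function legacyFosStyleHash(string $plain, string $fosSalt, int $cost = 12): string
{
    // FOS salts are ~31 chars of [0-9a-z] (base36), all inside the bcrypt alphabet.
    if (strlen($fosSalt) < 22 || !preg_match('#^[./0-9A-Za-z]+$#', $fosSalt)) {
        throw new InvalidArgumentException('salt must be >= 22 chars of ./0-9A-Za-z');
    }
    $setting = sprintf('$2y$%02d$%s', $cost, substr($fosSalt, 0, 22));
    $hash = crypt($plain, $setting);
    // crypt() returns "*0" or a short string on failure; a bcrypt hash is 60 chars.
    if (strlen($hash) !== 60 || strncmp($hash, '$2y$', 4) !== 0) {
        throw new RuntimeException('bcrypt failed');
    }
    return $hash;
}

/** The current approach: let password_hash() choose a random salt. */
function currentHash(string $plain, int $cost = 12): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => $cost]);
}

/** Splits a $2y$ bcrypt string into cost, salt and digest to make the embedded salt visible. */
function parseBcrypt(string $hash): array
{
    if (!preg_match('#^\$2y\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$#', $hash, $m)) {
        throw new InvalidArgumentException('not a $2y$ bcrypt hash');
    }
    return ['cost' => (int) $m[1], 'salt' => $m[2], 'digest' => $m[3]];
}

/**
 * Login-time check: verify against the stored hash only, and return a fresh
 * hash when the stored one is weaker than the current cost policy, so the
 * caller can persist it (transparent upgrade of legacy hashes).
 */
function verifyAndMaybeRehash(string $plain, string $storedHash, int $targetCost = 12): array
{
    if (!password_verify($plain, $storedHash)) {
        return ['ok' => false, 'newHash' => null];
    }
    $newHash = password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => $targetCost])
        ? currentHash($plain, $targetCost)
        : null;
    return ['ok' => true, 'newHash' => $newHash];
}

// --- demonstration with constructed sample data ---
$plain = 'correct horse battery staple';
// Same recipe the FOS base entity used (cast added for strict_types).
$fosSalt = base_convert(sha1(uniqid((string) mt_rand(), true)), 16, 36);

$legacy  = legacyFosStyleHash($plain, $fosSalt, 10);
$current = currentHash($plain, 12);

foreach (['legacy (FOS salt)' => $legacy, 'current (auto salt)' => $current] as $label => $hash) {
    $parts = parseBcrypt($hash);
    printf("%-20s cost=%d salt=%s\n", $label, $parts['cost'], $parts['salt']);
    // No salt column is consulted: the hash string carries its own salt.
    var_dump(password_verify($plain, $hash));
    var_dump(password_verify('wrong password', $hash));
}

// A legacy hash at cost 10 verifies and is rehashed at cost 12 on login.
$result = verifyAndMaybeRehash($plain, $legacy, 12);
var_dump($result['ok'], $result['newHash'] !== null);
```

Because both hash forms are plain `$2y$` strings, switching the encoder to auto-generated salts does not lock out existing users; only the salt column becomes dead weight, which is why it can be made nullable or dropped once no other code reads it.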

Answers (2)

Huy

Reputation: 11

You can set the $salt attribute to null by overriding FOS\UserBundle\Model\User:

<?php

namespace YourNamespace\UserBundle\Entity;

use FOS\UserBundle\Model\User as BaseUser;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity(repositoryClass="YourNamespace\UserBundle\Repository\UserRepository")
 * @ORM\Table(name="`user`")
 * @ORM\AttributeOverrides({
 *     @ORM\AttributeOverride(
 *         name="salt",
 *         column=@ORM\Column(name="salt", type="string", nullable=true)
 *     )
 * })
 */
class User extends BaseUser
{
    /**
     * User constructor.
     */
    public function __construct()
    {
        parent::__construct();
        // Discard the salt generated by the parent constructor; the column is nullable.
        $this->salt = null;
    }

    // other code
}

Upvotes: 1

malcolm

Reputation: 5542

Upgrade to Symfony 3.

BCryptPasswordEncoder.php line 75:

if ($salt) {
    // Ignore $salt, the auto-generated one is always the best
}

Upvotes: 2
