Arkh

Reputation: 8459

How to override symfony password check to be able to check against multiple types of hashes

I have an old database of users which contains passwords hashed in a way I don't like. I'd like for those hashes to be updated to a new hash form (bcrypt) when they log in.

I am using FOSUserBundle to manage users and Elnur's bcrypt bundle as security encoder. Is there an easy way to plug into the password check mechanism to add this kind of algorithm:

if passwordHash is using old format
    oldFormatHash := hash userGivenPassword in the old way
    if oldFormatHash == passwordHash
        login ok
        update password in database with new hash format
    else
        login fails
else
    use default

I thought about extending the current security encoder but the isPasswordValid method does not have the id of the account to check (or its canonical name) so the updating part is not available.

Upvotes: 2

Views: 455

Answers (1)

Arkh

Reputation: 8459

In case it can help someone faced with this problem, here is the solution I used. The old way of storing the passwords in the database did not use salts. So I updated this column to contain the user's id.

Then it was easy to create my own security encoder using the salt parameter to update the user's password hashes.

Upvotes: 1
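The approach in the answer above, written out as an added example (not the poster's code): a Symfony 2 style password encoder whose salt parameter carries the user id, so a legacy hash that verifies can be rewritten as bcrypt. It assumes the legacy scheme was unsalted md5, uses PHP's own password_hash() in place of Elnur's bundle, and takes a caller-supplied callable for the database write; all three are assumptions, not details from the page.

```php
<?php
// Added example: migrates legacy unsalted hashes to bcrypt on successful login.
// Assumptions (not from the page): legacy format is unsalted md5, bcrypt via
// PHP's password_hash() instead of Elnur's bundle, persistence via a callable.
use Symfony\Component\Security\Core\Encoder\PasswordEncoderInterface;

class MigratingPasswordEncoder implements PasswordEncoderInterface
{
    /** @var callable  function (int $userId, string $newHash): void */
    private $persist;
    private $cost;

    public function __construct(callable $persist, $cost = 12)
    {
        $this->persist = $persist;
        $this->cost = $cost;
    }

    // New passwords are always stored as bcrypt. The $salt argument is ignored
    // here because bcrypt generates its own salt; the column now holds the user id.
    public function encodePassword($raw, $salt)
    {
        return password_hash($raw, PASSWORD_BCRYPT, array('cost' => $this->cost));
    }

    // $salt carries the user id (the trick from the answer), which is what lets
    // the encoder know which row to rewrite once a legacy hash has verified.
    public function isPasswordValid($encoded, $raw, $salt)
    {
        if (self::isLegacyHash($encoded)) {
            $legacy = md5($raw); // constructed legacy scheme, see assumptions above
            if (!hash_equals($encoded, $legacy)) { // constant-time compare
                return false;
            }
            // Valid legacy credential: replace it with a bcrypt hash right away.
            call_user_func($this->persist, (int) $salt, $this->encodePassword($raw, $salt));
            return true;
        }
        return password_verify($raw, $encoded);
    }

    // Anything that is not a bcrypt string ($2y$ from password_hash, $2a$ from
    // older implementations) is treated as a legacy hash.
    private static function isLegacyHash($encoded)
    {
        return strpos($encoded, '$2y$') !== 0 && strpos($encoded, '$2a$') !== 0;
    }
}
```

Register this class as the encoder for the user class in security.yml and make the user entity's getSalt() return its id; the persist callable is where a Doctrine update of the password column would go.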
