This PR was squashed before being merged into the 4.3-dev branch (closes #27738).
Discussion
----------
[Validator] Add a HaveIBeenPwned password validator
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | todo
This PR adds a new `Pwned` validation constraint to prevent users from choosing passwords that have been leaked in public data breaches.
The validator uses the https://haveibeenpwned.com/ API. The implementation is similar to the one used by [Firefox Monitor](https://blog.mozilla.org/futurereleases/2018/06/25/testing-firefox-monitor-a-new-security-tool/). It makes it possible not to expose the password hash, using a k-anonymity model. The specific implementation for HaveIBeenPwned has been [described in depth by Cloudflare](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/).
Usage:
```php
// Rejects the password if it is present any number of times in any data breach
class User
{
    /** @Pwned */
    public $plainPassword;
}

// Rejects the password if it is present more than 5 times in data breaches
class User
{
    /** @Pwned(maxCount=5) */
    public $plainPassword;
}

// Customize the error message
class User
{
    /** @Pwned(message='Please select another password, this one has already been hacked.') */
    public $plainPassword;
}
```
Commits
-------
ec1ded898a [Validator] Add a HaveIBeenPwned password validator
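The k-anonymity lookup the PR description refers to, written out as an added example (this is not the `Pwned` validator's code from the PR): the password is hashed with SHA-1, only the first five hex characters of the hash are sent to the range endpoint, and the remaining 35 characters are compared locally against the `SUFFIX:COUNT` lines the service returns. The `fetchRangeFromApi` helper, the `$fetch` closure and the range body used below are constructed for the example so it runs offline; the breach counts in the fixture are made up.

```php
<?php
// Added example of a k-anonymity check against a Pwned Passwords style
// range endpoint. Nothing here is Symfony code; names are illustrative.

/**
 * Parse a range response body ("SUFFIX:COUNT" per line) and return the
 * breach count recorded for the given 35-character hash suffix, or 0.
 */
function countInRange(string $body, string $suffix): int
{
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        if ('' === $line || false === strpos($line, ':')) {
            continue; // blank or malformed line
        }
        [$candidate, $count] = explode(':', $line, 2);
        if (0 === strcasecmp($candidate, $suffix)) {
            return (int) trim($count);
        }
    }

    return 0;
}

/**
 * Number of breaches the password appeared in. $fetchRange receives the
 * 5-character hash prefix and returns the response body for that range,
 * so the full hash never leaves this function.
 */
function pwnedCount(string $password, callable $fetchRange): int
{
    $hash = strtoupper(sha1($password));

    return countInRange($fetchRange(substr($hash, 0, 5)), substr($hash, 5));
}

/** Hypothetical network transport (not used in the offline demo below). */
function fetchRangeFromApi(string $prefix): string
{
    $ctx = stream_context_create(['http' => ['timeout' => 5]]);
    $body = @file_get_contents('https://api.pwnedpasswords.com/range/'.$prefix, false, $ctx);
    if (false === $body) {
        throw new RuntimeException('Range lookup failed for prefix '.$prefix);
    }

    return $body;
}

// Constructed fixture: a fake range body that lists the suffix of sha1("password")
// next to two unrelated suffixes. sha1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8.
$knownHash = strtoupper(sha1('password'));
$fixture = "0018A45C4D1DEF81644B54AB7F969B88D65:1\r\n"
    .substr($knownHash, 5).":3730471\r\n"
    ."00D4F6E8FA6EECAD2A3AA415EEC418D38EC:2\r\n";
$fetch = fn (string $prefix) => $prefix === substr($knownHash, 0, 5) ? $fixture : '';

// Mirrors the two policies from the usage section: reject on any hit (maxCount 0)
// or only when the password was seen more than maxCount times.
foreach ([0, 5] as $maxCount) {
    foreach (['password', 'correct horse battery staple'] as $candidate) {
        $n = pwnedCount($candidate, $fetch);
        printf("maxCount=%d %-30s breaches=%-8d %s\n", $maxCount, $candidate, $n, $n > $maxCount ? 'REJECT' : 'ok');
    }
}
```

With the fixture above, `password` is rejected under both policies and the passphrase passes, because its range is empty. When wiring the real transport in, treat a failed lookup as an error to surface rather than silently accepting the password, and keep the comparison case-insensitive since the service returns upper-case hex.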
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Validator][DoctrineBridge][FWBundle] Automatic data validation
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | n/a
| License | MIT
| Doc PR | https://github.com/symfony/symfony-docs/pull/11132
This feature automatically adds some validation constraints by inferring existing metadata. To do so, it uses the PropertyInfo component and Doctrine metadata, but it has been designed to be easily extendable.
Example:
```php
use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity
 */
class Dummy
{
    /**
     * @ORM\Id
     * @ORM\GeneratedValue(strategy="AUTO")
     * @ORM\Column(type="integer")
     */
    public $id;

    /**
     * @ORM\Column(nullable=true)
     */
    public $columnNullable;

    /**
     * @ORM\Column(length=20)
     */
    public $columnLength;

    /**
     * @ORM\Column(unique=true)
     */
    public $columnUnique;
}

$manager = $this->managerRegistry->getManager();
$manager->getRepository(Dummy::class);

$firstOne = new Dummy();
$firstOne->columnUnique = 'unique';
$firstOne->columnLength = '0';
$manager->persist($firstOne);
$manager->flush();

$dummy = new Dummy();
$dummy->columnNullable = 1; // type mismatch
$dummy->columnLength = '012345678901234567890'; // too long
$dummy->columnUnique = 'unique'; // not unique

$res = $this->validator->validate($dummy);
dump((string) $res);
/*
Object(App\Entity\Dummy).columnUnique:\n
    This value is already used. (code 23bd9dbf-6b9b-41cd-a99e-4844bcf3077f)\n
Object(App\Entity\Dummy).columnLength:\n
    This value is too long. It should have 20 characters or less. (code d94b19cc-114f-4f44-9cc4-4138e80a87b9)\n
Object(App\Entity\Dummy).id:\n
    This value should not be null. (code ad32d13f-c3d4-423b-909a-857b961eb720)\n
Object(App\Entity\Dummy).columnNullable:\n
    This value should be of type string. (code ba785a8c-82cb-4283-967c-3cf342181b40)\n
*/
```
It also works for DTOs:
```php
class MyDto
{
    /** @var string */
    public $name;
}

$dto = new MyDto();
$dto->name = 1; // type error
dump($validator->validate($dto));
/*
Object(MyDto).name:\n
    This value should be of type string. (code ba785a8c-82cb-4283-967c-3cf342181b40)\n
*/
```
Supported constraints currently are:
* `@NotNull` (using PropertyInfo type extractor, so supports Doctrine metadata, getters/setters and PHPDoc)
* `@Type` (using PropertyInfo type extractor, so supports Doctrine metadata, getters/setters and PHPDoc)
* `@UniqueEntity` (using Doctrine's `unique` metadata)
* `@Length` (using Doctrine's `length` metadata)
Many users don't understand that the Doctrine mapping doesn't validate anything (it's just a hint for the schema generator). This leads to usability and security issues (which are not entirely fixed by this PR!!).
Even those who add constraints often omit important ones like `@Length` or `@Type` (important when building web APIs).
This PR aims to improve things a bit and to ease the development process in RAD and when prototyping. It provides an upgrade path to using proper validation constraints.
I plan to make it opt-in, disabled by default, but enabled in the default Flex recipe. (= off by default when using components, on by default when using the full stack framework)
TODO:
* [x] Add configuration flags
* [x] Move the Doctrine-related DI logic from the extension to DoctrineBundle: doctrine/DoctrineBundle#831
* [x] Commit the tests
Commits
-------
2d64e703c2 [Validator][DoctrineBridge][FWBundle] Automatic data validation
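To make the inference idea concrete, here is an added example that is not the PR's implementation: a small reflection-based validator that reads the same metadata the PR relies on (`@var` PHPDoc types and `@ORM\Column` `type`, `length` and `nullable` options) straight from docblocks and derives the `NotNull`, `Type` and `Length` checks from it. It deliberately skips `UniqueEntity`, which needs a database query, and the `inferRules`, `matchesType` and `validateObject` names, the `Dummy` class and the sample values are all constructed for this example (PHP 7.4+ assumed).

```php
<?php
// Added example: deriving validation rules from existing metadata with
// reflection. Not Symfony's PropertyInfo/Doctrine-backed implementation.

class Dummy
{
    /** @ORM\Column(type="integer") */
    public $id;

    /** @ORM\Column(nullable=true) */
    public $columnNullable;

    /** @ORM\Column(length=20) */
    public $columnLength;

    /** @var string */
    public $name;
}

/**
 * Build [property => ['type' => ?string, 'nullable' => bool, 'length' => ?int]]
 * from the docblocks of the class's public properties.
 */
function inferRules(string $class): array
{
    $rules = [];
    foreach ((new ReflectionClass($class))->getProperties(ReflectionProperty::IS_PUBLIC) as $prop) {
        $doc = $prop->getDocComment() ?: '';
        $rule = ['type' => null, 'nullable' => false, 'length' => null];

        if (preg_match('/@var\s+\??(\w+)/', $doc, $m)) {
            $rule['type'] = $m[1];
        }
        if (preg_match('/@ORM\\\\Column\(([^)]*)\)/', $doc, $m)) {
            $opts = $m[1];
            if (preg_match('/type="(\w+)"/', $opts, $t)) {
                $rule['type'] = $t[1];
            }
            if (preg_match('/length=(\d+)/', $opts, $l)) {
                $rule['length'] = (int) $l[1];
            }
            if (preg_match('/nullable=true/', $opts)) {
                $rule['nullable'] = true;
            }
            $rule['type'] ??= 'string'; // Doctrine's default column type
        }
        $rules[$prop->getName()] = $rule;
    }

    return $rules;
}

/** Map PHPDoc / Doctrine type names onto PHP runtime checks. */
function matchesType($value, string $type): bool
{
    switch ($type) {
        case 'int': case 'integer': return is_int($value);
        case 'string': return is_string($value);
        case 'bool': case 'boolean': return is_bool($value);
        case 'float': return is_float($value);
        default: return true; // unknown types are left unchecked
    }
}

/** Return violation messages in the same spirit as the PR's dump output. */
function validateObject(object $obj): array
{
    $violations = [];
    foreach (inferRules(get_class($obj)) as $name => $rule) {
        $value = $obj->$name;
        $path = get_class($obj).'.'.$name;
        if (null === $value) {
            if (!$rule['nullable']) {
                $violations[] = "$path: This value should not be null.";
            }
            continue;
        }
        if (null !== $rule['type'] && !matchesType($value, $rule['type'])) {
            $violations[] = "$path: This value should be of type {$rule['type']}.";
        }
        if (null !== $rule['length'] && is_string($value) && mb_strlen($value) > $rule['length']) {
            $violations[] = "$path: This value is too long. It should have {$rule['length']} characters or less.";
        }
    }

    return $violations;
}

// Constructed sample mirroring the PR's scenario (minus the unique column).
$dummy = new Dummy();
$dummy->columnNullable = 1;                       // type mismatch: column defaults to string
$dummy->columnLength = '012345678901234567890';   // 21 characters, limit is 20
$dummy->name = 'ok';                              // id stays null and is reported

foreach (validateObject($dummy) as $violation) {
    echo $violation, "\n";
}
```

Running it reports the null `id`, the non-string `columnNullable` and the over-long `columnLength`, while `name` passes. The point the PR makes still holds for this toy: the mapping only becomes a security control once something actually evaluates it against incoming data, which is what the inference step supplies.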
This PR was merged into the 4.3-dev branch.
Discussion
----------
[Validator] Add constraint on unique elements collection (Assert\Unique)
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | no
| Fixed tickets | #26535
| License | MIT
| Doc PR | symfony/symfony-docs#...
Commits
-------
d0eb13e55a Rebase and update to latest CS
fc66683cf2 Add UniqueCollection constraint and validator
* 4.2:
[Phpunit] fixed support for PHP 5.3
Response prepare method update
[Workflow] Added missing license header
Fix case when multiple loaders are providing paths for the same namespace
Check if Client exists when test.client does not exist, to provide clearer exception message
throw TypeErrors to prepare for type hints in 5.0
[Form] Preventing validation of children if parent with Valid constraint has no validation groups
[Form] Added ResetInterface to CachingFactoryDecorator
Remove deprecated usage
[Tests] fixed compatibility of assertEquals(): void
Fixed usage of TranslatorInterface in form extension (fixes #30591)
[Intl][4.2] Fix test
[Intl] Fix test
[Validator] Add the missing translations for the Arabic (ar) locale
[Intl] Add compile binary
Fix DebugCommand when chain loader is involved
[Form] Fixed some phpdocs
* 3.4:
[Phpunit] fixed support for PHP 5.3
Response prepare method update
[Workflow] Added missing license header
Check if Client exists when test.client does not exist, to provide clearer exception message
[Form] Preventing validation of children if parent with Valid constraint has no validation groups
[Tests] fixed compatibility of assertEquals(): void
[Intl] Fix test
[Validator] Add the missing translations for the Arabic (ar) locale
[Intl] Add compile binary
[Form] Fixed some phpdocs
* 4.2:
Fix Cache error while using anonymous class
[Cache] fix LockRegistry
Update validators.cs.xlf
Make translations consistent with other translations.
Correct language code for ukrainian language in security translations.
Fix return type of Request::getRequestFormat
[Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
* 3.4:
Make translations consistent with other translations.
Correct language code for ukrainian language in security translations.
Fix return type of Request::getRequestFormat
[Cache] Fix perf when using RedisCluster by reducing roundtrips to the servers
* 4.2:
[Cache] Only delete one key at a time when on Predis + Cluster
[Validator] Add missing translations for Swedish locale
[Process] fix using argument $php of new PhpProcess()
[Routing] removed a useless var
[Routing] Fixed XML options resolution
* 3.4:
[Cache] Only delete one key at a time when on Predis + Cluster
[Validator] Add missing translations for Swedish locale
[Routing] removed a useless var
[Routing] Fixed XML options resolution
This PR was merged into the 3.4 branch.
Discussion
----------
[Validator] Add the missing translations for the Swedish ("sv") locale
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30190
| License | MIT
| Doc PR | -
Added the missing translations to the `src/Symfony/Component/Validator/Resources/translations/validators.sv.xlf` file.
Commits
-------
7e9f63da43 [Validator] Add missing translations for Swedish locale
* 4.2: (27 commits)
cs fix
cs fix
[PHPUnit-Bridge] override some environment variables
[TwigBridge] Remove use spaceless tag
Upgrade zookeeper ext
[translation] Update default format from yml to yaml
Change default log level for output streams
update docblock to match the actual behavior
Don't resolve the Deprecation error handler mode until a deprecation is triggered
compatibility with phpunit8
Make 'headers' key optional for encoded messages
[Debug][DebugClassLoader] Detect annotations before blank docblock lines on final and internal methods
Fix undefined variable fromConstructor when passing context to getTypes
Added translations for Chinese language.
Allow 3rd argument to be null
Remove whitespace (tab on blank line)
[Monolog] Really reset logger when calling logger::reset()
[Form] Fixes debug:form appears many times as type extensions configured with new getExtendedTypes method
Update src/Symfony/Component/PropertyInfo/Tests/Extractor/ReflectionExtractorTest.php
Update src/Symfony/Component/PropertyInfo/Tests/Extractor/ReflectionExtractorTest.php
...
* 3.4:
cs fix
cs fix
[PHPUnit-Bridge] override some environment variables
[TwigBridge] Remove use spaceless tag
[translation] Update default format from yml to yaml
Change default log level for output streams
update docblock to match the actual behavior
compatibility with phpunit8
[Debug][DebugClassLoader] Detect annotations before blank docblock lines on final and internal methods
Added translations for Chinese language.
This PR was squashed before being merged into the 4.3-dev branch (closes #30377).
Discussion
----------
[Validator] add MIR card scheme
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30376
| License | MIT
Commits
-------
aecb33a620 [Validator] add MIR card scheme
* 4.2:
Removed non-existing parameters for LogoutUrlGenerator calls
[WebProfilerBundle] toolbar: invisible route name in Firefox
Drop spurious execution bit
[HttpKernel] Correctly merging cache directives in HttpCache/ResponseCacheStrategy
[Validator] Add the missing translations for the Latvian ("lv") locale
Fixed the DebugClassLoader compatibility with eval()'d code on Darwin
[Validator] Update Serbian translation file
* 3.4:
Removed non-existing parameters for LogoutUrlGenerator calls
[HttpKernel] Correctly merging cache directives in HttpCache/ResponseCacheStrategy
[Validator] Add the missing translations for the Latvian ("lv") locale
Fixed the DebugClassLoader compatibility with eval()'d code on Darwin
[Validator] Update Serbian translation file
This PR was merged into the 3.4 branch.
Discussion
----------
[Validator] Update Serbian translation file
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| BC breaks? | no
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #30189
| License | MIT
| Doc PR | /
I am not sure about some translations; if someone could check these, I would appreciate it.
Also, I've found that singular/plural translations have 3 translations. I am not sure if that's a mistake or not. I removed the third translation, but if I was wrong, I'll be happy to put it back.
Commits
-------
9e9a57a544 [Validator] Update Serbian translation file
* 4.2: (26 commits)
Apply php-cs-fixer rule for array_key_exists()
[Cache] fix warming up cache.system and apcu
[Security] Change FormAuthenticator if condition
handles multi-byte characters in autocomplete
speed up tests running them without debug flag
[Translations] added missing Croatian validators
Fix getItems() performance issue with RedisCluster (php-redis)
[VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
IntegerType: reject submitted non-integer numbers
be keen to newcomers
[HttpKernel] Fix possible infinite loop of exceptions
fixed CS
[Validator] Added missing translations for Afrikaans
do not validate non-submitted form fields in PATCH requests
Update usage example in ArrayInput doc block.
[Console] Prevent ArgvInput::getFirstArgument() from returning an option value
[Validator] Fixed duplicate UUID
fixed CS
[EventDispatcher] Fix unknown priority
Avoid mutating the Finder when building the iterator
...
* 3.4: (24 commits)
Apply php-cs-fixer rule for array_key_exists()
[Security] Change FormAuthenticator if condition
handles multi-byte characters in autocomplete
speed up tests running them without debug flag
[Translations] added missing Croatian validators
Fix getItems() performance issue with RedisCluster (php-redis)
[VarDumper] Keep a ref to objects to ensure their handle cannot be reused while cloning
IntegerType: reject submitted non-integer numbers
be keen to newcomers
[HttpKernel] Fix possible infinite loop of exceptions
fixed CS
[Validator] Added missing translations for Afrikaans
do not validate non-submitted form fields in PATCH requests
Update usage example in ArrayInput doc block.
[Console] Prevent ArgvInput::getFirstArgument() from returning an option value
[Validator] Fixed duplicate UUID
fixed CS
[EventDispatcher] Fix unknown priority
Avoid mutating the Finder when building the iterator
[Validator] Add the missing translations for the Greek (el) locale
...