This repository has been archived on 2023-08-20.
symfony/src/Symfony/Bundle/SecurityBundle
Fabien Potencier 1b300985ff feature #21604 [Security] Argon2i Password Encoder (zanbaldwin)
This PR was merged into the 3.4 branch.

Discussion
----------

[Security] Argon2i Password Encoder

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        | WIP

Since the [libsodium RFC](https://wiki.php.net/rfc/libsodium) passed with flying colours, I'd like to kick-start a discussion about adding Argon2i as a password encoder to the security component. The initial code proposal in this PR supports both the upcoming public API confirmed for PHP 7.2, and the [libsodium PECL extension](https://pecl.php.net/package/libsodium) for those below 7.2 (available for PHP 5.4+).

#### Concerns

- Should the test cover hash length? At the moment the result of Argon2i is 96 characters, but because the hashing parameters are included in the result (`$argon2i$v=19$m=32768,t=4,p=1$...`) this is not guaranteed.
- I've used one password encoder class because the result *should* be the same whether running natively in 7.2 or from the PECL extension, but should the logic be split out into separate private methods (like `Argon2iPasswordEncoder::encodePassword()`) or not (like in `Argon2iPasswordEncoder::isPasswordValid()`)? Since I can't really find anything concrete on Symfony choosing one way over another I'm assuming it's down to personal preference?

#### The Future

Whilst the libsodium RFC has been approved and the public API confirmed, there has been no confirmation of Argon2i becoming an official algorithm for `password_hash()`. If that is confirmed, then the implementation should *absolutely* use the native `password_*` functions since the `sodium_*` functions do not have an equivalent to the `password_needs_rehash()` function.

Any feedback would be greatly appreciated 😃

Commits
-------

be093dd79a Argon2i Password Encoder
2017-09-29 07:04:03 -07:00
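The gap raised under "The Future" in the PR description is that the `sodium_*` API has no counterpart to `password_needs_rehash()`. As an added example, not part of this PR or of Symfony's own code, the class below supports both back-ends the PR describes (native `password_*` on a PHP 7.2 build with Argon2 support, `sodium_crypto_pwhash_str*` otherwise) and closes the gap by reading the cost parameters back out of the encoded string (`$argon2i$v=19$m=32768,t=4,p=1$...`), which is exactly why the PR notes that the hash length cannot be treated as fixed. The class name, the default cost constants and the `needsRehash()` method are assumptions made for this example; the PHP functions and constants used are PHP 7.2's public API.

```php
<?php
// Added example (not Symfony's code): a minimal Argon2i password encoder with a
// "needs rehash" check that works for both the password_* and sodium_* back-ends.

final class Argon2iEncoderExample
{
    // Hypothetical defaults chosen for this example; tune to your hardware.
    private const MEMORY_COST = 32768; // KiB, as written into the "m=" field
    private const TIME_COST = 4;       // iterations, the "t=" field
    private const THREADS = 1;         // parallelism, the "p=" field

    public function encodePassword(string $raw): string
    {
        // PASSWORD_ARGON2I is only defined when PHP was built with Argon2 support.
        if (\defined('PASSWORD_ARGON2I')) {
            return password_hash($raw, PASSWORD_ARGON2I, [
                'memory_cost' => self::MEMORY_COST,
                'time_cost' => self::TIME_COST,
                'threads' => self::THREADS,
            ]);
        }
        if (\function_exists('sodium_crypto_pwhash_str')) {
            // libsodium takes the memory limit in bytes and has no thread option,
            // so the resulting string still carries "m=32768,...,p=1".
            return sodium_crypto_pwhash_str($raw, self::TIME_COST, self::MEMORY_COST * 1024);
        }
        throw new \RuntimeException('Argon2i is not available on this PHP build.');
    }

    public function isPasswordValid(string $encoded, string $raw): bool
    {
        if (\defined('PASSWORD_ARGON2I')) {
            return password_verify($raw, $encoded);
        }
        if (\function_exists('sodium_crypto_pwhash_str_verify')) {
            return sodium_crypto_pwhash_str_verify($encoded, $raw);
        }
        throw new \RuntimeException('Argon2i is not available on this PHP build.');
    }

    /**
     * Substitute for password_needs_rehash() that also works with sodium_*:
     * parse the parameters embedded in the encoded string and report whether
     * they fall below the current defaults. Newer libsodium emits "$argon2id$"
     * from sodium_crypto_pwhash_str(), so both prefixes are accepted here.
     */
    public function needsRehash(string $encoded): bool
    {
        if (!preg_match('/^\$argon2id?\$v=(\d+)\$m=(\d+),t=(\d+),p=(\d+)\$/', $encoded, $m)) {
            return true; // not an Argon2 hash at all, e.g. a legacy bcrypt entry
        }
        [, , $memory, $time, $threads] = $m;

        return (int) $memory < self::MEMORY_COST
            || (int) $time < self::TIME_COST
            || (int) $threads < self::THREADS;
    }
}

// Usage with constructed input. The second needsRehash() call is fed a
// constructed hash string whose m= and t= values sit below the defaults.
$encoder = new Argon2iEncoderExample();
$encoded = $encoder->encodePassword('example-passphrase');
$encoder->isPasswordValid($encoded, 'example-passphrase');
$encoder->needsRehash($encoded);
$encoder->needsRehash('$argon2i$v=19$m=1024,t=2,p=1$c2FsdHNhbHRzYWx0$aGFzaGhhc2hoYXNo');
```

Because the parameters are self-describing, `needsRehash()` can be called on every successful login and the hash re-encoded when it returns true, which is the upgrade path the PR says `password_needs_rehash()` would otherwise provide. The parse also fails closed: anything that is not an Argon2 string is reported as needing a rehash rather than silently accepted.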
| Path | Last commit | Date |
| --- | --- | --- |
| Command | minor #21620 [Security] Saltless Encoder Interface (zanbaldwin) | 2017-09-27 15:29:25 +02:00 |
| DataCollector | Merge branch '3.3' into 3.4 | 2017-06-24 11:47:31 +02:00 |
| Debug | Give info about called security listeners in profiler | 2017-06-13 10:30:58 +02:00 |
| DependencyInjection | Argon2i Password Encoder | 2017-09-29 14:21:29 +01:00 |
| EventListener | Fix AclSchemaListener deprecation | 2017-09-27 23:42:53 +02:00 |
| Resources | Adding a shortcuts for the main security functionality | 2017-09-28 17:13:10 +02:00 |
| Security | Merge branch '3.3' into 3.4 | 2017-09-11 14:23:16 -07:00 |
| Templating/Helper | Fix the logout path when not using the router | 2015-12-17 13:54:40 +01:00 |
| Tests | feature #21604 [Security] Argon2i Password Encoder (zanbaldwin) | 2017-09-29 07:04:03 -07:00 |
| .gitignore | Added missing files .gitignore | 2013-07-21 14:12:18 +02:00 |
| CHANGELOG.md | feature #21604 [Security] Argon2i Password Encoder (zanbaldwin) | 2017-09-29 07:04:03 -07:00 |
| composer.json | [DI] Resolve nested refs to aliases | 2017-09-13 13:21:02 +02:00 |
| LICENSE | updated LICENSE year | 2017-01-02 12:30:00 -08:00 |
| phpunit.xml.dist | fail when detecting risky tests | 2017-04-12 09:39:27 +02:00 |
| README.md | add readme files where missing | 2016-03-07 11:36:15 +01:00 |
| SecurityBundle.php | [Security][SecurityBundle] Deprecate the HTTP digest auth | 2017-09-26 20:29:06 +02:00 |
| SecurityUserValueResolver.php | Added a SecurityUserValueResolver for controllers | 2016-07-01 08:00:40 +02:00 |