8de664d4f3
This PR was merged into the 5.3-dev branch.
Discussion
----------
[Security] Decouple passwords from UserInterface
| Q | A
| ------------- | ---
| Branch? | 5.x
| Bug fix? | no
| New feature? | yes
| Deprecations? | yes
| Tickets | #23081, helps with #39308
| License | MIT
| Doc PR | todo
This PR addresses a long-standing issue of the Security component: UserInterface is coupled to passwords.
It does it by moving the `getPassword()` method from `UserInterface` to a `PasswordAuthenticatedUserInterface`, and the `getSalt()` method to a `LegacyPasswordAuthenticatedUserInterface`.
Steps:
- In 5.3, we add the new interface and, at places where password-based authentication happens, trigger deprecation notices when a `UserInterface` object does not implement the new interface(s). The UserInterface is kept as-is until 6.0.
- In 6.0, we can remove the methods from `UserInterface` as well as support for using password authentication with user objects not implementing the new interface(s).
As a side-effect, some password-related interfaces (`UserPasswordHasherInterface` and `PasswordUpgraderInterface`) must change their signatures to type-hint against the new interface.
That is done in a BC way, which is to make the concerned methods virtual until 6.0, with deprecation notices triggered from callers and concrete implementations.
Benefits:
In 6.0, applications that use password-less authentication (e.g. login links) won't need to write no-op `getPassword()` and `getSalt()` in order to fulfil the `UserInterface` contract.
For applications that do use password-based authentication, they will need to opt-in explicitly by implementing the relevant interface(s).
This builds on great discussions with @wouterj and @nicolas-grekas, and it is part of the overall rework of the Security component.
Commits
-------
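To make the split concrete, here is an added PHP sketch (not code from this PR or from Symfony) that uses minimal stand-in interfaces for the ones the description names; `LoginLinkUser`, `PasswordUser` and `verifyPassword()` are hypothetical names, and the check models the 6.0 end state in which a user object that does not opt in cannot be password-authenticated at all.

```php
<?php
// Stand-ins for the Symfony interfaces described in the PR (simplified so this runs stand-alone).
interface UserInterface
{
    public function getRoles(): array;
    public function getUserIdentifier(): string;
}

// New interface: only users that authenticate with a password expose one.
interface PasswordAuthenticatedUserInterface
{
    public function getPassword(): ?string;
}

// Legacy variant: salt is only needed for hashes that are not self-salting.
interface LegacyPasswordAuthenticatedUserInterface extends PasswordAuthenticatedUserInterface
{
    public function getSalt(): ?string;
}

// Password-less user (e.g. login links): no no-op getPassword()/getSalt() required.
final class LoginLinkUser implements UserInterface
{
    public function __construct(private string $email) {}
    public function getRoles(): array { return ['ROLE_USER']; }
    public function getUserIdentifier(): string { return $this->email; }
}

// Password user opts in explicitly by implementing the new interface.
final class PasswordUser implements UserInterface, PasswordAuthenticatedUserInterface
{
    public function __construct(private string $email, private string $hash) {}
    public function getRoles(): array { return ['ROLE_USER']; }
    public function getUserIdentifier(): string { return $this->email; }
    public function getPassword(): ?string { return $this->hash; }
}

// What a password-based authenticator does: fail closed for users that did not opt in.
// (During 5.3 the same spot emits a deprecation instead; in 6.0 the user is simply rejected.)
function verifyPassword(UserInterface $user, string $plain): bool
{
    if (!$user instanceof PasswordAuthenticatedUserInterface) {
        return false; // no password contract, so no password authentication
    }
    return password_verify($plain, $user->getPassword() ?? '');
}

// Constructed sample data.
$alice = new PasswordUser('alice@example.test', password_hash('correct horse', PASSWORD_DEFAULT));
$bob = new LoginLinkUser('bob@example.test');
var_dump(verifyPassword($alice, 'correct horse')); // bool(true)
var_dump(verifyPassword($alice, 'wrong'));         // bool(false)
var_dump(verifyPassword($bob, 'anything'));        // bool(false): not password-authenticated
```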