This repository has been archived on 2023-08-20. You can view files and clone it, but cannot push or open issues or pull requests.
Go to file
Fabien Potencier b01fd5f370 feature #27738 [Validator] Add a HaveIBeenPwned password validator (dunglas)
This PR was squashed before being merged into the 4.3-dev branch (closes #27738).

Discussion
----------

[Validator] Add a HaveIBeenPwned password validator

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes <!-- don't forget to update src/**/CHANGELOG.md files -->
| BC breaks?    | no     <!-- see https://symfony.com/bc -->
| Deprecations? | no <!-- don't forget to update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tests pass?   | yes    <!-- please add some, will be required by reviewers -->
| Fixed tickets | n/a   <!-- #-prefixed issue number(s), if any -->
| License       | MIT
| Doc PR        | todo

This PR adds a new `Pwned` validation constraint to prevent users to choose passwords that have been leaked in public data breaches.
The validator uses the https://haveibeenpwned.com/ API. The implementation is similar to the one used by [Firefox Monitor](https://blog.mozilla.org/futurereleases/2018/06/25/testing-firefox-monitor-a-new-security-tool/). It allows to not expose the password hash using a k-anonymity model. The specific implementation for HaveIBeenPwned has been [described in depth by Cloudflare](https://blog.cloudflare.com/validating-leaked-passwords-with-k-anonymity/).

Usage:

```php
// Rejects the password if is present in any number of times in any data breach
class User
{
    /** @Pwned */
    public $plainPassword;
}

// Rejects the password if is present more than 5 times in data breaches
class User
{
    /** @Pwned(maxCount=5) */
    public $plainPassword;
}

// Customize the error message
class User
{
    /** @Pwned(message='Please select another password, this one has already been hacked.') */
    public $plainPassword;
}
```

Commits
-------

ec1ded898a [Validator] Add a HaveIBeenPwned password validator
2019-04-01 18:48:04 +02:00
.composer Drop hirak/prestissimo 2016-05-12 07:44:15 -05:00
.github Merge branch '3.4' into 4.2 2019-02-12 21:06:11 +01:00
src/Symfony feature #27738 [Validator] Add a HaveIBeenPwned password validator (dunglas) 2019-04-01 18:48:04 +02:00
.appveyor.yml Merge branch '4.1' 2018-09-05 14:00:05 +02:00
.editorconfig Update .editorconfig 2018-09-06 16:22:56 +02:00
.gitignore Add appveyor.yml for C.I. on Windows 2015-08-25 23:41:37 +02:00
.php_cs.dist fixed CS 2019-01-16 21:35:37 +01:00
.travis.yml feature #29495 [Ldap] Implement pagination (kevans91) 2019-03-31 10:40:08 +02:00
CHANGELOG-4.0.md Merge branch '3.4' into 4.1 2018-08-01 18:22:14 +02:00
CHANGELOG-4.1.md updated CHANGELOG for 4.1.10 2019-01-06 17:16:07 +01:00
CHANGELOG-4.2.md updated CHANGELOG for 4.2.4 2019-03-03 20:38:00 +01:00
CODE_OF_CONDUCT.md Added the Code of Conduct file 2018-10-10 03:13:30 -07:00
composer.json [HttpClient] add ResponseInterface::toArray() 2019-03-09 17:49:48 +01:00
CONTRIBUTING.md Mention the community review guide 2016-12-18 22:02:35 +01:00
CONTRIBUTORS.md update CONTRIBUTORS for 3.4.23 2019-03-03 19:52:33 +01:00
LICENSE update year in license files 2019-01-01 14:45:19 +01:00
link appending root of Contracts dir (where composer.json is located) 2018-07-31 21:19:26 +03:00
phpunit Bump phpunit bridge cache id 2019-01-24 22:33:33 +01:00
phpunit.xml.dist #27345 Added Lock/Store/MongoDbStore 2019-03-29 23:39:57 +10:00
README.md Merge branch '2.8' into 3.4 2018-05-25 16:50:57 +02:00
UPGRADE-4.0.md Merge branch '3.4' into 4.2 2019-02-23 16:17:42 +01:00
UPGRADE-4.1.md Merge branch '4.0' into 4.1 2018-05-31 12:17:53 +02:00
UPGRADE-4.2.md [Contracts] extract LocaleAwareInterface out of TranslatorInterface 2018-12-05 08:06:11 +00:00
UPGRADE-4.3.md [Contracts][EventDispatcher] move the Event class to symfony/contracts 2019-03-29 19:47:03 +01:00
UPGRADE-5.0.md [Contracts][EventDispatcher] move the Event class to symfony/contracts 2019-03-29 19:47:03 +01:00

Symfony is a PHP framework for web applications and a set of reusable PHP components. Symfony is used by thousands of web applications (including BlaBlaCar.com and Spotify.com) and most of the popular PHP projects (including Drupal and Magento).

Installation

Documentation

Community

Contributing

Symfony is an Open Source, community-driven project with thousands of contributors. Join them contributing code or contributing documentation.

Security Issues

If you discover a security vulnerability within Symfony, please follow our disclosure procedure.

About Us

Symfony development is sponsored by SensioLabs, led by the Symfony Core Team and supported by Symfony contributors.