Chapters

37 Chapters | 3:43:31 |

01

¿Documentos API en producción?

8:22
02

¿Token API? ¿Cookies de sesión?

8:07
03

Formulario de inicio de sesión API con json_login

5:36
04

Manejo de errores de autenticación

3:47
05

En Autenticación correcta

6:03
06

Cerrar sesión y pasar datos de la API a JavaScript

5:45
07

Pasar valores a Stimulus

4:32
08

Tipos de token y la entidad ApiToken

5:59
09

Generar el token de la API y los accesorios

5:58
10

Autenticador de token de acceso

8:56
11

Personalizar los documentos de OpenAPI

7:31
12

Ámbitos de los tokens de la API

5:51
13

Denegar el acceso con la opción "seguridad

7:11
14

Poner en marcha un sistema de pruebas asesino

8:18
15

Aserciones de la prueba JSON y siembra de la base de datos

3:41
16

Aserciones de prueba JSON avanzadas y flexibles

4:04
17

Probar la autenticación

4:59
18

Personalizar el navegador globalmente

3:50
19

Probar la autenticación por token

3:24
20

Nuevo comportamiento PUT

4:46
21

Permitir editar sólo a los propietarios

7:49
22

Permitir que los usuarios administradores editen cualquier tesoro

4:11
23

Votante de seguridad

6:13
24

Campos condicionales por usuario: ApiProperty

5:13
25

Prueba de Usuario + Contraseña Simple

4:21
26

Procesadores de Estado: Hashing de la contraseña de usuario

6:55
27

Grupos de validación y formatos de parche

8:01
28

Grupos Dinámicos: Creador de Contextos

8:26
29

Normalizador personalizado

5:08
30

Decoración del normalizador y "Normalizer Aware" (consciente del normalizador)

6:29
31

Campos totalmente personalizados

3:24
32

Validador personalizado

7:58
33

Validar cómo cambian los valores

8:30
34

Configuración automática del "propietario

4:19
35

Extensión de consulta: Autofiltrar una colección

6:15
36

404 En Artículos No Publicados

8:00
37

Filtrar la colección de relaciones

5:39

> APIs > API Platform 3: Seguridad para tus tesoros

Buy Access to Course

26.

Procesadores de Estado: Hashing de la contraseña de usuario

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Cuando un cliente de la API crea un usuario, envía un campo password, que se establece en la propiedad plainPassword. Ahora tenemos que aplicar el hash a esa contraseña antes de que Userse guarde en la base de datos. Como demostramos al trabajar con Foundry, hashear una contraseña es sencillo: coge el servicio UserPasswordHasherInterface y llama a un método sobre él:

            Copy Code

                            Show All Lines

                        99 lines
            |
            src/Factory/UserFactory.php
        
                Show Lines

                                                    // ... lines 1 - 6
                            
            use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
        
                Show Lines

                                                    // ... lines 8 - 30
                            
            final class UserFactory extends ModelFactory
        
            {
        
                Show Lines

                                                    // ... lines 33 - 47
                            
                public function __construct(
        
                    private UserPasswordHasherInterface $passwordHasher
        
                )
        
                {
        
                Show Lines

                                                    // ... line 52
                            
                }
        
                Show Lines

                                                    // ... lines 54 - 81
                            
                protected function initialize(): self
        
                {
        
                    return $this
        
                        ->afterInstantiate(function(User $user): void {
        
                            $user->setPassword($this->passwordHasher->hashPassword(
        
                                $user,
        
                                $user->getPassword()
        
                            ));
        
                        })
        
                    ;
        
                }
        
                Show Lines

                                                    // ... lines 93 - 97
                            
            }

Pero para conseguirlo, necesitamos un "gancho" en la API Platform: necesitamos alguna forma de ejecutar código después de que nuestros datos se deserialicen en el objeto User, pero antes de que se guarden.

En nuestro tutorial sobre la API Platform 2, utilizamos para ello una escucha Doctrine, que seguiría funcionando. Sin embargo, tiene algunos aspectos negativos, como ser supermágico -es difícil depurar si no funciona- y tienes que hacer algunas cosas raras para asegurarte de que se ejecuta al editar la contraseña de un usuario.

Hola Procesadores de Estado

Afortunadamente, en API Platform 3 tenemos una nueva y brillante herramienta que podemos aprovechar: se llama procesador de estado. Y de hecho, ¡nuestra clase User ya utiliza un procesador de estado!

Encuentra la Guía de actualización de la API Platform 2 a la 3... y busca procesador. Veamos... aquí está. Tiene una sección llamada proveedores y procesadores. Hablaremos de proveedores más adelante.

Según esto, si tienes una clase ApiResource que es una entidad -como en nuestra aplicación-, entonces, por ejemplo, tu operación Put ya utiliza un procesador de estado llamado PersistProcessor La operación Post también lo utiliza, y Delete tiene uno llamado RemoveProcessor.

Los procesadores de estado son geniales. Después de que los datos enviados se deserialicen en el objeto, nosotros... ¡necesitamos hacer algo! La mayoría de las veces, ese "algo" es: guardar el objeto en la base de datos. ¡Y eso es precisamente lo que hace PersistProcessor! ¡Sí, nuestros cambios de entidad se guardan en la base de datos por completo gracias a ese procesador de estado incorporado!

Creación del procesador de estado personalizado

Así que éste es el plan: vamos a engancharnos al sistema de procesadores de estado y añadir el nuestro propio. Primer paso: ejecuta un nuevo comando desde la API Platform:

php ./bin/console make:state-processor

Llamémoslo UserHashPasswordProcessor. Perfecto.

Gira, entra en src/, abre el nuevo directorio State/ y echa un vistazo aUserHashPasswordStateProcessor:

            Copy Code

                            Show All Lines

                        15 lines
            |
            src/State/UserHashPasswordStateProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 2
                            
            namespace App\State;
        
            use ApiPlatform\Metadata\Operation;
        
            use ApiPlatform\State\ProcessorInterface;
        
            class UserHashPasswordStateProcessor implements ProcessorInterface
        
            {
        
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    // Handle the state
        
                }
        
            }

Es deliciosamente sencillo: API Platform llamará a este método, nos pasará datos, nos dirá qué operación está ocurriendo... y algunas cosas más. Luego... hacemos lo que queramos. Enviar correos electrónicos, guardar cosas en la base de datos, ¡o RickRollar a alguien viendo un screencast!

Activar este procesador es sencillo en teoría. Podríamos ir a la operación Post, añadir una opción processor y configurarla con nuestro id de servicio: UserHashPasswordStateProcessor::class.

Por desgracia... si hiciéramos eso, sustituiría al PersistProcessor que está utilizando ahora. Y... no queremos eso: queremos que se ejecute nuestro nuevo procesador... y también el existente PersistProcessor. Pero... cada operación sólo puede tener un procesador.

Configurar la decoración

¡No te preocupes! Podemos hacerlo decorando PersistProcessor. La decoración sigue siempre el mismo patrón. Primero, añade un constructor que acepte un argumento con la misma interfaz que nuestra clase: private ProcessorInterface y lo llamaré $innerProcessor:

            Copy Code

                            Show All Lines

                        23 lines
            |
            src/State/UserHashPasswordStateProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 5
                            
            use ApiPlatform\State\ProcessorInterface;
        
                Show Lines

                                                    // ... lines 7 - 9
                            
            class UserHashPasswordStateProcessor implements ProcessorInterface
        
            {
        
                public function __construct(private ProcessorInterface $innerProcessor)
        
                {
        
                }
        
                Show Lines

                                                    // ... lines 15 - 21
                            
            }

Después de añadir un dump() para ver si funciona, haremos el paso 2: llamar al método de servicio decorado: $this->innerProcessor->process() pasando $data, $operation,$uriVariables y... sí, $context:

            Copy Code

                            Show All Lines

                        23 lines
            |
            src/State/UserHashPasswordStateProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class UserHashPasswordStateProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 15
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    dump('ALIVE!');
        
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

Me encanta: nuestra clase está preparada para la decoración. Ahora tenemos que decirle a Symfony que la utilice. Internamente, PersistProcessor de API Platform es un servicio. Vamos a decirle a Symfony que siempre que algo necesite ese servicio PersistProcessor, le pase nuestro servicio en su lugar... pero también que Symfony nos pase el PersistProcessor original.

Para ello, añade #[AsDecorator()] y pásale el id del servicio. Normalmente puedes encontrarlo en la documentación, o puedes utilizar el comando debug:container para buscarlo. La documentación dice que es api_platform.doctrine.orm.state.persist_processor:

            Copy Code

                            Show All Lines

                        23 lines
            |
            src/State/UserHashPasswordStateProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 6
                            
            use Symfony\Component\DependencyInjection\Attribute\AsDecorator;
        
            #[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
        
            class UserHashPasswordStateProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 21
                            
            }

¡Decoración realizada! Todavía no estamos haciendo nada, ¡pero vamos a ver si llega a nuestro volcado! Ejecuta la prueba:

symfony php bin/phpunit tests/Functional/UserResourceTest.php

Y... ¡ahí está! Sigue siendo un 500, ¡pero está utilizando nuestro procesador!

Añadir la lógica Hashing

Ahora podemos ponernos manos a la obra. Debido a cómo hicimos la decoración del servicio, nuestro nuevo procesador será llamado siempre que se procese cualquier entidad... ya sea un User, un DragonTreasure o cualquier otra cosa. Así que, empieza por comprobar si $data es un instanceof User... y si $data->getPlainPassword()... porque si estamos editando un usuario, y no se envía ningún password, no hace falta que hagamos nada:

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/UserHashPasswordStateProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class UserHashPasswordStateProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 14 - 17
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    if ($data instanceof User && $data->getPlainPassword()) {
        
                Show Lines

                                                    // ... line 21
                            
                    }
        
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

Por cierto, la documentación oficial de los procesadores de estados de decoración es ligeramente diferente. A mí me parece más complejo, pero el resultado final es un procesador que sólo se llama para una entidad, no para todas.

Para hacer hash de la contraseña, añade un segundo argumento al constructor:private UserPasswordHasherInterface llamado $userPasswordHasher:

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/UserHashPasswordStateProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 8
                            
            use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
        
                Show Lines

                                                    // ... lines 10 - 11
                            
            class UserHashPasswordStateProcessor implements ProcessorInterface
        
            {
        
                public function __construct(private ProcessorInterface $innerProcessor, private UserPasswordHasherInterface $userPasswordHasher)
        
                {
        
                }
        
                Show Lines

                                                    // ... lines 17 - 25
                            
            }

A continuación, digamos que $data->setPassword() se establece en $this->userPasswordHasher->hashPassword()pasándole el User, que es $data y la contraseña simple: $data->getPlainPassword():

            Copy Code

                            Show All Lines

                        27 lines
            |
            src/State/UserHashPasswordStateProcessor.php
        
                Show Lines

                                                    // ... lines 1 - 11
                            
            class UserHashPasswordStateProcessor implements ProcessorInterface
        
            {
        
                Show Lines

                                                    // ... lines 14 - 17
                            
                public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
        
                {
        
                    if ($data instanceof User && $data->getPlainPassword()) {
        
                        $data->setPassword($this->userPasswordHasher->hashPassword($data, $data->getPlainPassword()));
        
                    }
        
                    $this->innerProcessor->process($data, $operation, $uriVariables, $context);
        
                }
        
            }

Y todo esto ocurre antes de que llamemos al procesador interno que guarda realmente el objeto.

¡Vamos a probar esto! Ejecuta la prueba:

symfony php bin/phpunit tests/Functional/UserResourceTest.php

¡Victoria! Después de crear un usuario en nuestra API, podemos iniciar sesión como ese usuario.

Usuario.borrarCredenciales()

Ah, y es algo sin importancia, pero una vez que tienes una propiedad plainPassword, dentro de User, hay un método llamado eraseCredentials(). Descomenta $this->plainPassword = null:

            Copy Code

                            Show All Lines

                        294 lines
            |
            src/Entity/User.php
        
                Show Lines

                                                    // ... lines 1 - 67
                            
            class User implements UserInterface, PasswordAuthenticatedUserInterface
        
            {
        
                Show Lines

                                                    // ... lines 70 - 186
                            
                public function eraseCredentials()
        
                {
        
                    // If you store any temporary, sensitive data on the user, clear it here
        
                    $this->plainPassword = null;
        
                }
        
                Show Lines

                                                    // ... lines 192 - 292
                            
            }

Esto asegura que si el objeto se serializa en la sesión, se borre primero el plainPassword sensible.

A continuación: arreglemos algunos problemas de validación mediante validationGroups y descubramos algo especial sobre la operación Patch.

18 Comments

Sort By

Hugues 2 years ago HIGHLIGHTED

Hi ! when I use the process method I need to return the result of the process method of the decorated class. else my POST call return an empty string.

#[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
class UserHashPasswordProcessor implements ProcessorInterface
{
    public function __construct(private ProcessorInterface $innerProcessor, private UserPasswordHasherInterface $passwordHasher)
    {
    }

    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
    {
        if ($data instanceof User && $data->getPlainPassword()) {
            $data->setPassword($this->passwordHasher->hashPassword(
                $data,
                $data->getPlainPassword()
            ));
            $data->eraseCredentials();
        }

        return $this->innerProcessor->process($data, $operation, $uriVariables, $context);
    }
}

2 | Reply |

weaverryan SFCASTS Hugues 2 years ago

Hey @Hugues!

Hmm, interesting! Let's think about this. If you don't return something from your processor, then API Platform will ultimately serialize the $data argument that you passed in. In your case, unless something else is going on, the inner processor, after saving, returns $data right back to you. So... there shouldn't be any difference: if you return nothing, then $data (your entity) is serialized. But by returning $this->innerProcessor->process()... that should result in returning the same object! If you dump $data and $this->innerProcessor->process(), they must be different. Are they? If so, what are the differences? I would be interested to know - it smells like a mystery :).

Cheers!

| Reply |

Hugues weaverryan 2 years ago

Hi @weaverryan,
Thank you for your answer !
You're totally right $data and $this->innerProcessor->process() return the same entity.
I use Symfony 6.4 with api-platform/core v3.2.7.
If I debug my UserHashPasswordProcessor method I have this call stack :

App\State\UserHashPasswordProcessor->process (~my-project/src/State/UserHashPasswordProcessor.php:34)
ApiPlatform\State\CallableProcessor->process (~my-project/vendor/api-platform/core/src/State/CallableProcessor.php:46)
ApiPlatform\State\Processor\WriteProcessor->process (~my-project/vendor/api-platform/core/src/State/Processor/WriteProcessor.php:45)
...

// vendor/api-platform/core/src/State/Processor/WriteProcessor.php
final class WriteProcessor implements ProcessorInterface
{
    // ...

    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = [])
    {
        // some code ...
        
        // $this->processor is an instance of SerializeProcessor
        // $this->callableProcessor is an instance of our UserHashPasswordProcessor
 +       return $this->processor->process($this->callableProcessor->process($data, $operation, $uriVariables, $context), $operation, $uriVariables, $context);
    }
}

if I've not returned anything from my processor $data will be null in the process method of SerializeProcessor.

// vendor/api-platform/core/src/State/Processor/SerializeProcessor.php
final class SerializeProcessor implements ProcessorInterface
{
    // ...

    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = [])
    {
        // ...
    
        $serialized = $this->serializer->serialize($data, $request->getRequestFormat(), $serializerContext);
        // aie I don't have anything...    
        // ...
        
        return $this->processor->process($serialized, $operation, $uriVariables, $context);
    }
}

perhaps the code has changed in the meantime?
have a good weekend and I hope the conferences in Brussels were fascinating...

1 | Reply |

weaverryan SFCASTS Hugues 2 years ago edited

Hey @Hugues!

Hmm, indeed! The WriteProcessor stuff is new in API Platform 3.2... and while its addition shouldn't have changed anything, by looking at your debugging, it seems like you're right. If you don't return anything, nothing gets serialized. Well, actually, this is likely because you're using the new "mode" of API Platform without event listeners - https://api-platform.com/docs/core/upgrade-guide/#event-listeners - I'm guessing the "old" mode still works. But really, returning something from your processor is more correct anyway. I'll add a note to the tutorial to help others.

I hope the conferences in Brussels were fascinating...

It was GREAT. Many friends, many great conversations and ideas. Excited about the future :)

Cheers!

1 | Reply |

keesystem_it weaverryan 1 year ago edited

Hi @weaverryan,
I suspect a regression in API Platform 3.3.
If I run the tests in the "finish" folder after upgrading Symfony to 6.4 and API Platform to 3.3, then the patch() calls return null again.
If I revert only API Platform to 3.2 and keep Symfony to 6.4, the tests pass flawlessly.
In 3.2, event_listeners_backward_compatibility_layer: false breaks the tests, while when set to true they pass.
In 3.3, either value breaks the tests, so I guess the issue comes from somewhere else.

1) App\Tests\Functional\DragonTreasureResourceTest::testPostToCreateTreasure<br />Expected "(null)" to be the same as "A shiny thing".

2) App\Tests\Functional\DragonTreasureResourceTest::testPatchToUpdateTreasure<br />Expected "(null)" to be the same as "12345".

... 3 more errors like these. Do you have any suggestion to debug the source of the issue ? Thanks!

EDIT : fixed
The issue was that I added the return of $this->innerProcessor->process() only to one of the two StateProcessors, adding the return to all of them, changing the method return type to mixed solves the bug. event_listeners_backward_compatibility_layer is not concerned.

| Reply |

SKlocke 2 years ago

Is there a way to process additional fields from the request?
For example, for the registration, I send, email, password and firstname.
email and password goes to the User entity and the firstname in the Profile entity (that's created in a StateProcessor, but there, I don't have access to the original POST request/data

1 | Reply |

weaverryan SFCASTS SKlocke 2 years ago

Hey @Sebastian-K!

Hmmm. How have you set things up so that the "registration" endpoint has a firstName field but without User having a firstName property? Usually I WOULD have this as a property on User, or I might make a DTO for this specific operation if you've got things split up.

But anyway, this is an interesting problem! The JSON is ready from the request and passed directly to the serializer here: https://github.com/api-platform/core/blob/main/src/Symfony/EventListener/DeserializeListener.php#L98-L101

The problem is that, if your "resource class" for this operation is User and it doesn't have a firstName property, then that field from the JSON is simply ignored. I think the only way to get the firstName field would be to grab the $request->getContent() and json_decode() it manually. But... I really hope we can find a better way :).

Cheers!

| Reply |

Tobias-B 2 years ago

Does it really make sense to set up decoration for the UserHashPasswordProcessor via #[AsDecorator()]? As I understand it the decorating service is then involved in every call of the PersistProcessor?

In the API Platform docs they use a "bind" in the services to bind the $persistProcessor as an argument to the "UserPasswordHasher".
This way I guess it is only decorating the service when it is used (e.g. defining the "processor" on operation level)...

1 | Reply |

weaverryan SFCASTS Tobias-B 2 years ago

Hey @Tobias-B!

Your thinking on this is absolutely correct. For me, it was a trade-off between complexity (the API Platform official way is more complex) vs potential performance problems. So, the final decision is subjective, but since PersistProcessor is only called during POST/PUT/PATCH operations and it will only be called once (I would be more concerned if PersistProessor were called many times during a single request) and the logic inside of UserHashPasswordProcessor is really simple in those cases (if not User, it exits immediately), I think the performance issue is non-material. So, I went for simplicity :). But I think the other approach is 110% valid - so you can choose your favorite.

Cheers!

1 | Reply |

David-S Tobias-B 2 years ago edited

I'm building this tutorial not in the project but in a custom bundle.
Since it took me some time to find the solution for my case, I'd like to post it here for others that might struggle with that.

I did NOT set the #[AsDecorator(PersistProcessor::class)] attribute in UserHashPasswordProcessor

In the User Entity I added processor: UserHashPasswordProcessor::class to Put, Post and Patch.
Example:

new Put(
            security: 'is_granted("ROLE_USER_EDIT")',
            processor: UserHashPasswordProcessor::class
)

In the bundles services.xml I added:

<service id="Acme\MyBundle\State\UserHashPasswordProcessor" autowire="true" autoconfigure="true">
            <bind key="$processor" id="api_platform.doctrine.orm.state.persist_processor" type="service"/>
</service>

Since this Processor is called from the User Entity now, I also modified the process method in UserHashPasswordProcessor a litte:

public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
    {
        if ($data->getPlainPassword()) {
            $hashedPassword = $this->userPasswordHasher->hashPassword($data, $data->getPlainPassword());
            $data->setPassword($hashedPassword);
            $data->eraseCredentials();
        }

        $this->processor->process($data, $operation, $uriVariables, $context);
    }

If this isn't smart, please correct me :-)

| Reply |

Frederic 2 years ago

Hi @weaverryan,

When using your method of declaring the state processor on the post operation, I get an error :
Processor \"App\\State\\UserHashPasswordStateProcessor\" not found on operation \"_api_/users{._format}_post\"

Don't know why it happens, I just figured out I'd let you know, and maybe you could help me understand

To solve the issue, I use the documentation's method, binding the persist processor to my own using the service.yaml config file, and it works fine.

https://api-platform.com/docs/core/user/

| Reply |

MolloKhan SFCASTS Frederic 2 years ago edited

Hey @Frederic

How did you set up the UserHashPasswordStateProcessor? What Ryan did was to decorate the main "persist" processor service, which would surprise me to throw an error. But anyway, the docs way seems better to me because you don't want to check the object's type every time

Cheers!

| Reply |

Frederic MolloKhan 2 years ago

I can't confirm I did exactly the same as Ryan, I followed the script (no video, because not paid membership (yet...)), maybe I missed something in the video that isn't shown in the script and I might also just have missed something obvious on my part.

I manage to make it work the Ryan's way. Don't know what went wrong the first time
But I noticed something else, I let the dump('ALIVE') statement at the beginning of my process() method, and I discovered it behaves differently between both ways of wiring :
using AsDecorator, "ALIVE" gets dump to the console during test,
using the service config file, it doesn't.
Everything else happens the same (post, patch, hash, persist)

| Reply |

MolloKhan SFCASTS Frederic 2 years ago

I see, if it is working now it's very likely that you missed something.
The difference between the config file and using PHP attributes is that attributes are not environment-specific, they will work on any your app is running, but config files are bound to an environment (dev, test, prod). If you configure the decorator service in a config/services_test.yaml file, does it work?

Cheers!

| Reply |

Sylvain-B 2 years ago

Hi Ryan,
Thnaks for your amazing work.
I follow exactly the tutorial.
When I use #[AsDecorator('api_platform.doctrine.orm.state.persist_processor')] it's working.
But if I try (as you wrote in the tip) with

use ApiPlatform\Doctrine\Common\State\PersistProcessor;
#[AsDecorator(PersistProcessor::class)]

I get an error when launching tests

"An exception occurred while executing a query: SQLSTATE[23502]: Not null violation: 7 ERROR:  null value in column \"password\" of relation \"user\" violates not-null constraint\nDETAIL:  Failing row contains (1, draggin_in_the_morning@coffee.com, [], draggin_in_the_morning, null).",

Any Idea ? Thanks

| Reply |

weaverryan SFCASTS Sylvain-B 2 years ago

Hey @Sylvain-B!

Hmm, yea, I think I know what's going on - and my tip was misleading! If you wanted to simply inject/autowire the api_platform.doctrine.orm.state.persist_processor into some other service, using PersistProcessor::class (which is a service alias) would work great. But with decoration, it doesn't - and that's my fault. Explanation:

The actual id of the core service is api_platform.doctrine.orm.state.persist_processor. Other services specifically reference this id to have this service injected into them.
When you decorate api_platform.doctrine.orm.state.persist_processor, you effectively "replace" this service with your own. So anyone that was previously asking for this service id to be passed to them, will now be passed your service.
But when you decorate PersistProcessor::class, you are decorating a service alias. So IF anyone asked for PersistProcessor::class to be passed to them, they would receive your service. But in reality, everyone asks for api_platform.doctrine.orm.state.persist_processor... which remains the original, core service.

Thanks for mentioning this - I wanted people to be aware of the new, shorter way of referencing the service - but in decoration, it's incorrect! I'm going to remove the note.

Cheers!

| Reply |

Fedale 2 years ago

Hi team, my question is: if I use Symfony with Api Platform and Easy Admin, where I have to write "unified" logic to hash the password for both applications?
I think that in that case a listener/subscriber is better, right?

| Reply |

weaverryan SFCASTS Fedale 2 years ago

Hey @Fedale!

That's a great question. I can think of 2 options, and they're both totally fine imo:

1) A doctrine listener/subscriber as you were mentioning. These are a bit magic and they're hard to debug if you make a mistake while setting them up (they might just "not work" but no errors). But they work great and are very robust (once you get them working, it's not going to suddenly break).
2) Duplicate the hashing logic: do it in ApiPlatform like we do, then do it in EasyAdmin by, for example, overriding persistEntity() in your controller. Duplication sounds lame... but password hashing logic is already SO simple (it's just 1 line basically) that you are not really duplicating much.

Cheers!

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Chapter

Next Chapter

Procesadores de Estado: Hashing de la contraseña de usuario

Share this awesome video!

Keep on Learning!

Hola Procesadores de Estado

Creación del procesador de estado personalizado

Configurar la decoración

Añadir la lógica Hashing

Usuario.borrarCredenciales()

18 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 6
	use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
Show Lines	// ... lines 8 - 30
	final class UserFactory extends ModelFactory
	{
Show Lines	// ... lines 33 - 47
	public function __construct(
	private UserPasswordHasherInterface $passwordHasher
	)
	{
Show Lines	// ... line 52
	}
Show Lines	// ... lines 54 - 81
	protected function initialize(): self
	{
	return $this
	->afterInstantiate(function(User $user): void {
	$user->setPassword($this->passwordHasher->hashPassword(
	$user,
	$user->getPassword()
	));
	})
	;
	}
Show Lines	// ... lines 93 - 97
	}

Show Lines	// ... lines 1 - 2
	namespace App\State;

	use ApiPlatform\Metadata\Operation;
	use ApiPlatform\State\ProcessorInterface;

	class UserHashPasswordStateProcessor implements ProcessorInterface
	{
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	// Handle the state
	}
	}

Show Lines	// ... lines 1 - 5
	use ApiPlatform\State\ProcessorInterface;
Show Lines	// ... lines 7 - 9
	class UserHashPasswordStateProcessor implements ProcessorInterface
	{
	public function __construct(private ProcessorInterface $innerProcessor)
	{
	}
Show Lines	// ... lines 15 - 21
	}

Show Lines	// ... lines 1 - 9
	class UserHashPasswordStateProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 12 - 15
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	dump('ALIVE!');

	$this->innerProcessor->process($data, $operation, $uriVariables, $context);
	}
	}

Show Lines	// ... lines 1 - 6
	use Symfony\Component\DependencyInjection\Attribute\AsDecorator;

	#[AsDecorator('api_platform.doctrine.orm.state.persist_processor')]
	class UserHashPasswordStateProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 12 - 21
	}

Show Lines	// ... lines 1 - 11
	class UserHashPasswordStateProcessor implements ProcessorInterface
	{
Show Lines	// ... lines 14 - 17
	public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): void
	{
	if ($data instanceof User && $data->getPlainPassword()) {
Show Lines	// ... line 21
	}

	$this->innerProcessor->process($data, $operation, $uriVariables, $context);
	}
	}

Show Lines	// ... lines 1 - 8
	use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
Show Lines	// ... lines 10 - 11
	class UserHashPasswordStateProcessor implements ProcessorInterface
	{
	public function __construct(private ProcessorInterface $innerProcessor, private UserPasswordHasherInterface $userPasswordHasher)
	{
	}
Show Lines	// ... lines 17 - 25
	}

Show Lines	// ... lines 1 - 67
	class User implements UserInterface, PasswordAuthenticatedUserInterface
	{
Show Lines	// ... lines 70 - 186
	public function eraseCredentials()
	{
	// If you store any temporary, sensitive data on the user, clear it here
	$this->plainPassword = null;
	}
Show Lines	// ... lines 192 - 292
	}