Chapters
47 Chapters
|
4:41:51
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!
Subscribe to download the code!
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
¡Este tutorial también funciona muy bien para Symfony 6!
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": ">=8.2",
"ext-ctype": "*",
"ext-iconv": "*",
"babdev/pagerfanta-bundle": "^3.3", // v3.3.0
"composer/package-versions-deprecated": "^1.11", // 1.11.99.4
"doctrine/annotations": "^1.0", // 1.13.2
"doctrine/doctrine-bundle": "^2.1", // 2.6.3
"doctrine/doctrine-migrations-bundle": "^3.0", // 3.1.1
"doctrine/orm": "^2.7", // 2.10.1
"knplabs/knp-markdown-bundle": "^1.8", // 1.9.0
"knplabs/knp-time-bundle": "^1.11", // v1.16.1
"pagerfanta/doctrine-orm-adapter": "^3.3", // v3.3.0
"pagerfanta/twig": "^3.3", // v3.3.0
"phpdocumentor/reflection-docblock": "^5.2", // 5.2.2
"scheb/2fa-bundle": "^5.12", // v5.12.1
"scheb/2fa-qr-code": "^5.12", // v5.12.1
"scheb/2fa-totp": "^5.12", // v5.12.1
"sensio/framework-extra-bundle": "^6.0", // v6.2.0
"stof/doctrine-extensions-bundle": "^1.4", // v1.6.0
"symfony/asset": "5.3.*", // v5.3.4
"symfony/console": "5.3.*", // v5.3.7
"symfony/dotenv": "5.3.*", // v5.3.8
"symfony/flex": "^1.3.1", // v1.21.6
"symfony/form": "5.3.*", // v5.3.8
"symfony/framework-bundle": "5.3.*", // v5.3.8
"symfony/monolog-bundle": "^3.0", // v3.7.0
"symfony/property-access": "5.3.*", // v5.3.8
"symfony/property-info": "5.3.*", // v5.3.8
"symfony/rate-limiter": "5.3.*", // v5.3.4
"symfony/runtime": "5.3.*", // v5.3.4
"symfony/security-bundle": "5.3.*", // v5.3.8
"symfony/serializer": "5.3.*", // v5.3.8
"symfony/stopwatch": "5.3.*", // v5.3.4
"symfony/twig-bundle": "5.3.*", // v5.3.4
"symfony/ux-chartjs": "^1.3", // v1.3.0
"symfony/validator": "5.3.*", // v5.3.8
"symfony/webpack-encore-bundle": "^1.7", // v1.12.0
"symfony/yaml": "5.3.*", // v5.3.6
"symfonycasts/verify-email-bundle": "^1.5", // v1.5.0
"twig/extra-bundle": "^2.12|^3.0", // v3.3.3
"twig/string-extra": "^3.3", // v3.3.3
"twig/twig": "^2.12|^3.0" // v3.3.3
},
"require-dev": {
"doctrine/doctrine-fixtures-bundle": "^3.3", // 3.4.0
"symfony/debug-bundle": "5.3.*", // v5.3.4
"symfony/maker-bundle": "^1.15", // v1.34.0
"symfony/var-dumper": "5.3.*", // v5.3.8
"symfony/web-profiler-bundle": "5.3.*", // v5.3.8
"zenstruck/foundry": "^1.1" // v1.13.3
}
}
23 Comments
Why do I hash the password in the fixtures and on the registration form and on the change password form instead of just in the User entity:
Hey @odds
Great question! The short answer is: entities are plain data objects, not services. Doctrine instantiates them via reflection, so you can't inject
UserPasswordHasherInterfaceinto them. That$this->passwordHasherwould never exist.But your instinct to centralize the hashing is totally valid! The most common approach is a Doctrine entity listener. The idea is:
Every code path (fixtures, registration, change password) just calls
$user->setPlainPassword('the-plain-password')instead of hashing manually.A listener on
prePersistandpreUpdatechecks ifplainPasswordis set, hashes it, and stores the result in password.One gotcha: since
plainPasswordis not a mapped field, Doctrine won't detect a change on update. A common trick is to alsonullout$this->passwordinsidesetPlainPassword()to force Doctrine's change tracking to pick it up.Or, you can dispatch a custom event in every place you update the password, which is not as helpful as Doctrine events, but there would be less magic going on.
We keep things simple in this tutorial to avoid introducing too many concepts at once. Cheers!
I am refreshing my konwledge and when run fixture load it shows errror:
No password hasher has been configured for account "App\Entity\User".In scurity.yaml when I added
App\Entity\User: 'auto'in password_hashers section before
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'It works but with code in tutorial it works without App\Entity\User: 'auto'
Hey @kakhaber
What Symfony version are you using? Does your user entity implement the
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterfaceinterface?Cheers!
Hey there, The course is just magnificent.
Just one question in mind, why are we starting from login and going to register, were not it be easy to start from register and after login from the register credentials.
Thanks!
Hey Arman,
I'm not sure I completely understand you here. If you ask why we show the login feature first and after the registration feature instead of showing it in reverse order - well, that's not very important actually, but the login feature is easier because we use some data from the fixtures. Registration is a bit more complex, and it will require knowing how the login feature works eventually, so once again it's a good idea to meet with the login feature first. Last but not least, actually, the registration feature is not required for some websites, I mean, having a user registration on your website isn't a rule but is mostly an optional feature. There might be some websites where users just access the content without being able to authorize themselves because it's not necessary.
But your question is also valid, and showing it in the reverse order is kinda OK too. But as I said, it's not that important, and it was already recorded this way by the course author. I hope this answers your question :)
Cheers!
Yeah you got my question right, and now I understand you perfectly.
Thanks very much.
I am kind of frustrated because with this lesson I am not quite sure of what to do when processing an actual password that is submitted in a registration form.
Assuming that
$plaintextPasswordis the plain password string, can I use the password setter in theUserobject$useras follows:(this is from the doc). I assume, that, from the security yaml file,
hashPasswordknows it must use the email in$user; right?Hey @Francois
My apologies for the bad feeling, that's not the experience we want our users to have. After hashing the user password you can set it on the object, basically as you please, usually via a setter method.
About the hasher using the email as part of the password. It does not do that, the only field it gets from the user object is the
saltin case your app supports it, but it is not recommended when using modern hashing algorithmsI hope I managed to clarify things. Cheers!
Hi All,
I followed the tutorial but I can't connect via my email / tada
I'm on Symfony 5.3
LoginFormAuthenticator.php on line 83:<br />Symfony\Component\Security\Core\Exception\BadCredentialsException {#589 ▼<br /> #message: "The presented password is invalid."<br /> #code: 0<br /> #file: "/home/amine/Projets/Symfony/Symfony6/symfony-doctrine-formation/vendor/symfony/security-http/EventListener/CheckCredentialsListener.php"<br /> #line: 74<br /> -token: nullBest,
Amine
I foun the prob.
My methode getPAssword() in USer entity return null
Good night :)
Hey Amine,
I'm happy to hear you were able to find the problem yourself, well done! And thanks for sharing your solution with others ;)
Cheers!
Another question =) I thought the new hashing system always used sodium, and those hashed passwords always started with "$argon". If I use the
symfony console security:encode-passwordindeed passwords do, but when I use the password hasherI get a completely different string.
Both passwords work, just curious =)
Hey @MattWelander!
Hmm, that's interesting! The point of the "auto" is that you no longer need to really care what algorithm is being used, because it'll choose whatever the latest and greatest is. That being said, I would definitely expect that
security:encode-passwordand using theUserPasswordHasherInterfaceservice in PHP would use the same algorithm. The algorithm is chosen, iirc, entirely based on theUserclass (well, theUserclass is used to look up your hasher config - so basically, it's chosen based on your hasher config, which does not change between php and that console command). So I also would expect to see$argonstyle hashed passwords in both cases. When I just checked Symfonycasts, indeed, that IS what I see: both ways give me$argon2style hashed password.So... that's a mystery why doing that in PHP would result in a non-argon hasher being used - I can't explain that...
Cheers!
Hi!
Prior to sym4 (I believe) the config security - firewalls - main - form_login would make it so that any request to a page that required authentication automatically redirected to the login page.
I find that in sym5 instead the user gets an access denied exception. What would be the equivalent config to auto-redirect to the login page?
Nevermind - that question is answered a few lessons down the line =) https://symfonycasts.com/screencast/symfony-security/entry-point
This command does not work with PostgeSQL
symfony console doctrine:query:sql "SELECT * FROM user"returned just
`
user
postgres
`
Solved - need to add -->"
symfony console doctrine:query:sql 'SELECT * FROM "user"'<br />Hey Maxim,
Yeah, user might be a reserved keyword, usually we wrap table names with tick. Thank you for sharing your solution!
Cheers!
Hi, if this is correct way to set password without Factory ?
Hey Mepcuk!
Yes! But we can even do a bit less work:
A) You can skip setting the plain password and just do
$this->passwordHasher->hashPassword($user, 'tada')B) You only need one flush(). Remove the first one and just flush/save once after you set the real password. Also, you can then remove the
$user->setPassword('tada'). I'm guessing you had that just so that your database didn't throw an error during the first flush ;).Cheers!
"Houston: no signs of life"
Start the conversation!