Chapters

47 Chapters | 4:41:51 |

01

composer require security

5:07
02

make:user

5:57
03

Customizing the User Class

3:08
04

Building a Login Form

3:07
05

Firewalls & Authenticators

6:39
06

Authenticator & The Passport

6:24
07

Custom User Query & Credentials

6:04
08

Authentication Success & Refreshing the User

6:33
09

When Authentication Fails

7:19
10

Customize Error Messages & Adding Logout

7:33
11

Giving Users Passwords

5:26
12

Hashing Plain Passwords & PasswordCredentials

4:22
13

Security Listener System & Csrf Protection

6:40
14

Remember Me System

7:07
15

Always Remember Me & "signature_properties"

6:28
16

Denying Access, access_control & Roles

5:22
17

The Entry Point: Inviting Users to Log In

6:45
18

AbstractLoginFormAuthenticator & Redirecting to Previous URL

5:13
19

form_login: The Built-in Authenticator

5:42
20

More form_login Config

3:25
21

Denying Access in a Controller

4:57
22

Dynamic Roles

4:28
23

The Special IS_AUTHENTICATED_ Strings

9:18
24

Fetching the User Object

6:38
25

Custom User Methods & the User in a Service

7:21
26

Role Hierarchy

5:37
27

Impersonation: switch_user

5:27
28

User API & the Serializer

5:37
29

To use API Token Authentication or Not?

4:09
30

Registration Form

5:25
31

Manual Authentication

6:12
32

Making Questions owned by Users

5:13
33

Leveraging the Question Owner

6:09
34

Voters

6:27
35

Custom Voter

6:52
36

Verify Email after Registration

7:57
37

Verifying the Signed Confirm Email URL

7:18
38

Login Throttling & Events

6:11
39

Security Events & Listeners

4:00
40

Creating a Security Event Subscriber

8:47
41

Custom Redirect when "Email Not Verified"

7:16
42

2 Factor Authentication & Authentication Tokens

8:33
43

2fa with TOTP (Time-Based One Time Password)

5:20
44

Activating 2FA

5:34
45

Rendering the QR Code

6:14
46

QR Data & Scanning with an Authenticator App

4:35
47

Customize The 2-Factor Auth Form

5:53

> Symfony 5 > Symfony 5 Security: Authenticators

Buy Access to Course

12.

Hashing Plain Passwords & PasswordCredentials

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Challenge

With a Subscription, click any sentence in the script to jump to that part of the video!

The process of saving a user's password always looks like this: start with a plain-text password, hash that, then save the hashed version onto the User. This is something we're going to do in the fixtures... but we'll also do this on a registration form later... and you would also need it on a change password form.

Adding a plainPassword Field

To make this easier, I'm going to do something optional. In User, up on top, add a new private $plainPassword property:

            Copy Code

                            Show All Lines

                        156 lines
            |
            src/Entity/User.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class User implements UserInterface, PasswordAuthenticatedUserInterface
        
            {
        
                Show Lines

                                                    // ... lines 15 - 41
                            
                private $plainPassword;
        
                Show Lines

                                                    // ... lines 43 - 154
                            
            }

The key thing is that this property will not be persisted to the database: it's just a temporary property that we can use during, for example, registration, to store the plain password.

Below, I'll go to "Code"->"Generate" - or Command+N on a Mac - to generate the getter and setter for this. The getter will return a nullable string:

            Copy Code

                            Show All Lines

                        156 lines
            |
            src/Entity/User.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class User implements UserInterface, PasswordAuthenticatedUserInterface
        
            {
        
                Show Lines

                                                    // ... lines 15 - 143
                            
                public function getPlainPassword(): ?string
        
                {
        
                    return $this->plainPassword;
        
                }
        
                public function setPlainPassword(string $plainPassword): self
        
                {
        
                    $this->plainPassword = $plainPassword;
        
                    return $this;
        
                }
        
            }

Now, if you do have a plainPassword property, you'll want to find eraseCredentials() and set $this->plainPassword to null:

            Copy Code

                            Show All Lines

                        156 lines
            |
            src/Entity/User.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            class User implements UserInterface, PasswordAuthenticatedUserInterface
        
            {
        
                Show Lines

                                                    // ... lines 15 - 118
                            
                public function eraseCredentials()
        
                {
        
                    // If you store any temporary, sensitive data on the user, clear it here
        
                    $this->plainPassword = null;
        
                }
        
                Show Lines

                                                    // ... lines 124 - 154
                            
            }

This... is not really that important. After authentication is successful, Symfony calls eraseCredentials(). It's... just a way for you to "clear out any sensitive information" on your User object once authentication is done. Technically we will never set plainPassword during authentication... so it doesn't matter. But, again, it's a safe thing to do.

Hashing the Password in the Fixtures

Back inside UserFactory, instead of setting the password property, set plainPassword to "tada":

            Copy Code

                            Show All Lines

                        60 lines
            |
            src/Factory/UserFactory.php
        
                Show Lines

                                                    // ... lines 1 - 28
                            
            final class UserFactory extends ModelFactory
        
            {
        
                Show Lines

                                                    // ... lines 31 - 37
                            
                protected function getDefaults(): array
        
                {
        
                    return [
        
                Show Lines

                                                    // ... lines 41 - 42
                            
                        'plainPassword' => 'tada',
        
                    ];
        
                }
        
                Show Lines

                                                    // ... lines 46 - 58
                            
            }

If we just stopped now, it would set this property... but then the password property would stay null... and it would explode in the database because that column is required.

So after Foundry has finished instantiating the object, we need to run some extra code that reads the plainPassword and hashes it. We can do that down here in the initialize() method... via an "after instantiation" hook:

            Copy Code

                            Show All Lines

                        60 lines
            |
            src/Factory/UserFactory.php
        
                Show Lines

                                                    // ... lines 1 - 28
                            
            final class UserFactory extends ModelFactory
        
            {
        
                Show Lines

                                                    // ... lines 31 - 46
                            
                protected function initialize(): self
        
                {
        
                    // see https://symfony.com/bundles/ZenstruckFoundryBundle/current/index.html#initialization
        
                    return $this
        
                        // ->afterInstantiate(function(User $user) {})
        
                    ;
        
                }
        
                Show Lines

                                                    // ... lines 54 - 58
                            
            }

This is pretty cool: call $this->afterInstantiate(), pass it a callback and, inside say if $user->getPlainPassword() - just in case we override that to null - then $user->setPassword(). Generate the hash with $this->passwordHasher->hashPassword() passing the user that we're trying to hash - so $user - and then whatever the plain password is: $user->getPlainPassword():

            Copy Code

                            Show All Lines

                        69 lines
            |
            src/Factory/UserFactory.php
        
                Show Lines

                                                    // ... lines 1 - 29
                            
            final class UserFactory extends ModelFactory
        
            {
        
                Show Lines

                                                    // ... lines 32 - 49
                            
                protected function initialize(): self
        
                {
        
                    // see https://symfony.com/bundles/ZenstruckFoundryBundle/current/index.html#initialization
        
                    return $this
        
                        ->afterInstantiate(function(User $user) {
        
                            if ($user->getPlainPassword()) {
        
                                $user->setPassword(
        
                                    $this->passwordHasher->hashPassword($user, $user->getPlainPassword())
        
                                );
        
                            }
        
                        })
        
                    ;
        
                }
        
                Show Lines

                                                    // ... lines 63 - 67
                            
            }

Done! Let's try this. Find your terminal and run:

symfony console doctrine:fixtures:load

This will take a bit longer than before because hashing passwords is actually CPU intensive. But... it works! Check the user table:

symfony console doctrine:query:sql 'SELECT * FROM user'

And... got it! Every user has a hashed version of the password!

Validating the Password: PasswordCredentials

Finally we're ready to check the user's password inside our authenticator. To do this, we need to hash the submitted plain password then safely compare that with the hash in the database.

Well we don't need to do this... because Symfony is going to do it automatically. Check it out: replace CustomCredentials with a new PasswordCredentials and pass it the plain-text submitted password:

            Copy Code

                            Show All Lines

                        85 lines
            |
            src/Security/LoginFormAuthenticator.php
        
                Show Lines

                                                    // ... lines 1 - 17
                            
            use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
        
                Show Lines

                                                    // ... lines 19 - 21
                            
            class LoginFormAuthenticator extends AbstractAuthenticator
        
            {
        
                Show Lines

                                                    // ... lines 24 - 37
                            
                public function authenticate(Request $request): PassportInterface
        
                {
        
                Show Lines

                                                    // ... lines 40 - 42
                            
                    return new Passport(
        
                Show Lines

                                                    // ... lines 44 - 53
                            
                        new PasswordCredentials($password)
        
                    );
        
                }
        
                Show Lines

                                                    // ... lines 57 - 83
                            
            }

That's it! Try it. Log in using our real user - abraca_admin@example.com - I'll copy that, then some wrong password. Nice! Invalid password! Now enter the real password tada. It works!

That's awesome! When you put a PasswordCredentials inside your Passport, Symfony automatically uses that to compare the submitted password to the hashed password of the user in the database. I love that.

This is all possible thanks to a powerful event listener system inside of security. Let's learn more about that next and see how we can leverage it to add CSRF protection to our login form... with about two lines of code.

19 Comments

Sort By

Arman 1 month ago

Hey there, The course is just magnificent.
Just one question in mind, why are we starting from login and going to register, were not it be easy to start from register and after login from the register credentials.
Thanks!

| Reply |

Victor SFCASTS Arman 1 month ago edited

Hey Arman,

I'm not sure I completely understand you here. If you ask why we show the login feature first and after the registration feature instead of showing it in reverse order - well, that's not very important actually, but the login feature is easier because we use some data from the fixtures. Registration is a bit more complex, and it will require knowing how the login feature works eventually, so once again it's a good idea to meet with the login feature first. Last but not least, actually, the registration feature is not required for some websites, I mean, having a user registration on your website isn't a rule but is mostly an optional feature. There might be some websites where users just access the content without being able to authorize themselves because it's not necessary.

But your question is also valid, and showing it in the reverse order is kinda OK too. But as I said, it's not that important, and it was already recorded this way by the course author. I hope this answers your question :)

Cheers!

| Reply |

Arman Victor 1 month ago

Yeah you got my question right, and now I understand you perfectly.
Thanks very much.

| Reply |

Francois 10 months ago

I am kind of frustrated because with this lesson I am not quite sure of what to do when processing an actual password that is submitted in a registration form.

Assuming that $plaintextPassword is the plain password string, can I use the password setter in the User object $user as follows:

$hashedPassword = $passwordHasher->hashPassword($user,$plaintextPassword);
$user->setPassword($hashedPassword);

(this is from the doc). I assume, that, from the security yaml file, hashPassword knows it must use the email in $user; right?

| Reply |

MolloKhan SFCASTS Francois 10 months ago edited

Hey @Francois

My apologies for the bad feeling, that's not the experience we want our users to have. After hashing the user password you can set it on the object, basically as you please, usually via a setter method.
About the hasher using the email as part of the password. It does not do that, the only field it gets from the user object is the salt in case your app supports it, but it is not recommended when using modern hashing algorithms

I hope I managed to clarify things. Cheers!

| Reply |

Amine 2 years ago edited

Hi All,

I followed the tutorial but I can't connect via my email / tada

I'm on Symfony 5.3

LoginFormAuthenticator.php on line 83: Symfony\Component\Security\Core\Exception\BadCredentialsException {#589 ▼ #message: "The presented password is invalid." #code: 0 #file: "/home/amine/Projets/Symfony/Symfony6/symfony-doctrine-formation/vendor/symfony/security-http/EventListener/CheckCredentialsListener.php" #line: 74 -token: null

Best,
Amine

| Reply |

Amine Amine 2 years ago

I foun the prob.

My methode getPAssword() in USer entity return null

Good night :)

1 | Reply |

Victor SFCASTS Amine 2 years ago

Hey Amine,

I'm happy to hear you were able to find the problem yourself, well done! And thanks for sharing your solution with others ;)

Cheers!

| Reply |

MattWelander 2 years ago

Another question =) I thought the new hashing system always used sodium, and those hashed passwords always started with "$argon". If I use the symfony console security:encode-password indeed passwords do, but when I use the password hasher

$user->setPassword($this->passwordHasher->hashPassword($user, $user->getPlainPassword()));

I get a completely different string.

Both passwords work, just curious =)

| Reply |

weaverryan SFCASTS MattWelander 2 years ago

Hey @MattWelander!

Hmm, that's interesting! The point of the "auto" is that you no longer need to really care what algorithm is being used, because it'll choose whatever the latest and greatest is. That being said, I would definitely expect that security:encode-password and using the UserPasswordHasherInterface service in PHP would use the same algorithm. The algorithm is chosen, iirc, entirely based on the User class (well, the User class is used to look up your hasher config - so basically, it's chosen based on your hasher config, which does not change between php and that console command). So I also would expect to see $argon style hashed passwords in both cases. When I just checked Symfonycasts, indeed, that IS what I see: both ways give me $argon2 style hashed password.

So... that's a mystery why doing that in PHP would result in a non-argon hasher being used - I can't explain that...

Cheers!

| Reply |

MattWelander 2 years ago

Hi!
Prior to sym4 (I believe) the config security - firewalls - main - form_login would make it so that any request to a page that required authentication automatically redirected to the login page.

I find that in sym5 instead the user gets an access denied exception. What would be the equivalent config to auto-redirect to the login page?

| Reply |

MattWelander MattWelander 2 years ago

Nevermind - that question is answered a few lessons down the line =) https://symfonycasts.com/screencast/symfony-security/entry-point

2 | Reply |

Mepcuk 2 years ago edited

This command does not work with PostgeSQL
symfony console doctrine:query:sql "SELECT * FROM user"

returned just
`

user

postgres

| Reply |

Mepcuk Mepcuk 2 years ago edited

Solved - need to add -->"
symfony console doctrine:query:sql 'SELECT * FROM "user"' 

| Reply |

Victor SFCASTS Mepcuk 2 years ago

Hey Maxim,

Yeah, user might be a reserved keyword, usually we wrap table names with tick. Thank you for sharing your solution!

Cheers!

| Reply |

Mepcuk 2 years ago edited

Hi, if this is correct way to set password without Factory ?


class UserFixtures extends Fixture
{
    private UserPasswordHasherInterface $passwordHasher;

    public function __construct(UserPasswordHasherInterface $passwordHasher)
    {
        $this->passwordHasher = $passwordHasher;
    }

    public function load(ObjectManager $manager): void
    {
         $user = new User();
         $user->setEmail('panda@example.com');
         $user->setRoles(['ROLE_ADMIN', 'ROLE_SUPERADMIN', 'ROLE_USER']);
         $user->setPlainPassword('tada');
         $user->setPassword('tada');

         $manager->persist($user);
         $manager->flush();

         $user->setPassword($this->passwordHasher->hashPassword($user, $user->getPlainPassword()));

         $manager->persist($user);
         $manager->flush();
    }
}

| Reply |

weaverryan SFCASTS Mepcuk 2 years ago edited

Hey Mepcuk!

Yes! But we can even do a bit less work:

A) You can skip setting the plain password and just do $this->passwordHasher->hashPassword($user, 'tada')

B) You only need one flush(). Remove the first one and just flush/save once after you set the real password. Also, you can then remove the $user->setPassword('tada'). I'm guessing you had that just so that your database didn't throw an error during the first flush ;).

Cheers!

| Reply |

This tutorial also works great for Symfony 6!

symfony 5.3

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "babdev/pagerfanta-bundle": "^3.3", // v3.3.0
        "composer/package-versions-deprecated": "^1.11", // 1.11.99.4
        "doctrine/annotations": "^1.0", // 1.13.2
        "doctrine/doctrine-bundle": "^2.1", // 2.6.3
        "doctrine/doctrine-migrations-bundle": "^3.0", // 3.1.1
        "doctrine/orm": "^2.7", // 2.10.1
        "knplabs/knp-markdown-bundle": "^1.8", // 1.9.0
        "knplabs/knp-time-bundle": "^1.11", // v1.16.1
        "pagerfanta/doctrine-orm-adapter": "^3.3", // v3.3.0
        "pagerfanta/twig": "^3.3", // v3.3.0
        "phpdocumentor/reflection-docblock": "^5.2", // 5.2.2
        "scheb/2fa-bundle": "^5.12", // v5.12.1
        "scheb/2fa-qr-code": "^5.12", // v5.12.1
        "scheb/2fa-totp": "^5.12", // v5.12.1
        "sensio/framework-extra-bundle": "^6.0", // v6.2.0
        "stof/doctrine-extensions-bundle": "^1.4", // v1.6.0
        "symfony/asset": "5.3.*", // v5.3.4
        "symfony/console": "5.3.*", // v5.3.7
        "symfony/dotenv": "5.3.*", // v5.3.8
        "symfony/flex": "^1.3.1", // v1.21.6
        "symfony/form": "5.3.*", // v5.3.8
        "symfony/framework-bundle": "5.3.*", // v5.3.8
        "symfony/monolog-bundle": "^3.0", // v3.7.0
        "symfony/property-access": "5.3.*", // v5.3.8
        "symfony/property-info": "5.3.*", // v5.3.8
        "symfony/rate-limiter": "5.3.*", // v5.3.4
        "symfony/runtime": "5.3.*", // v5.3.4
        "symfony/security-bundle": "5.3.*", // v5.3.8
        "symfony/serializer": "5.3.*", // v5.3.8
        "symfony/stopwatch": "5.3.*", // v5.3.4
        "symfony/twig-bundle": "5.3.*", // v5.3.4
        "symfony/ux-chartjs": "^1.3", // v1.3.0
        "symfony/validator": "5.3.*", // v5.3.8
        "symfony/webpack-encore-bundle": "^1.7", // v1.12.0
        "symfony/yaml": "5.3.*", // v5.3.6
        "symfonycasts/verify-email-bundle": "^1.5", // v1.5.0
        "twig/extra-bundle": "^2.12|^3.0", // v3.3.3
        "twig/string-extra": "^3.3", // v3.3.3
        "twig/twig": "^2.12|^3.0" // v3.3.3
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.3", // 3.4.0
        "symfony/debug-bundle": "5.3.*", // v5.3.4
        "symfony/maker-bundle": "^1.15", // v1.34.0
        "symfony/var-dumper": "5.3.*", // v5.3.8
        "symfony/web-profiler-bundle": "5.3.*", // v5.3.8
        "zenstruck/foundry": "^1.1" // v1.13.3
    }
}

Previous Chapter

Next Challenge

Hashing Plain Passwords & PasswordCredentials

Share this awesome video!

Keep on Learning!

Adding a plainPassword Field

Hashing the Password in the Fixtures

Validating the Password: PasswordCredentials

19 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 12
	class User implements UserInterface, PasswordAuthenticatedUserInterface
	{
Show Lines	// ... lines 15 - 41
	private $plainPassword;
Show Lines	// ... lines 43 - 154
	}

Show Lines	// ... lines 1 - 28
	final class UserFactory extends ModelFactory
	{
Show Lines	// ... lines 31 - 37
	protected function getDefaults(): array
	{
	return [
Show Lines	// ... lines 41 - 42
	'plainPassword' => 'tada',
	];
	}
Show Lines	// ... lines 46 - 58
	}

Show Lines	// ... lines 1 - 29
	final class UserFactory extends ModelFactory
	{
Show Lines	// ... lines 32 - 49
	protected function initialize(): self
	{
	// see https://symfony.com/bundles/ZenstruckFoundryBundle/current/index.html#initialization
	return $this
	->afterInstantiate(function(User $user) {
	if ($user->getPlainPassword()) {
	$user->setPassword(
	$this->passwordHasher->hashPassword($user, $user->getPlainPassword())
	);
	}
	})
	;
	}
Show Lines	// ... lines 63 - 67
	}

Show Lines	// ... lines 1 - 17
	use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
Show Lines	// ... lines 19 - 21
	class LoginFormAuthenticator extends AbstractAuthenticator
	{
Show Lines	// ... lines 24 - 37
	public function authenticate(Request $request): PassportInterface
	{
Show Lines	// ... lines 40 - 42
	return new Passport(
Show Lines	// ... lines 44 - 53
	new PasswordCredentials($password)
	);
	}
Show Lines	// ... lines 57 - 83
	}