Chapters
29 Chapters
|
3:14:24
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!Compatible PHP versions: ^7.1.3
Subscribe to download the code!Compatible PHP versions: ^7.1.3
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
27.
Migrate Password Hashing
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": "^7.3.0",
"ext-iconv": "*",
"antishov/doctrine-extensions-bundle": "^1.4", // v1.4.2
"aws/aws-sdk-php": "^3.87", // 3.110.11
"composer/package-versions-deprecated": "^1.11", // 1.11.99
"doctrine/annotations": "^1.0", // 1.10.1
"doctrine/doctrine-bundle": "^2.0", // 2.0.6
"doctrine/doctrine-migrations-bundle": "^1.3|^2.0", // 2.1.2
"doctrine/orm": "^2.5.11", // v2.7.2
"doctrine/persistence": "^1.3.7", // 1.3.8
"easycorp/easy-log-handler": "^1.0", // v1.0.9
"http-interop/http-factory-guzzle": "^1.0", // 1.0.0
"knplabs/knp-markdown-bundle": "^1.7", // 1.8.1
"knplabs/knp-paginator-bundle": "^5.0", // v5.0.0
"knplabs/knp-snappy-bundle": "^1.6", // v1.7.0
"knplabs/knp-time-bundle": "^1.8", // v1.11.0
"league/flysystem-aws-s3-v3": "^1.0", // 1.0.23
"league/flysystem-cached-adapter": "^1.0", // 1.0.9
"league/html-to-markdown": "^4.8", // 4.8.2
"liip/imagine-bundle": "^2.1", // 2.3.0
"nexylan/slack-bundle": "^2.1", // v2.2.1
"oneup/flysystem-bundle": "^3.0", // 3.3.0
"php-http/guzzle6-adapter": "^2.0", // v2.0.1
"phpdocumentor/reflection-docblock": "^3.0|^4.0", // 4.3.4
"sensio/framework-extra-bundle": "^5.1", // v5.5.3
"symfony/asset": "5.0.*", // v5.0.2
"symfony/console": "5.0.*", // v5.0.2
"symfony/dotenv": "5.0.*", // v5.0.2
"symfony/flex": "^1.0", // v1.21.6
"symfony/form": "5.0.*", // v5.0.2
"symfony/framework-bundle": "5.0.*", // v5.0.2
"symfony/mailer": "5.0.*", // v5.0.2
"symfony/messenger": "5.0.*", // v5.0.2
"symfony/monolog-bundle": "^3.5", // v3.5.0
"symfony/property-access": "4.4.*|5.0.*", // v5.0.2
"symfony/property-info": "4.4.*|5.0.*", // v5.0.2
"symfony/security-bundle": "5.0.*", // v5.0.2
"symfony/sendgrid-mailer": "5.0.*", // v5.0.2
"symfony/serializer": "4.4.*|5.0.*", // v5.0.2
"symfony/twig-bundle": "5.0.*", // v5.0.2
"symfony/validator": "5.0.*", // v5.0.2
"symfony/webpack-encore-bundle": "^1.4", // v1.7.2
"symfony/yaml": "5.0.*", // v5.0.2
"twig/cssinliner-extra": "^2.12", // v2.12.0
"twig/extensions": "^1.5", // v1.5.4
"twig/extra-bundle": "^2.12|^3.0", // v3.0.1
"twig/inky-extra": "^2.12", // v2.12.0
"twig/twig": "^2.12|^3.0" // v2.14.4
},
"require-dev": {
"doctrine/doctrine-fixtures-bundle": "^3.0", // 3.3.0
"fzaninotto/faker": "^1.7", // v1.8.0
"symfony/browser-kit": "5.0.*", // v5.0.2
"symfony/debug-bundle": "5.0.*", // v5.0.2
"symfony/maker-bundle": "^1.0", // v1.14.3
"symfony/phpunit-bridge": "5.0.*", // v5.0.2
"symfony/stopwatch": "4.4.*|5.0.*", // v5.0.2
"symfony/var-dumper": "5.0.*", // v5.0.2
"symfony/web-profiler-bundle": "4.4.*|5.0.*" // v5.0.2
}
}
8 Comments
Hi,
Taking a look at my git repository, since Sep 29, 2019 I have selected the option 'algorithm: auto' in my security.yaml (previously had bcrypt),
Should I write sodium instead of auto to migrate the password algorithm, or would the auto option still work?
I'm also curious about this. https://symfony.com/blog/ne... shows using "algorithm: auto". Which one should I use?
Hey Kevin B. and @Kevin Bond!
Great question - I should have mentioned that! Algorithm auto is perfect to use. I was focusing more on the case of "how do I upgrade my old algorithm (auto is not an old algorithm) to a new one" and the migrate_from is perfect for that.
To be clear, a few points:
A) auto should be used for new projects... as it manages everything for you. As a bonus, it comes migrate_from "built-in" - but only for a few, specific encoders/algorithms. You can specify another algorithm it should include in its built-in migrate_from via the
hash_algorithmoption... but basically I find that "auto" is confusing if you're trying to use it to migrate from an old encoder. But it's perfect for new projects.B) auto and the migrate_from option are incompatible with each other: you can only use one of them, not both together. If you're migrating passwords from an old algorithm/encoder, the migrate_from is much clearer to use.
Btw, credit to Nicolas Grekas who was answering my original questions about all of this for the tutorial :).
Cheers!
I hate symfony for this "auto and the migrate_from option are incompatible with each other:" I have spent so many hours for simple password hash migration. It should give error. I just does nothing and I have no idea why it is not working. I am just lukcy that I found this comment. I have wasted so many hours for such a simple thing which become not simple when it does not give errors :(
Thanks Ryan,
My app currently uses bcrypt for all users. I want to migrate them to the latest but also never have to worry about upgrading them to the latest again. This is why auto was so appealing to me.
I looked into this a bit further and did some testing. Turns out simply switching my algo from "bcrypt" to "auto" works out of the box. Existing users with bcrypt passwords can still login. Once I implemented the appropriate migration interfaces passwords are properly migrated to "argon2id" on login. I assume, in the future, if a better algo is available, they will be seamlessly migrated to it.
Yo Kevin B.!
You got it - bcrypt works with argon, which is what auto is using right now anyways.
That's my impression as well :). Though, I believe (this is from talking with Nicolas) that even if you chose Sodium, if you needed to change to something else in the future, that change should be seamless as well. They key thing is that modern encoders embed the algorithm details into the hash, which means that future hashers can handle them. That's precisely why sodium (which uses argon) is able to handle your bcrypt passwords without any issue.
A tl;dr on this might be:
A) Try switching to auto! Can you still log in using your older users! Coolio! Use that - the "migrate_from" is built-in.
B) If not, use
migrate_fromso that you can explicitly tell Symfony how to handle your old users.Cheers!
was not able to migrate with auto. But at least with setting migrate_from and exact new algo it works.
I have waited for this feature for years.
"Houston: no signs of life"
Start the conversation!