我可以避免使用 plainPassword 属性 并且只在 Symfony 4 中使用密码吗?

Can I avoid using plainPassword property and only use password in Symfony 4?

Symfony 文档提到应该有两个密码属性(password 和 plainPassword)。 plainPassword 仅用于获取用户键入的密码(例如,通过注册表单),并且不按原则保留(因此不存储在数据库中)。另一方面,密码 属性 是在加密 plainPassword 之后设置的。是否不能使用相同的 属性 (密码)从用户那里收集 plainPassword 以避免具有两个密码属性?

这是我的控制器代码:

class SecurityController extends Controller
{
/**
 * @Route("/register", name="security_register")
 */
public function register(Request $request, 
UserPasswordEncoderInterface $passwordEncode)
{
    $user = new User();

    $form = $this->createForm(UserType::class, $user);

    $form->handleRequest($request);
    if ($form->isSubmitted() && $form->isValid()) {

        $email = $form->get('email')->getData();

        $password = $passwordEncoder->encodePassword($user, $user->getPlainPassword());
        $user->setPassword($password);

        $em = $this->getDoctrine()->getManager();
        $em->persist($user);
        $em->flush();

        return $this->redirectToRoute('admin');
    }

    return $this->render(
        'security/register.html.twig',
        array('form' => $form->createView())
    );
}

这是我的用户实体:

class User implements UserInterface
{
/**
 * @ORM\Id
 * @ORM\Column(type="integer")
 * @ORM\GeneratedValue(strategy="AUTO")
 */
private $id;

/**
 * @ORM\Column(type="string", unique=true)
 * @Assert\NotBlank()
 * @Assert\Email()
 */
private $email;

/**
 * @ORM\Column(type="string", unique=true)
 * @Assert\NotBlank()
 */
private $username;

/**
 * @Assert\NotBlank()
 * @Assert\Length(max=4096)
 */
private $plainPassword;

/**
 * The below length depends on the "algorithm" you use for encoding
 * the password, but this works well with bcrypt.
 *
 * @ORM\Column(type="string", length=64)
 */
private $password;


/**
 * @return mixed
 */
public function getId()
{
    return $this->id;
}

public function getEmail()
{
    return $this->email;
}

public function setEmail($email)
{
    $this->email = $email;
}

public function getUsername()
{
    return $this->username;
}

public function setUsername($username)
{
    $this->username = $username;
}

public function getPlainPassword()
{
    return $this->plainPassword;
}

public function setPlainPassword($password)
{
    $this->plainPassword = $password;
}

public function getPassword()
{
    return $this->password;
}

public function setPassword($password)
{
    $this->password = $password;
}

public function getSalt()
{
    // The bcrypt and argon2i algorithms don't require a separate salt.
    // You *may* need a real salt if you choose a different encoder.
    return null;
}

// other methods, including security methods like getRoles()

public function getRoles()
{
    return array('ROLE_ADMIN');
}

public function eraseCredentials()
{
}

/** @see \Serializable::serialize() */
public function serialize()
{
    return serialize(array(
        $this->id,
        $this->username,
        $this->password,
        // see section on salt below
        // $this->salt,
    ));
}

/** @see \Serializable::unserialize() */
public function unserialize($serialized)
{
    list (
        $this->id,
        $this->username,
        $this->password,
        // see section on salt below
        // $this->salt
        ) = unserialize($serialized, ['allowed_classes' => false]);
}
}

Symfony 建议使用 plainPassword 字段的唯一原因是,通过直接使用注册表中的密码字段,如果您没有正确实施加密过程,您最终可能会在数据库中得到一个未加密的密码在存储用户之前。这将是一个巨大的安全问题。