我可以避免使用 plainPassword 属性 并且只在 Symfony 4 中使用密码吗?
Can I avoid using plainPassword property and only use password in Symfony 4?
Symfony 文档提到应该有两个密码属性(password 和 plainPassword)。 plainPassword 仅用于获取用户键入的密码(例如,通过注册表单),并且不按原则保留(因此不存储在数据库中)。另一方面,密码 属性 是在加密 plainPassword 之后设置的。是否不能使用相同的 属性 (密码)从用户那里收集 plainPassword 以避免具有两个密码属性?
这是我的控制器代码:
class SecurityController extends Controller
{
/**
* @Route("/register", name="security_register")
*/
public function register(Request $request,
UserPasswordEncoderInterface $passwordEncode)
{
$user = new User();
$form = $this->createForm(UserType::class, $user);
$form->handleRequest($request);
if ($form->isSubmitted() && $form->isValid()) {
$email = $form->get('email')->getData();
$password = $passwordEncoder->encodePassword($user, $user->getPlainPassword());
$user->setPassword($password);
$em = $this->getDoctrine()->getManager();
$em->persist($user);
$em->flush();
return $this->redirectToRoute('admin');
}
return $this->render(
'security/register.html.twig',
array('form' => $form->createView())
);
}
这是我的用户实体:
class User implements UserInterface
{
/**
* @ORM\Id
* @ORM\Column(type="integer")
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;
/**
* @ORM\Column(type="string", unique=true)
* @Assert\NotBlank()
* @Assert\Email()
*/
private $email;
/**
* @ORM\Column(type="string", unique=true)
* @Assert\NotBlank()
*/
private $username;
/**
* @Assert\NotBlank()
* @Assert\Length(max=4096)
*/
private $plainPassword;
/**
* The below length depends on the "algorithm" you use for encoding
* the password, but this works well with bcrypt.
*
* @ORM\Column(type="string", length=64)
*/
private $password;
/**
* @return mixed
*/
public function getId()
{
return $this->id;
}
public function getEmail()
{
return $this->email;
}
public function setEmail($email)
{
$this->email = $email;
}
public function getUsername()
{
return $this->username;
}
public function setUsername($username)
{
$this->username = $username;
}
public function getPlainPassword()
{
return $this->plainPassword;
}
public function setPlainPassword($password)
{
$this->plainPassword = $password;
}
public function getPassword()
{
return $this->password;
}
public function setPassword($password)
{
$this->password = $password;
}
public function getSalt()
{
// The bcrypt and argon2i algorithms don't require a separate salt.
// You *may* need a real salt if you choose a different encoder.
return null;
}
// other methods, including security methods like getRoles()
public function getRoles()
{
return array('ROLE_ADMIN');
}
public function eraseCredentials()
{
}
/** @see \Serializable::serialize() */
public function serialize()
{
return serialize(array(
$this->id,
$this->username,
$this->password,
// see section on salt below
// $this->salt,
));
}
/** @see \Serializable::unserialize() */
public function unserialize($serialized)
{
list (
$this->id,
$this->username,
$this->password,
// see section on salt below
// $this->salt
) = unserialize($serialized, ['allowed_classes' => false]);
}
}
Symfony 建议使用 plainPassword 字段的唯一原因是,通过直接使用注册表中的密码字段,如果您没有正确实施加密过程,您最终可能会在数据库中得到一个未加密的密码在存储用户之前。这将是一个巨大的安全问题。
Symfony 文档提到应该有两个密码属性(password 和 plainPassword)。 plainPassword 仅用于获取用户键入的密码(例如,通过注册表单),并且不按原则保留(因此不存储在数据库中)。另一方面,密码 属性 是在加密 plainPassword 之后设置的。是否不能使用相同的 属性 (密码)从用户那里收集 plainPassword 以避免具有两个密码属性?
这是我的控制器代码:
class SecurityController extends Controller
{
/**
* @Route("/register", name="security_register")
*/
public function register(Request $request,
UserPasswordEncoderInterface $passwordEncode)
{
$user = new User();
$form = $this->createForm(UserType::class, $user);
$form->handleRequest($request);
if ($form->isSubmitted() && $form->isValid()) {
$email = $form->get('email')->getData();
$password = $passwordEncoder->encodePassword($user, $user->getPlainPassword());
$user->setPassword($password);
$em = $this->getDoctrine()->getManager();
$em->persist($user);
$em->flush();
return $this->redirectToRoute('admin');
}
return $this->render(
'security/register.html.twig',
array('form' => $form->createView())
);
}
这是我的用户实体:
class User implements UserInterface
{
/**
* @ORM\Id
* @ORM\Column(type="integer")
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;
/**
* @ORM\Column(type="string", unique=true)
* @Assert\NotBlank()
* @Assert\Email()
*/
private $email;
/**
* @ORM\Column(type="string", unique=true)
* @Assert\NotBlank()
*/
private $username;
/**
* @Assert\NotBlank()
* @Assert\Length(max=4096)
*/
private $plainPassword;
/**
* The below length depends on the "algorithm" you use for encoding
* the password, but this works well with bcrypt.
*
* @ORM\Column(type="string", length=64)
*/
private $password;
/**
* @return mixed
*/
public function getId()
{
return $this->id;
}
public function getEmail()
{
return $this->email;
}
public function setEmail($email)
{
$this->email = $email;
}
public function getUsername()
{
return $this->username;
}
public function setUsername($username)
{
$this->username = $username;
}
public function getPlainPassword()
{
return $this->plainPassword;
}
public function setPlainPassword($password)
{
$this->plainPassword = $password;
}
public function getPassword()
{
return $this->password;
}
public function setPassword($password)
{
$this->password = $password;
}
public function getSalt()
{
// The bcrypt and argon2i algorithms don't require a separate salt.
// You *may* need a real salt if you choose a different encoder.
return null;
}
// other methods, including security methods like getRoles()
public function getRoles()
{
return array('ROLE_ADMIN');
}
public function eraseCredentials()
{
}
/** @see \Serializable::serialize() */
public function serialize()
{
return serialize(array(
$this->id,
$this->username,
$this->password,
// see section on salt below
// $this->salt,
));
}
/** @see \Serializable::unserialize() */
public function unserialize($serialized)
{
list (
$this->id,
$this->username,
$this->password,
// see section on salt below
// $this->salt
) = unserialize($serialized, ['allowed_classes' => false]);
}
}
Symfony 建议使用 plainPassword 字段的唯一原因是,通过直接使用注册表中的密码字段,如果您没有正确实施加密过程,您最终可能会在数据库中得到一个未加密的密码在存储用户之前。这将是一个巨大的安全问题。