How to use the credentials expired property in Symfony AdvancedUserInterface?

6
votes

In a Symfony 2.4 project our client wants to force the users to change their password every N days. We saw that there are columns "credentials_expired" and "credentials_expire_at" in the database and a check that throws an AccountExpiredException in the UserChecker class that seem to be for that purpose, but I can't find any documentation on how to enable or configure this feature.

  • How can the credentials_expire_at column be filled with a date N days after now on every password change?
  • How can a user still change the password, if the password is expired?
  • How to warn the user about the passoword expiration some days in advance?
  • Is it possible to forbid the reuse of the last password?
1
symfonyfosuserbundle
This question is definitely too broad as it contains 4 sub-questions. Could you split those up into single questions please? - Nicolai Fröhlich
You can take a lot of inspiration from FOSUserBundle. They solved a couple of these issues. - Jasper N. Brouwer
repeated the question in the symfony issue tracker: github.com/symfony/symfony/issues/12177 - Thomas Koch

1 Answers

2
votes

Actually, it's the CredentialsExpiredException you want to catch. If you're using the Symfony Security component, then the simplest way to handle this is to check for the exception in the loginAction of your SecurityController:

use Symfony\Component\Security\Core\Exception\CredentialsExpiredException;
use Symfony\Component\Security\Core\SecurityContextInterface;

...

$error = $this->get('session')->get(SecurityContextInterface::AUTHENTICATION_ERROR);

// check if credentials have expired
if ($error instanceof CredentialsExpiredException) {
    // display the change password form
    return new Response($this->renderView('AcmeDemoBundle:Security:changePassword.html.twig'));
}

You'll obviously need to create a route for changing passwords, which you can set as the form action of your changePassword template. Password change requests can then be handled accordingly in your SecurityController.

The core of your business logic can/should exist within a UserManager (or whatever you wish to call it) service class, which you can instantiate and invoke as needed from your SecurityController.

Hope that helps.

NOTE: For posterity, the expired user object is stored within the CredentialsExpiredException exception, so you can easily retrieve it if you need to act upon it for handling expired passwords:

$error->getUser();