Symfony 3 custom user provider using Bcrypt

2
votes

In reading https://symfony.com/doc/current/security/custom_provider.html#create-a-user-class/, all of the examples that I've seen implement the Symfony\Component\Security\Core\User\UserInterface for the User class. This interface defines a method for a salt field - but I'm wanting to use Bcrypt for the hashing algorithm.

In my app/config/security.yml file I have:

encoders:
    AppBundle\Security\User\WebserviceUser:
        algorithm: bcrypt
        cost: 12

The linked document says:

If getSalt() returns nothing, then the submitted password is simply encoded using the algorithm you specify in security.yml. If a salt is specified, then the following value is created and then hashed ...

Does this imply that if I specify for Bcrypt to be used, then I don't need a salt field in the users DB table (since the salt is in the same string as the rest of the password when hashed with Bcrypt)?

If that is the case then I'm guessing that I could just leave the getSalt() method with an empty body so that no salt would be specified and the algorithm in security.yml would be used.

Are my above assumptions correct? If they are not, how can I implement a user provider with bcrypt being used to hash passwords?

I'm using Symfony 3.1.6

1
phpsymfonybcryptsymfony-securitysymfony-3.1

1 Answers

4
votes

As stated in Creating your First User:

Do you need to use a Salt property?

If you use bcrypt, no. Otherwise, yes. All passwords must be hashed with a salt, but bcrypt does this internally. Since this tutorial does use bcrypt, the getSalt() method in User can just return null (it's not used). If you use a different algorithm, you'll need to uncomment the salt lines in the User entity and add a persisted salt property.

if you want to use Bcrypt just return null in the getSalt() method.