
[symfony/security-bundle] set default algorithm to plaintext #1379


Open
wants to merge 1 commit into base: main

Conversation

JohJohan

Q            | A
License      | MIT
Doc issue/PR | -

I think it's nice to have the default hashing set to plaintext and to show the option of having the lowest configuration; the docs also start with a mention of plaintext, see: https://symfony.com/doc/6.4/security/passwords.html#:~:text=algorithm%3A%20plaintext%20%23%20disable%20hashing%20(only%20do%20this%20in%20tests!)

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) February 11, 2025 11:24

Thanks for the PR 😍

How to test these changes in your application

  1. Define the SYMFONY_ENDPOINT environment variable:

    # On Unix-like (BSD, Linux and macOS)
    export SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1379/index.json
    # On Windows
    SET SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1379/index.json
  2. Install the package(s) related to this recipe:

    composer req symfony/flex
    composer req 'symfony/security-bundle:^6.4'
  3. Don't forget to unset the SYMFONY_ENDPOINT environment variable when done:

    # On Unix-like (BSD, Linux and macOS)
    unset SYMFONY_ENDPOINT
    # On Windows
    SET SYMFONY_ENDPOINT=

Diff between recipe versions

In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes.
I'm going to keep this comment up to date with any updates of the attached patch.

symfony/security-bundle

3.3 vs 4.4
diff --git a/symfony/security-bundle/3.3/config/packages/security.yaml b/symfony/security-bundle/4.4/config/packages/security.yaml
index f7ae4b7..811681e 100644
--- a/symfony/security-bundle/3.3/config/packages/security.yaml
+++ b/symfony/security-bundle/4.4/config/packages/security.yaml
@@ -7,7 +7,7 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: true
+            anonymous: lazy
             provider: users_in_memory
 
             # activate different ways to authenticate
4.4 vs 5.1
diff --git a/symfony/security-bundle/4.4/config/packages/security.yaml b/symfony/security-bundle/5.1/config/packages/security.yaml
index 811681e..0e4cf3d 100644
--- a/symfony/security-bundle/4.4/config/packages/security.yaml
+++ b/symfony/security-bundle/5.1/config/packages/security.yaml
@@ -7,7 +7,8 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: lazy
+            anonymous: true
+            lazy: true
             provider: users_in_memory
 
             # activate different ways to authenticate
5.1 vs 5.3
diff --git a/symfony/security-bundle/5.1/config/packages/security.yaml b/symfony/security-bundle/5.3/config/packages/security.yaml
index 0e4cf3d..789a9ac 100644
--- a/symfony/security-bundle/5.1/config/packages/security.yaml
+++ b/symfony/security-bundle/5.3/config/packages/security.yaml
@@ -1,5 +1,9 @@
 security:
-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    enable_authenticator_manager: true
+    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
+    password_hashers:
+        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
+    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
     providers:
         users_in_memory: { memory: null }
     firewalls:
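Review bot: the new `password_hashers` entry quotes the value (`'auto'`) while the `when@test` block added further down in the same file writes it unquoted (`algorithm: auto`); both parse to the same string, but the recipe should pick one style. The added `enable_authenticator_manager: true` also carries no comment, unlike every neighbouring key, which each get a doc link; a one-line comment saying it opts the 5.3 recipe into the authenticator-based security system would help people who copy this file as-is.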
@@ -7,12 +11,11 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: true
             lazy: true
             provider: users_in_memory
 
             # activate different ways to authenticate
-            # https://symfony.com/doc/current/security.html#firewalls-authentication
+            # https://symfony.com/doc/current/security.html#the-firewall
 
             # https://symfony.com/doc/current/security/impersonating_user.html
             # switch_user: true
@@ -22,3 +25,16 @@ security:
     access_control:
         # - { path: ^/admin, roles: ROLE_ADMIN }
         # - { path: ^/profile, roles: ROLE_USER }
+
+when@test:
+    security:
+        password_hashers:
+            # By default, password hashers are resource intensive and take time. This is
+            # important to generate secure password hashes. In tests however, secure hashes
+            # are not important, waste resources and increase test times. The following
+            # reduces the work factor to the lowest possible values.
+            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
+                algorithm: auto
+                cost: 4 # Lowest possible value for bcrypt
+                time_cost: 3 # Lowest possible value for argon
+                memory_cost: 10 # Lowest possible value for argon
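Review bot: the unit of `memory_cost` is missing from its comment (`memory_cost: 10 # Lowest possible value for argon`); `cost` is a bcrypt work factor while `memory_cost` is a memory size, so stating the unit next to the value avoids someone reading `10` as another work factor. The comment block explains why the values are low, but it should also say explicitly that these values belong only under `when@test` and must not be copied into the top-level `password_hashers` block, since that block sits a few lines above in the same file.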
diff --git a/symfony/security-bundle/5.1/manifest.json b/symfony/security-bundle/5.3/manifest.json
index 5d8527e..4a48e0c 100644
--- a/symfony/security-bundle/5.1/manifest.json
+++ b/symfony/security-bundle/5.3/manifest.json
@@ -5,5 +5,8 @@
     "copy-from-recipe": {
         "config/": "%CONFIG_DIR%/"
     },
-    "aliases": ["security"]
+    "aliases": ["security"],
+    "conflict": {
+        "symfony/framework-bundle": "<5.3"
+    }
 }
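Review bot: the new `conflict` on `symfony/framework-bundle: "<5.3"` is not explained anywhere; the only 5.3-specific syntax this recipe introduces is the `when@test` section in `config/packages/security.yaml`, so a sentence in the PR description tying the conflict to that section (manifest.json cannot carry a comment) would save the next reader from working it out by bisecting.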
5.3 vs 6.0
diff --git a/symfony/security-bundle/5.3/config/packages/security.yaml b/symfony/security-bundle/6.0/config/packages/security.yaml
index 789a9ac..367af25 100644
--- a/symfony/security-bundle/5.3/config/packages/security.yaml
+++ b/symfony/security-bundle/6.0/config/packages/security.yaml
@@ -1,5 +1,4 @@
 security:
-    enable_authenticator_manager: true
     # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
     password_hashers:
         Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
6.0 vs 6.4
diff --git a/symfony/security-bundle/6.0/config/packages/security.yaml b/symfony/security-bundle/6.4/config/packages/security.yaml
index 367af25..b048fec 100644
--- a/symfony/security-bundle/6.0/config/packages/security.yaml
+++ b/symfony/security-bundle/6.4/config/packages/security.yaml
@@ -30,10 +30,11 @@ when@test:
         password_hashers:
             # By default, password hashers are resource intensive and take time. This is
             # important to generate secure password hashes. In tests however, secure hashes
-            # are not important, waste resources and increase test times. The following
-            # reduces the work factor to the lowest possible values.
+            # are not important, waste resources and increase test times.
             Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
-                algorithm: auto
-                cost: 4 # Lowest possible value for bcrypt
-                time_cost: 3 # Lowest possible value for argon
-                memory_cost: 10 # Lowest possible value for argon
+                algorithm: plaintext # disable hashing all together
+                # You can also use the following configuration to use the lowest possible values for bcrypt and argon:
+                # algorithm: auto
+                # cost: 4 # Lowest possible value for bcrypt
+                # time_cost: 3 # Lowest possible value for argon
+                # memory_cost: 10 # Lowest possible value for argon
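Review bot: making `algorithm: plaintext` the active test-env value has a behavioural side effect the new comment does not mention: with hashing disabled, `hash()` returns the password unchanged, so any test fixture that stores a pre-computed bcrypt/argon hash, and any assertion that the stored value differs from the input, stops working under this configuration, whereas `auto` with `cost: 4` still produces real (if cheap) hashes. Together with the copy/paste concern raised in the conversation, the safer shape is the inverse of this hunk: keep `algorithm: auto` with the low `cost`/`time_cost`/`memory_cost` values active and leave `# algorithm: plaintext` as the commented alternative, which is also the middle ground the author proposes below. Minor: `all together` in `# disable hashing all together` should be `altogether`.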
diff --git a/symfony/security-bundle/6.4/config/routes/security.yaml b/symfony/security-bundle/6.4/config/routes/security.yaml
new file mode 100644
index 0000000..f853be1
--- /dev/null
+++ b/symfony/security-bundle/6.4/config/routes/security.yaml
@@ -0,0 +1,3 @@
+_security_logout:
+    resource: security.route_loader.logout
+    type: service
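Review bot: this new `config/routes/security.yaml` is unrelated to the `password_hashers` change the PR describes; it appears here because the bot diffs the whole 6.0 recipe against the whole 6.4 recipe. Please confirm it is the pre-existing 6.4 logout route loader file and not something this PR's single commit adds, so the change stays scoped to the `when@test` hasher block.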

Contributor

@94noni 94noni left a comment


But for 7.3 instead?

@nicolas-grekas
Member

I'd need a better rationale to be convinced. plaintext is bad practice to me, even in this case, because some ppl will copy/paste and 💥

@94noni
Contributor

94noni commented Apr 12, 2025

The doc states this as a « tip ».
Perhaps we should then completely remove plaintext from the recipe and only let people discover it through the doc?

@JohJohan
Author

Yeah, an interesting thing to think about. I agree with the copy/paste concern and that it can be damaging, although we have explicitly set it in the test env and have the default case set as well.

In our case we have been working with Symfony for 8 years and only recently discovered this feature, which made our pipelines faster.

We could find a middle ground and comment out plaintext and show the other options like we had before?
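Added example, not code from this PR or from symfony/recipes: a small PHP script that feeds the two `when@test` hasher configurations discussed in this thread (the pre-PR `auto` block with the lowest work factors, and the proposed `plaintext` block) to Symfony's `PasswordHasherFactory` and reports what each one would store and whether `verify()` still behaves. It assumes `symfony/password-hasher` and `symfony/security-core` are installed through Composer, that `vendor/autoload.php` is the autoloader path, and uses a constructed sample password.

```php
<?php
// Added example (not part of the symfony/recipes PR): compare the two
// `when@test` password_hashers configurations from the recipe diff by
// handing them to Symfony's PasswordHasherFactory.
// Assumptions: symfony/password-hasher and symfony/security-core are
// installed with Composer, and the autoloader lives at vendor/autoload.php.

use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;

require __DIR__.'/vendor/autoload.php';

$userClass = PasswordAuthenticatedUserInterface::class;

// The recipe's pre-PR `when@test` block: real hashing, lowest work factors.
$lowCostConfig = [
    $userClass => [
        'algorithm'   => 'auto',
        'cost'        => 4,  // lowest possible value for bcrypt
        'time_cost'   => 3,  // lowest possible value for argon
        'memory_cost' => 10, // lowest possible value for argon
    ],
];

// The PR's proposed `when@test` block: hashing disabled entirely.
$plaintextConfig = [
    $userClass => ['algorithm' => 'plaintext'],
];

$password = 'correct horse battery staple'; // constructed sample value

/**
 * Hash the sample password with the given factory config and report what
 * would end up in the user table and whether verify() still distinguishes
 * the right password from a wrong one.
 */
function describeHasher(string $label, array $config, string $userClass, string $password): array
{
    $hasher = (new PasswordHasherFactory($config))->getPasswordHasher($userClass);

    $start = microtime(true);
    $stored = $hasher->hash($password);
    $elapsedMs = (microtime(true) - $start) * 1000;

    return [
        'label'           => $label,
        'stored'          => $stored,
        'ms'              => round($elapsedMs, 2),
        'verify_correct'  => $hasher->verify($stored, $password),
        'verify_wrong'    => $hasher->verify($stored, 'not the password'),
        // With 'plaintext' the stored value is the password itself, so a DB
        // dump, a fixture file or a CI artifact exposes the credential as-is.
        'equals_password' => $stored === $password,
    ];
}

foreach (['auto, cost 4' => $lowCostConfig, 'plaintext' => $plaintextConfig] as $label => $config) {
    $r = describeHasher($label, $config, $userClass, $password);
    printf("%-13s stored=%s\n", $r['label'], $r['stored']);
    printf(
        "%-13s hash time=%.2f ms  verify(correct)=%s  verify(wrong)=%s  stored==password=%s\n\n",
        '',
        $r['ms'],
        var_export($r['verify_correct'], true),
        var_export($r['verify_wrong'], true),
        var_export($r['equals_password'], true)
    );
}
```

Run it with `php compare-test-hashers.php` (any file name works). Both configurations verify the correct password and reject the wrong one, and both are fast enough for a test suite; the difference is the `stored==password` column, which is `true` only for `plaintext`. That is the property the maintainers object to being the recipe's active default: it is invisible in a green test run, but becomes a credential leak the moment the block is copied outside `when@test`.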
