Contributed by Kévin Dunglas in #27738.
A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. The list of data breaches increases every day and, just in the first half of 2018, about 4.5 billion records were exposed, including user passwords.
Users that set their password to any of the publicly exposed passwords are a serious security problem for web sites and applications. That's why services like have i been pwned? allow you to check if your password is compromised.
In Symfony 4.3, we've added a new NotPwned constraint to validate that the given password hasn't been compromised:
```php
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Constraints as Assert;

class User
{
    // ...

    /**
     * @Assert\NotPwned
     */
    protected $rawPassword;
}
```
```yaml
# config/validator/validation.yaml
App\Entity\User:
    properties:
        rawPassword:
            - NotPwned
```
```xml
<!-- config/validator/validation.xml -->
<?xml version="1.0" encoding="UTF-8" ?>
<constraint-mapping xmlns="https://symfony.com/schema/dic/constraint-mapping"
    xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
    xsi:schemaLocation="https://symfony.com/schema/dic/constraint-mapping https://symfony.com/schema/dic/constraint-mapping/constraint-mapping-1.0.xsd">

    <class name="App\Entity\User">
        <property name="rawPassword">
            <constraint name="NotPwned"></constraint>
        </property>
    </class>
</constraint-mapping>
```
```php
// src/Entity/User.php
namespace App\Entity;

use Symfony\Component\Validator\Mapping\ClassMetadata;
use Symfony\Component\Validator\Constraints as Assert;

class User
{
    public static function loadValidatorMetadata(ClassMetadata $metadata)
    {
        $metadata->addPropertyConstraint('rawPassword', new Assert\NotPwned());
    }
}
```
Internally, the constraint makes an HTTP request to the API provided by the haveibeenpwned.com website. To do so, it uses the new HttpClient component added in Symfony 4.3, which we will introduce soon in a dedicated blog post.
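As an added example (not code from the original post, and not Symfony's own validator), here is the k-anonymity "range" lookup offered by the haveibeenpwned.com Pwned Passwords API that such a check can use: only the first five hex characters of the password's SHA-1 hash leave the machine, and the comparison against the returned suffixes happens locally. The `$fetch` callable, the `countPwned()` function and the sample response are assumptions constructed here so the snippet runs offline.

```php
<?php
declare(strict_types=1);

// Range endpoint of the Pwned Passwords API (https://haveibeenpwned.com/API/v3).
const RANGE_API = 'https://api.pwnedpasswords.com/range/%s';

/**
 * Returns how many times $password appears in the breach corpus (0 if unseen).
 * $fetch takes a URL and returns the response body; it is injected so that the
 * lookup can be exercised without network access.
 */
function countPwned(string $password, callable $fetch): int
{
    $hash   = strtoupper(sha1($password));
    $prefix = substr($hash, 0, 5);  // the only part that is transmitted
    $suffix = substr($hash, 5);     // 35 hex chars, compared locally

    $body = $fetch(sprintf(RANGE_API, $prefix));

    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        // Each response line is "<35 hex chars of suffix>:<occurrence count>"
        [$candidate, $count] = array_pad(explode(':', trim($line), 2), 2, '0');
        if (hash_equals($suffix, strtoupper($candidate))) {
            return (int) $count;
        }
    }

    return 0;
}

// Constructed reply for prefix 5BAA6 (SHA-1 of "password" starts with 5BAA6);
// the real API returns several hundred lines per prefix, and the counts here
// are invented.
$fakeFetch = function (string $url): string {
    return "003D68EB55068C33ACE09247EE4C639306B:3\r\n"
         . "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234\r\n"
         . "1E4C9B93F3F0682250B6CF8331B7EE68FE0:1\r\n";
};

var_dump(countPwned('password', $fakeFetch));                     // int(1234)
var_dump(countPwned('correct horse battery staple', $fakeFetch)); // int(0)

// With the HttpClient component mentioned above, a live lookup would inject:
// $fetch = fn (string $url): string =>
//     Symfony\Component\HttpClient\HttpClient::create()->request('GET', $url)->getContent();
```

The second call returns 0 only because the constructed reply does not contain that hash's suffix; against the live API a different prefix would be fetched.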