Symfony News

New in Symfony 4.3: Compromised password validator

Kévin Dunglas

Contributed by Kévin Dunglas in #27738.

A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment. The list of data breaches grows every day: in the first half of 2018 alone, about 4.5 billion records were exposed, including user passwords.

Users who set their password to one of these publicly exposed passwords are a serious security problem for web sites and applications. That's why services like Have I Been Pwned? let you check whether a password has been compromised.

In Symfony 4.3, we've added a new NotPwned constraint to validate that the given password hasn't been compromised:

  • Annotations
    // src/Entity/User.php
    namespace App\Entity;
    
    use Symfony\Component\Validator\Constraints as Assert;
    
    class User
    {
        // ...
    
        /**
         * @Assert\NotPwned
         */
        protected $rawPassword;
    }
    
  • YAML
    # config/validator/validation.yaml
    App\Entity\User:
        properties:
            rawPassword:
                - NotPwned
    
  • XML
    <?xml version="1.0" encoding="UTF-8" ?>
    <!-- config/validator/validation.xml (the XML declaration must be the first thing in the file) -->
    <constraint-mapping xmlns="https://symfony.com/schema/dic/constraint-mapping"
        xmlns:xsi="https://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="https://symfony.com/schema/dic/constraint-mapping https://symfony.com/schema/dic/constraint-mapping/constraint-mapping-1.0.xsd">
    
        <class name="App\Entity\User">
            <property name="rawPassword">
                <constraint name="NotPwned"></constraint>
            </property>
        </class>
    </constraint-mapping>
    
  • PHP
    // src/Entity/User.php
    namespace App\Entity;
    
    use Symfony\Component\Validator\Mapping\ClassMetadata;
    use Symfony\Component\Validator\Constraints as Assert;
    
    class User
    {
        public static function loadValidatorMetadata(ClassMetadata $metadata)
        {
            $metadata->addPropertyConstraint('rawPassword', new Assert\NotPwned());
        }
    }
    

Internally, the constraint makes an HTTP request to the API provided by the haveibeenpwned.com website. To do so, it uses the new HttpClient component added in Symfony 4.3, which we will introduce soon in a dedicated blog post.
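As an added example (not Symfony's own validator code), here is the lookup that such a check performs against the Pwned Passwords range API: only the first five hex characters of the password's SHA-1 hash are sent, and the matching suffix is searched for locally in the returned list. The `https://api.pwnedpasswords.com/range/{prefix}` endpoint, the `breachCount` and `parseRangeResponse` functions, the fetcher closures and the sample response body are all assumptions constructed for this example.

```php
<?php
// Added example, not Symfony's own validator code: the k-anonymity lookup
// performed against the Pwned Passwords range API. Only the first 5 hex
// characters of the SHA-1 hash leave the machine; the API answers with every
// hash suffix sharing that prefix plus the number of breaches it appears in.

/** Parse a range-API body ("SUFFIX:COUNT" per line) into [suffix => count]. */
function parseRangeResponse(string $body): array
{
    $counts = [];
    foreach (preg_split('/\r?\n/', trim($body)) as $line) {
        if (false === strpos($line, ':')) {
            continue; // blank or malformed line
        }
        list($suffix, $count) = explode(':', $line, 2);
        $counts[strtoupper(trim($suffix))] = (int) $count;
    }

    return $counts;
}

/**
 * Number of times $password appears in known breaches (0 = not found).
 * $fetchRange is given the 5-character prefix and must return the raw API body.
 * An empty or failed response also yields 0, i.e. this helper fails open;
 * decide deliberately whether that is acceptable for your application.
 */
function breachCount(string $password, callable $fetchRange): int
{
    $hash = strtoupper(sha1($password));
    $counts = parseRangeResponse($fetchRange(substr($hash, 0, 5)));

    return $counts[substr($hash, 5)] ?? 0;
}

// Live fetcher (hypothetical helper; assumes allow_url_fopen is enabled).
$liveFetch = function (string $prefix): string {
    return (string) file_get_contents('https://api.pwnedpasswords.com/range/'.$prefix);
};

// Constructed response so the script runs offline: it lists the suffix of
// sha1('password') with a made-up count, plus one unrelated made-up suffix.
$sampleFetch = function (string $prefix): string {
    return substr(strtoupper(sha1('password')), 5).":3730471\r\n"
        ."0018A45C4D1DEF81644B54AB7F969B88D65:2\r\n";
};

var_dump(breachCount('password', $sampleFetch));                     // compromised
var_dump(breachCount('correct horse battery staple', $sampleFetch)); // not listed
```

Swap `$sampleFetch` for `$liveFetch` to query the real API; the full hash never appears in the request either way.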
