Skip to content

[symfony/security-bundle] use lowest possible p/w hash "work factor" in test env #1026

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Dec 17, 2021
Merged

[symfony/security-bundle] use lowest possible p/w hash "work factor" in test env #1026

merged 2 commits into from
Dec 17, 2021

Conversation

kbond
Copy link
Member

@kbond kbond commented Nov 22, 2021
edited
Loading

Q A
License MIT
Doc issue/PR Fix #1024

Perhaps we could create a test-hasher in Symfony itself but this wouldn't be available until 6.1. Until then, I believe this is an easy win.

This is documented in the 4.4 docs but was lost (I think) after a documentation refactor.

My argument for not using plaintext is here but I'm not strongly opposed to it.

@github-actions
Copy link

github-actions bot commented Nov 22, 2021
edited
Loading

Thanks for the PR 😍

How to test these changes in your application

  1. Define the SYMFONY_ENDPOINT environment variable:

    # On *nix and Mac
export SYMFONY_ENDPOINT=https://api.github.com/repos/symfony/recipes/contents/index.json?ref=flex/pull-1026
# On Windows
SET SYMFONY_ENDPOINT=https://api.github.com/repos/symfony/recipes/contents/index.json?ref=flex/pull-1026

  2. Install the package(s) related to this recipe:

    composer req 'symfony/flex:^1.16'
composer req 'symfony/security-bundle:^5.3'

  3. Don't forget to unset the SYMFONY_ENDPOINT environment variable when done:

    # On *nix and Mac
unset SYMFONY_ENDPOINT
# On Windows
SET SYMFONY_ENDPOINT=

Diff between recipe versions

In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes.
I'm going keep this comment up to date with any updates of the attached patch.

symfony/security-bundle

3.3 vs 4.4 
diff --git a/symfony/security-bundle/3.3/config/packages/security.yaml b/symfony/security-bundle/4.4/config/packages/security.yaml
index f7ae4b7..811681e 100644
--- a/symfony/security-bundle/3.3/config/packages/security.yaml
+++ b/symfony/security-bundle/4.4/config/packages/security.yaml
@@ -7,7 +7,7 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: true
+            anonymous: lazy
             provider: users_in_memory
 
             # activate different ways to authenticate
4.4 vs 5.1 
diff --git a/symfony/security-bundle/4.4/config/packages/security.yaml b/symfony/security-bundle/5.1/config/packages/security.yaml
index 811681e..0e4cf3d 100644
--- a/symfony/security-bundle/4.4/config/packages/security.yaml
+++ b/symfony/security-bundle/5.1/config/packages/security.yaml
@@ -7,7 +7,8 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: lazy
+            anonymous: true
+            lazy: true
             provider: users_in_memory
 
             # activate different ways to authenticate
5.1 vs 5.3 
diff --git a/symfony/security-bundle/5.1/config/packages/security.yaml b/symfony/security-bundle/5.3/config/packages/security.yaml
index 0e4cf3d..789a9ac 100644
--- a/symfony/security-bundle/5.1/config/packages/security.yaml
+++ b/symfony/security-bundle/5.3/config/packages/security.yaml
@@ -1,5 +1,9 @@
 security:
-    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
+    enable_authenticator_manager: true
+    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
+    password_hashers:
+        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
+    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
     providers:
         users_in_memory: { memory: null }
     firewalls:
@@ -7,12 +11,11 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         main:
-            anonymous: true
             lazy: true
             provider: users_in_memory
 
             # activate different ways to authenticate
-            # https://symfony.com/doc/current/security.html#firewalls-authentication
+            # https://symfony.com/doc/current/security.html#the-firewall
 
             # https://symfony.com/doc/current/security/impersonating_user.html
             # switch_user: true
@@ -22,3 +25,16 @@ security:
     access_control:
         # - { path: ^/admin, roles: ROLE_ADMIN }
         # - { path: ^/profile, roles: ROLE_USER }
+
+when@test:
+    security:
+        password_hashers:
+            # By default, password hashers are resource intensive and take time. This is
+            # important to generate secure password hashes. In tests however, secure hashes
+            # are not important, waste resources and increase test times. The following
+            # reduces the work factor to the lowest possible values.
+            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
+                algorithm: auto
+                cost: 4 # Lowest possible value for bcrypt
+                time_cost: 3 # Lowest possible value for argon
+                memory_cost: 10 # Lowest possible value for argon

weaverryan
weaverryan reviewed Nov 22, 2021
View reviewed changes
symfony/security-bundle/5.3/config/packages/security.yaml
@@ -25,3 +25,16 @@ security:
access_control:
# - { path: ^/admin, roles: ROLE_ADMIN }
# - { path: ^/profile, roles: ROLE_USER }

when@test:
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we use when@test here? It's probably fine... but there's no guarantee the user has FWBundle 5.3 :/

Copy link
Member

@stof stof Nov 22, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

that's not related to FrameworkBundle. That's related to the version of the DI and HttpKernel components. And for those, we have that guarantee

chalasr
chalasr reviewed Nov 22, 2021
View reviewed changes
@kbond @chalasr
Update symfony/security-bundle/5.3/config/packages/security.yaml
6c66020 
Co-authored-by: Robin Chalas <chalasr@users.noreply.github.com>
@kbond
Copy link
Member Author

kbond commented Dec 10, 2021

I confirmed with @maks-rafalko that there is virtually no performance difference between this method and plaintext.

@alexislefebvre alexislefebvre mentioned this pull request Dec 14, 2021
Closed
@nicolas-grekas nicolas-grekas merged commit 65e9e91 into symfony:master Dec 17, 2021
@kbond kbond deleted the test-pw-hash branch December 17, 2021 15:18
This was referenced May 21, 2025
Open
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@weaverryan weaverryan weaverryan left review comments

@stof stof stof left review comments

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[security-bundle recipe] Use less resource-intensive password hasher for test environment
5 participants
@kbond @weaverryan @nicolas-grekas @stof @chalasr