David Declercq February 2016

Dealing with FOSUserBundle PlainPassword field

I've created a User custom class in my Bundle. It inherits from the BaseUser class of FOSUserBundle.

In my class, I've defined several attributes which are entities of my Bundle, like Adress, Avis etc.

I have defined the formType of all my forms with data_class User. It allows me to retrieve interesting user information like username (!) and display it in my forms. BUT when I validate my forms it asks me to fill the plainPassword field of the User class as it is a mandatory attribute.

First I wanted to retrieve the password from database to fill it in the form before displaying it but it seems impossible as a security measure. So I've tried to stock it in the session (ugly I know) after registration but it seems not possible to force the form data with a value (surely because it is a password type field)...

So the question is: what would you do?

Answers


Twifty February 2016

I would not store the user's plain password anywhere, let alone display it in the browser.

Playing with plain text passwords like you are doing is a major security threat to your application, and to any and all users using it.

The default User class in FOSUserBundle has two fields for the password, password and plainPassword. That plain password is filled in by the form, then, in the controller, the password field is generated by whatever encryption method you have configured for the firewall. The new user is then added to the database and the plain password field is cleared and never used again.

If you are trying to set up a forgot password solution, I would recommend emailing the user with some kind of unique key (as a URL parameter), ask them to confirm then give them the opportunity to update their password.
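The two-field flow the answer describes (plainPassword filled by the form, password hash generated by the configured encoder, plain text cleared and never read back), as an added example that is not code from the answer or from FOSUserBundle. The DemoUser class, the encodeUserPassword and isPasswordValid functions and the sample password are all constructed for this illustration; the method names only mirror the FOSUserBundle convention. It assumes PHP 8 and uses PHP's built-in password_hash/password_verify in place of the bundle's encoder service. It also shows the case behind the original question: a later form submission that leaves the password blank must keep the stored hash rather than demand the plain text again.

```php
<?php
// Constructed stand-in for a FOSUserBundle-style user: one field holds the
// submitted plain text, the other the hash that is actually persisted.
final class DemoUser
{
    private ?string $plainPassword = null; // only ever set from a submitted form
    private ?string $password = null;      // the hash that goes to the database

    public function setPlainPassword(?string $plain): void { $this->plainPassword = $plain; }
    public function getPlainPassword(): ?string { return $this->plainPassword; }
    public function setPassword(string $hash): void { $this->password = $hash; }
    public function getPassword(): ?string { return $this->password; }

    // Called once the hash is stored so the plain text does not linger in
    // memory, session or serialized form data.
    public function eraseCredentials(): void { $this->plainPassword = null; }
}

// Hypothetical stand-in for the configured encoder: bcrypt via password_hash,
// which generates and embeds its own random salt.
function encodeUserPassword(DemoUser $user): void
{
    $plain = $user->getPlainPassword();
    if ($plain === null || $plain === '') {
        return; // nothing submitted (e.g. a profile or address edit): keep the existing hash
    }
    $user->setPassword(password_hash($plain, PASSWORD_BCRYPT));
    $user->eraseCredentials();
}

// Login-time check: compares the attempt against the stored hash only.
// The original plain text is never retrieved, which is why the database
// cannot be used to pre-fill a password field.
function isPasswordValid(DemoUser $user, string $attempt): bool
{
    $hash = $user->getPassword();
    return $hash !== null && password_verify($attempt, $hash);
}

// --- constructed walk-through -------------------------------------------
$user = new DemoUser();
$user->setPlainPassword('correct horse battery staple'); // as a registration form would
encodeUserPassword($user);

printf("plain text cleared after hashing: %s\n", var_export($user->getPlainPassword() === null, true));
printf("stored value is a bcrypt hash:    %s\n", var_export(str_starts_with($user->getPassword(), '$2y$'), true));
printf("correct password accepted:        %s\n", var_export(isPasswordValid($user, 'correct horse battery staple'), true));
printf("wrong password rejected:          %s\n", var_export(!isPasswordValid($user, 'wrong'), true));

// A later edit form that submits an empty password leaves the hash untouched.
$before = $user->getPassword();
$user->setPlainPassword('');
encodeUserPassword($user);
printf("hash unchanged on blank submit:   %s\n", var_export($user->getPassword() === $before, true));
```

The practical consequence for the question above: a form bound to the User entity for editing addresses or other data should not require plainPassword at all (in Symfony this is what validation groups are for); the only form that needs it is the one that actually sets or changes the password.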


lord_of_strings February 2016

But what is the purpose of retrieving it? You want to modify any of the user's data like username or email? Remember you can have a /profile 'module' in FOSUserBundle, which is used for modifying, for example, username and email. For changing the password you have a separate 'module', change password (I don't remember the path). Maybe that's what you are looking for? Of course that way a user can edit only his own data. These modules are ready to use by default (you have to provide routing for them).

If you want, for example, an admin to modify other users' data, this can be interesting for you: in the case of the password, take a look at the column in the db called 'salt', which is used for encoding the password in the db. If you try to save a password in the db without salting it won't work - so I think if you want to change the password in the db by some custom action, you have to set the plain password and then it will be automatically encoded.

If you want to fill some form fields by default, read something about forms in Symfony, field types and their additional features, and remember that password fields require an individual approach.

Post Status

Asked in February 2016
Viewed 1,954 times
Voted 13
Answered 2 times
