MALIO-DEV/Lesstime
3
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases 32 Wiki Activity

fix(auth) : use dedicated plainPassword field for password hashing

Browse Source 
- Add non-persisted plainPassword field to User entity (write-only via API)
- Remove direct write access to password field
- Update UserPasswordHasherProcessor to hash from plainPassword
- Update frontend DTO and UserDrawer component

Ticket: T-009

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Matthieu
2026-03-17 15:23:29 +01:00
parent 2ac815d074
commit ed58a402b0
4 changed files with 28 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
src/Entity/User.php
View File

@@ -61,9 +61,11 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
private array $roles = [];
#[ORM\Column]
#[Groups(['user:write'])]
private ?string $password = null;
#[Groups(['user:write'])]
private ?string $plainPassword = null;
#[ORM\Column(type: Types::DATETIME_IMMUTABLE)]
private ?DateTimeImmutable $createdAt = null;
@@ -224,5 +226,20 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
return '/api/users/'.$this->id.'/avatar';
}
public function eraseCredentials(): void {}
public function getPlainPassword(): ?string
{
return $this->plainPassword;
}
public function setPlainPassword(?string $plainPassword): static
{
$this->plainPassword = $plainPassword;
return $this;
}
public function eraseCredentials(): void
{
$this->plainPassword = null;
}
}

5
src/State/UserPasswordHasherProcessor.php
View File

@@ -29,10 +29,11 @@ final readonly class UserPasswordHasherProcessor implements ProcessorInterface
*/
public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
{
$plainPassword = $data->getPassword();
$plainPassword = $data->getPlainPassword();
if (null !== $plainPassword && !str_starts_with($plainPassword, '$')) {
if (null !== $plainPassword && '' !== $plainPassword) {
$data->setPassword($this->passwordHasher->hashPassword($data, $plainPassword));
$data->setPlainPassword(null);
}
return $this->persistProcessor->process($data, $operation, $uriVariables, $context);