Chris Chris - 9 months ago 68
PHP Question

Symfony 3 custom user provider using Bcrypt

In reading, all of the examples that I've seen implement the

for the
class. This interface defines a method for a salt field - but I'm wanting to use Bcrypt for the hashing algorithm.

In my
file I have:

algorithm: bcrypt
cost: 12

The linked document says:

If getSalt() returns nothing, then the submitted password is simply encoded using the algorithm you specify in security.yml. If a salt is specified, then the following value is created and then hashed ...

Does this imply that if I specify for Bcrypt to be used, then I don't need a salt field in the users DB table (since the salt is in the same string as the rest of the password when hashed with Bcrypt)?

If that is the case then I'm guessing that I could just leave the
method with an empty body so that no salt would be specified and the algorithm in security.yml would be used.

Are my above assumptions correct? If they are not, how can I implement a user provider with bcrypt being used to hash passwords?

I'm using Symfony 3.1.6

Answer Source

As stated in Creating your First User:

Do you need to use a Salt property?

If you use bcrypt, no. Otherwise, yes. All passwords must be hashed with a salt, but bcrypt does this internally. Since this tutorial does use bcrypt, the getSalt() method in User can just return null (it's not used). If you use a different algorithm, you'll need to uncomment the salt lines in the User entity and add a persisted salt property.

if you want to use Bcrypt just return null in the getSalt() method.