vendor/symfony/security-core/Encoder/BasePasswordEncoder.php line 16

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <[email protected]>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Core\Encoder;
  14. use Symfony\Component\PasswordHasher\Hasher\CheckPasswordLengthTrait;
  16. trigger_deprecation('symfony/security-core', '5.3', 'The "%s" class is deprecated, use "%s" instead.', BasePasswordEncoder::class, CheckPasswordLengthTrait::class);
  18. /**
  19. * BasePasswordEncoder is the base class for all password encoders.
  20. *
  21. * @author Fabien Potencier <[email protected]>
  22. *
  23. * @deprecated since Symfony 5.3, use CheckPasswordLengthTrait instead
  24. */
  25. abstract class BasePasswordEncoder implements PasswordEncoderInterface
  26. {
  27. public const MAX_PASSWORD_LENGTH = 4096;
  29. /**
  30. * {@inheritdoc}
  31. */
  32. public function needsRehash(string $encoded): bool
  33. {
  34. return false;
  35. }
  37. /**
  38. * Demerges a merge password and salt string.
  39. *
  40. * @return array An array where the first element is the password and the second the salt
  41. */
  42. protected function demergePasswordAndSalt(string $mergedPasswordSalt)
  43. {
  44. if (empty($mergedPasswordSalt)) {
  45. return ['', ''];
  46. }
  48. $password = $mergedPasswordSalt;
  49. $salt = '';
  50. $saltBegins = strrpos($mergedPasswordSalt, '{');
  52. if (false !== $saltBegins && $saltBegins + 1 < \strlen($mergedPasswordSalt)) {
  53. $salt = substr($mergedPasswordSalt, $saltBegins + 1, -1);
  54. $password = substr($mergedPasswordSalt, 0, $saltBegins);
  55. }
  57. return [$password, $salt];
  58. }
  60. /**
  61. * Merges a password and a salt.
  62. *
  63. * @return string
  64. *
  65. * @throws \InvalidArgumentException
  66. */
  67. protected function mergePasswordAndSalt(string $password, ?string $salt)
  68. {
  69. if (empty($salt)) {
  70. return $password;
  71. }
  73. if (false !== strrpos($salt, '{') || false !== strrpos($salt, '}')) {
  74. throw new \InvalidArgumentException('Cannot use { or } in salt.');
  75. }
  77. return $password.'{'.$salt.'}';
  78. }
  80. /**
  81. * Compares two passwords.
  82. *
  83. * This method implements a constant-time algorithm to compare passwords to
  84. * avoid (remote) timing attacks.
  85. *
  86. * @return bool
  87. */
  88. protected function comparePasswords(string $password1, string $password2)
  89. {
  90. return hash_equals($password1, $password2);
  91. }
  93. /**
  94. * Checks if the password is too long.
  95. *
  96. * @return bool
  97. */
  98. protected function isPasswordTooLong(string $password)
  99. {
  100. return \strlen($password) > static::MAX_PASSWORD_LENGTH;
  101. }
  102. }