Symfony 3: password verification

Time: 2018-10-25 15:41:12

Tags: symfony bcrypt

I am using this code to verify a user's password:

$encoderService = $this->container->get('security.password_encoder');
$match = $encoderService->isPasswordValid($user, $request->query->get('password'));

But it always returns "false", even when the password is correct.

1 answer:

Answer 0 (score: 0)

You are using the password encoder the wrong way... check the Symfony doc on security.
Here is an example of how to use it.

app/config/security.yml

security:
    encoders:
        AppBundle\Entity\Security:
            algorithm: bcrypt

src/AppBundle/Controller/SecurityController.php

namespace AppBundle\Controller;

use AppBundle\Entity\Security;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

class SecurityController extends Controller {
    private $tokenManager;
    private $encoder;
    private $em;

    // The optional CSRF token manager goes last so it can default to null.
    public function __construct(UserPasswordEncoderInterface $encoder, EntityManagerInterface $em, CsrfTokenManagerInterface $tokenManager = null) {
        $this->encoder = $encoder;
        $this->em = $em;
        $this->tokenManager = $tokenManager;
    }

    // [...]

    public function editAction(Security $user) {
        // Re-hash only when both passwords were submitted and the current one
        // matches the hash stored on the entity.
        if ($user->getOldPassword() !== null && $user->getPlainPassword() !== null && $this->encoder->isPasswordValid($user, $user->getOldPassword())) {
            $user->setPassword($this->encoder->encodePassword($user, $user->getPlainPassword()));
            $this->em->flush();
        }
    }
}

Form view

<form action="{{ form.vars.action }}" method="{{ form.vars.method }}" onsubmit="event.preventDefault(); ajaxSubmit($(this));">
    <div class="form-section-title">Change password</div>
    <div class="form-col-2">
        <div class="input-field">
            {{ form_label(form.oldPassword, 'Current password') }}
            {{ form_widget(form.oldPassword, { 'attr': {'autocomplete': 'off' }}) }}
        </div>
        <div class="input-field">
        </div>
    </div>
    <div class="form-col-2">
        <div class="input-field">
            {{ form_label(form.plainPassword.first, 'New password') }}
            {{ form_widget(form.plainPassword.first, { 'attr': {'autocomplete': 'off' }}) }}
        </div>
        <div class="input-field">
            {{ form_label(form.plainPassword.second, 'Repeat new password') }}
            {{ form_widget(form.plainPassword.second, { 'attr': {'autocomplete': 'off' }}) }}
        </div>
    </div>
    <input name="{{ form._token.vars.full_name }}" type="hidden" value="{{ form._token.vars.value }}">
    <div class="input-field submit-container">
        <button class="waves-effect waves-light btn btn-2 close_action" type="button">Annuler</button>
        <button class="waves-effect waves-light btn btn-1" type="submit">Valider</button>
    </div>
</form>

JavaScript submit function

function ajaxSubmit(node) {
    $.ajax({
        type: node.attr("method"),
        url: node.attr("action"),
        enctype: 'multipart/form-data',
        data: new FormData(node[0]),
        processData: false,
        contentType: false,
        cache: false
    }).done(function(response, status, xhr) {
        // Your code here
    }).fail(function(request, status, error) {
        console.error(request);
        console.error(status);
        console.error(error);
    });
}

Side note: it should be obvious, but you should use POST rather than GET in your AJAX request.

First, because GET parameters are in plain view, changing a password that way is very dangerous.

Second, because once your site uses HTTPS, your POST parameters are encrypted. It is really hard for anyone sniffing the traffic to read the content.

Finally, avoid posting code in comments; edit your question instead... ;)
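As an added example (not code from the question or the answer), the standalone PHP script below shows what Symfony's bcrypt encoder reduces to inside isPasswordValid() and encodePassword(), using PHP's own password_hash() and password_verify(), mirrors the change-password check from editAction(), and reads the submitted passwords from the POST body as the side note recommends. The function names, the $_POST field names and the sample password are assumptions constructed for illustration.

```php
<?php
// Added example, not code from the question or the answer: a framework-free
// sketch of what Symfony's bcrypt encoder does inside isPasswordValid(), plus
// the change-password check from editAction() and a POST-only way of reading
// the submitted passwords. All names below are assumptions for illustration.
declare(strict_types=1);

const BCRYPT_COST = 12;

// What the bcrypt encoder does in encodePassword(): bcrypt generates and embeds
// its own salt, which is why getSalt() can return null for bcrypt users.
function encodePassword(string $plain): string
{
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

// What isPasswordValid() reduces to: a constant-time comparison of the raw
// password against the hash stored on the user entity.
function isPasswordValid(string $storedHash, string $raw): bool
{
    return password_verify($raw, $storedHash);
}

// Mirrors editAction(): require both passwords, verify the current one against
// the stored hash, and only then return the new hash to be persisted.
function changePassword(string $storedHash, ?string $old, ?string $new): ?string
{
    if ($old === null || $old === '' || $new === null || $new === '') {
        return null;                       // incomplete form: do nothing
    }
    if (!isPasswordValid($storedHash, $old)) {
        return null;                       // wrong current password: keep old hash
    }
    return encodePassword($new);
}

// Constructed sample: the hash a user row would hold after signup.
$storedHash = encodePassword('correct horse battery staple');

// Passwords belong in the POST body (Symfony: $request->request->get(...)),
// never in the query string (Symfony: $request->query->get(...)), so they do
// not end up in server access logs, proxy logs or browser history.
$old = $_POST['old_password']   ?? null;
$new = $_POST['plain_password'] ?? null;

$newHash = changePassword($storedHash, $old, $new);
if ($newHash === null) {
    echo "Password unchanged: missing fields or current password did not match\n";
} else {
    echo "Password updated; new hash length " . strlen($newHash) . "\n";
}

// Self-check that also runs from the CLI, where $_POST is empty.
echo isPasswordValid($storedHash, 'correct horse battery staple') ? "match\n" : "no match\n";
echo isPasswordValid($storedHash, 'wrong password') ? "match\n" : "no match\n";
```

Run it with `php script.php` from the CLI to see the two self-check lines, or post `old_password` and `plain_password` to it behind a web server to exercise the change path; the point to take from it is that the encoder only ever compares the raw password you hand it against the hash the user object already holds, so a wrong stored hash, a non-null salt with bcrypt, or a password that never reached the request body all show up as a "false" result.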