[Security] Support hashing the hashed password using crc32c when putting the user in the session

Author: nicolas-grekas

CHANGELOG.md

@@ -7,6 +7,7 @@ CHANGELOG
  * Add encryption support to `OidcTokenHandler` (JWE)
  * Replace `$hideAccountStatusExceptions` argument with `$exposeSecurityErrors` in `AuthenticatorManager` constructor
  * Add argument `$identifierNormalizer` to `UserBadge::__construct()` to allow normalizing the identifier
+ * Support hashing the hashed password using crc32c when putting the user in the session
 
 7.2
 ---

Firewall/ContextListener.php

@@ -292,9 +292,16 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa
         }
 
         if ($originalUser instanceof PasswordAuthenticatedUserInterface || $refreshedUser instanceof PasswordAuthenticatedUserInterface) {
-            if (!$originalUser instanceof PasswordAuthenticatedUserInterface
-                || !$refreshedUser instanceof PasswordAuthenticatedUserInterface
-                || $refreshedUser->getPassword() !== ($originalUser->getPassword() ?? $refreshedUser->getPassword())
+            if (!$originalUser instanceof PasswordAuthenticatedUserInterface || !$refreshedUser instanceof PasswordAuthenticatedUserInterface) {
+                return true;
+            }
+
+            $originalPassword = $originalUser->getPassword();
+            $refreshedPassword = $refreshedUser->getPassword();
+
+            if (null !== $originalPassword
+                && $refreshedPassword !== $originalPassword
+                && (8 !== \strlen($originalPassword) || hash('crc32c', $refreshedPassword ?? $originalPassword) !== $originalPassword)
             ) {
                 return true;
             }
@@ -303,7 +310,7 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa
                 return true;
             }
 
-            if ($originalUser instanceof LegacyPasswordAuthenticatedUserInterface && $refreshedUser instanceof LegacyPasswordAuthenticatedUserInterface && $originalUser->getSalt() !== $refreshedUser->getSalt()) {
+            if ($originalUser instanceof LegacyPasswordAuthenticatedUserInterface && $originalUser->getSalt() !== $refreshedUser->getSalt()) {
                 return true;
             }
         }

Tests/Firewall/ContextListenerTest.php

@@ -377,9 +377,14 @@ public function testOnKernelResponseRemoveListener()
         $this->assertEmpty($dispatcher->getListeners());
     }
 
-    public function testRemovingPasswordFromSessionDoesntInvalidateTheToken()
+    /**
+     * @testWith [true]
+     *           [false]
+     *           [null]
+     */
+    public function testNullOrHashedPasswordInSessionDoesntInvalidateTheToken(?bool $hashPassword)
     {
-        $user = new CustomUser('user', ['ROLE_USER'], 'pass');
+        $user = new CustomUser('user', ['ROLE_USER'], 'pass', $hashPassword);
 
         $userProvider = $this->createMock(UserProviderInterface::class);
         $userProvider->expects($this->once())

Tests/Fixtures/CustomUser.php

@@ -19,7 +19,8 @@ final class CustomUser implements UserInterface, PasswordAuthenticatedUserInterf
     public function __construct(
         private string $username,
         private array $roles,
-        private ?string $password = null,
+        private ?string $password,
+        private ?bool $hashPassword,
     ) {
     }
 
@@ -44,6 +45,15 @@ public function eraseCredentials(): void
 
     public function __serialize(): array
     {
-        return [\sprintf("\0%s\0username", self::class) => $this->username];
+        $data = (array) $this;
+        $passwordKey = \sprintf("\0%s\0password", self::class);
+
+        if ($this->hashPassword) {
+            $data[$passwordKey] = hash('crc32c', $this->password);
+        } elseif (null !== $this->hashPassword) {
+            unset($data[$passwordKey]);
+        }
+
+        return $data;
     }
 }