
I have installed FOSUserBundle in a Symfony 3.4 app, with the goal of eventually using it with LexikJWTAuthenticationBundle to create an API. My security.yml file looks like this:

security:

    encoders:
        FOS\UserBundle\Model\UserInterface: bcrypt

    role_hierarchy:
        ROLE_ADMIN:       ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN

    # https://symfony.com/doc/current/security.html#b-configuring-how-users-are-loaded
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username

    firewalls:

        login:
            pattern:  ^/api/login
            stateless: true
            anonymous: true
            json_login:
                check_path:               /api/login_check
                success_handler:          lexik_jwt_authentication.handler.authentication_success
                failure_handler:          lexik_jwt_authentication.handler.authentication_failure

        api:
            pattern:   ^/api
            stateless: true
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator

        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false

    access_control:
        - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api,       roles: IS_AUTHENTICATED_FULLY }

... and my User class looks like this:

<?php

namespace AppBundle\Entity;

use FOS\UserBundle\Model\User as BaseUser;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ORM\Entity
 * @ORM\Table(name="fos_user")
 */
class User extends BaseUser
{
    /**
     * @ORM\Id
     * @ORM\Column(type="integer")
     * @ORM\GeneratedValue(strategy="AUTO")
     */
    protected $id;

    public function __construct()
    {
        parent::__construct();
        // your own logic
    }
}

For some reason, when I create and persist a test user using Doctrine's fixtures bundle, the fos_user table in the database shows the new user's password in plaintext -- not ideal!

I've done brew install bcrypt on my Mac to make sure that I have the required dependency installed, and that didn't help. Anyone know what's going on?

2 Answers


It looks like the problem is only present when I try to load users in fixtures. If I use bin/console fos:user:create, the user is created correctly.

So assuming there's a way to run that command non-interactively, I guess I'll just add a Make command that calls that Symfony console command a bunch of times when loading fixtures.

Still, I'd be interested in hearing others' perspectives on this.


Oh, I think you are using $user->setPassword("pass123") in fixtures, am I right? Doctrine doesn't know what a password is, so it treats it as plaintext. You should use UserPasswordEncoderInterface's encodePassword(). Documentation here.
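As an added example (not code from the question or either answer), here is a Doctrine fixture for the question's AppBundle\Entity\User that runs the plaintext through UserPasswordEncoderInterface before persisting, so the fos_user row stores a bcrypt hash; the fixture class name, username, email and sample password are assumed.

```php
<?php

namespace AppBundle\DataFixtures\ORM;

use AppBundle\Entity\User;
use Doctrine\Bundle\FixturesBundle\Fixture;
use Doctrine\Common\Persistence\ObjectManager;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;

/**
 * Added example, not part of the original question or answers.
 * Class name, username, email and password are assumed sample values.
 */
class LoadUserData extends Fixture
{
    private $encoder;

    // DoctrineFixturesBundle 3.x registers fixtures as services, so the
    // encoder configured under security.encoders can be injected directly.
    public function __construct(UserPasswordEncoderInterface $encoder)
    {
        $this->encoder = $encoder;
    }

    public function load(ObjectManager $manager)
    {
        $user = new User();
        $user->setUsername('testuser');
        $user->setEmail('testuser@example.com');
        $user->setEnabled(true);

        // Wrong: setPassword() stores whatever string it is given, which is
        // why the fos_user table ended up holding the plaintext.
        // $user->setPassword('pass123');

        // Right: encodePassword() selects the encoder matching the user's
        // class (bcrypt, via the FOS\UserBundle\Model\UserInterface entry in
        // security.yml) and returns the hash that belongs in the column.
        $user->setPassword($this->encoder->encodePassword($user, 'pass123'));

        $manager->persist($user);
        $manager->flush();
    }
}
```

After loading, the password column should start with a bcrypt prefix such as $2y$; a value that still reads pass123 means the plaintext path is still being used somewhere.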