minor symfony#10100 Fixed the code of the custom password authenticat…

…or example (javiereguiluz) This PR was merged into the 2.8 branch. Discussion ---------- Fixed the code of the custom password authenticator example Fixes symfony#4579. I used the same code given by @wouterj in symfony#4579 (comment) Commits ------- ad726c1 Fixed the code of the custom password authenticator example
shude · Jul 23, 2018 · 1327065 · 1327065
2 parents 2fdc86d + ad726c1
commit 1327065
Showing 1 changed file with 15 additions and 1 deletion.
diff --git a/security/custom_password_authenticator.rst b/security/custom_password_authenticator.rst
@@ -34,6 +34,7 @@ the user::
     use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
     use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
     use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
+    use Symfony\Component\Security\Core\Exception\BadCredentialsException;
     use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
     use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
     use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -58,7 +59,20 @@ the user::
                 throw new CustomUserMessageAuthenticationException('Invalid username or password');
             }
 
-            $isPasswordValid = $this->encoder->isPasswordValid($user, $token->getCredentials());
+            $currentUser = $token->getUser();
+
+            if ($currentUser instanceof UserInterface) {
+                if ($currentUser->getPassword() !== $user->getPassword()) {
+                    throw new BadCredentialsException('The credentials were changed from another session.');
+                }
+            } else {
+                if ('' === ($givenPassword = $token->getCredentials())) {
+                    throw new BadCredentialsException('The given password cannot be empty.');
+                }
+                if (!$this->encoderFactory->getEncoder($user)->isPasswordValid($user->getPassword(), $givenPassword, $user->getSalt())) {
+                    throw new BadCredentialsException('The given password is invalid.');
+                }
+            }
 
             if ($isPasswordValid) {
                 $currentHour = date('G');