I was reading the Laravel 4 documentation and I saw some security stuff that would be great in Yii2:
A helper to create some secure hash in Yii. In Yii 1.x the user extensions have to handle it and we see some pretty bad stuff (unsalted md5/sha1). I think of something like
Hash::generate($password);
that’ll create a bcrypt salted password.
Hash::check($plainPassword, $hashedPassword)
could be verifying the password
A helper letting you reset the password. This is something really hard to do well and a lot of extensions are doing it the wrong way. This helper could generate the temporary random token and send it by mail to reset the password, and then check that the token is valid for the given email address and is not expired when the user changes his credentials.
For the first I wasn’t finding anything about it in the Yii class reference, but then I saw it’s in Yii since 1.1.14, so it hasn’t been stable released yet! I think it’s a great addition to the framework!
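As an added illustration of the two helpers proposed in this post (example code, not Yii’s own): Hash::generate/Hash::check built on PHP’s password_hash()/password_verify() (bcrypt with an embedded random salt), and a single-use, time-limited reset token whose hash, not the token itself, is what gets stored. The class and method names follow the proposal and are hypothetical; $store stands in for whatever the application persists tokens to.

```php
<?php
// Added example, not Yii's own code. Hash and PasswordReset are the post's
// proposed helper names (hypothetical); $store is a stand-in for persistence.

final class Hash
{
    // Bcrypt hash; PHP generates and embeds the random salt in the result.
    public static function generate(string $password, int $cost = 12): string
    {
        return password_hash($password, PASSWORD_BCRYPT, ['cost' => $cost]);
    }
    // Constant-time verification against the stored hash.
    public static function check(string $plainPassword, string $hashedPassword): bool
    {
        return password_verify($plainPassword, $hashedPassword);
    }
}

final class PasswordReset
{
    // Issue a token for $email: only its hash and expiry are stored; the
    // plaintext token is returned so it can be mailed to the user.
    public static function issue(array &$store, string $email, int $ttl = 3600): string
    {
        $token = bin2hex(random_bytes(32));
        $store[$email] = ['hash' => hash('sha256', $token), 'expires' => time() + $ttl];
        return $token;
    }
    // Accept only an unexpired token that matches the one issued for $email.
    // The entry is removed on every attempt, so a token can be used once.
    public static function verify(array &$store, string $email, string $token): bool
    {
        if (!isset($store[$email])) {
            return false;
        }
        $entry = $store[$email];
        unset($store[$email]);
        if ($entry['expires'] < time()) {
            return false;
        }
        return hash_equals($entry['hash'], hash('sha256', $token));
    }
}

// Constructed usage (second verify call fails because the token is single use):
$store = [];
$hash  = Hash::generate('correct horse battery staple');
var_dump(Hash::check('correct horse battery staple', $hash));
$token = PasswordReset::issue($store, 'user@example.com');
var_dump(PasswordReset::verify($store, 'user@example.com', $token));
var_dump(PasswordReset::verify($store, 'user@example.com', $token));
```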
Wouldn’t it be better to change this class to an application component or a component class that needs to be instantiated. This way it can check for the crypt() and blowfish stuff when it is instantiated instead of checking it in each method.
I don’t know about instantiating the class, true it’s better when you need to perform
checkBlowfish()
but when you don’t it’s useless to have a non-static class for hash calculation. For the interface, I agree Yii should provide a password interface letting people define their own way to store passwords.