Verify that Password Matches Hash for Given User in Symfony 6

PasswordHasher component provided by Symfony can be used to hash and verify passwords. This tutorial shows examples how to verify that password matches hash for a given user in Symfony 6 application.

Install PasswordHasher component, if not already done:

composer require symfony/password-hasher

For testing purpose we created a simple User class that implements PasswordAuthenticatedUserInterface and has password property:

src/Entity/User.php

<?php

namespace App\Entity;

use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;

class User implements PasswordAuthenticatedUserInterface
{
    private string $password;

    public function getPassword(): string { return $this->password;}
    public function setPassword(string $password): void { $this->password = $password; }
}

Framework use

Password hasher is configured in the security.yaml file as follows:

config/packages/security.yaml

security:
    # ...

    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: auto

Inject UserPasswordHasherInterface dependency in your controller or service and use isPasswordValid method to verify that password matches hash for a given user.

src/Controller/TestController.php

<?php

namespace App\Controller;

use App\Entity\User;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
use Symfony\Component\Routing\Annotation\Route;

class TestController
{
    #[Route('/')]
    public function index(UserPasswordHasherInterface $passwordHasher): Response
    {
        $user = new User();
        $user->setPassword('$2y$13$KTK7ivRev5/VD8MLqjA.VOv3uU7N/08vn7ruU3I4MiFHQ9O7ccITe');
        $plaintextPassword = 'pwd123';

        if (!$passwordHasher->isPasswordValid($user, $plaintextPassword)) {
            return new Response('Invalid password');
        }

        return new Response('Valid password');
    }
}

Standalone use

PasswordHasher component can be used in any PHP application independently from the Symfony framework. We can create an instance of password hasher using the PasswordHasherFactory class.

test.php

<?php

use App\Entity\User;
use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactory;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasher;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;

require_once __DIR__.'/vendor/autoload.php';

$passwordHasherFactory = new PasswordHasherFactory([
    PasswordAuthenticatedUserInterface::class => ['algorithm' => 'auto'],
]);
$passwordHasher = new UserPasswordHasher($passwordHasherFactory);

$user = new User();
$user->setPassword('$2y$13$KTK7ivRev5/VD8MLqjA.VOv3uU7N/08vn7ruU3I4MiFHQ9O7ccITe');
$plaintextPassword = 'pwd123';

if (!$passwordHasher->isPasswordValid($user, $plaintextPassword)) {
    echo 'Invalid password';
    die;
}

echo 'Valid password';

Leave a Comment

Your email address will not be published.