Yii2: Refactor Security Component [2.1]

Created on 29 Mar 2017  路  5Comments  路  Source: yiisoft/yii2

Expanded from a comment by @dynasource on #13837

I propose refactoring parts of the security component into a SecurityHelper.
Lots of functionality from the Security component does not use state and is purely functional. It could just as well be implemented in a helper.

Functions that do not ever use state.

  • [ ] compareString
  • [ ] hkdf
  • [ ] pbkdf2
  • [ ] validatePassword

Functions that use state only if random_bytes() is not available (PHP < 7.0). Listed here since I do not know the minimum requirements Yii 2.1 will have.

  • [ ] generatePasswordHash
  • [ ] generateRandomKey
  • [ ] generateRandomString
  • [ ] generateSalt

Functions that could moved from Request or StringHelper to SecurityHelper:

  • [ ] maskToken
  • [ ] unmaskToken

I'm not entirely sure what the criteria are for implementing something as a component vs a helper.

This issue is mainly meant for discussion.

picture SamMousa

Most helpful comment

Functions that use state only if random_bytes() is not available (PHP < 7.0). Listed here since I do not know the minimum requirements Yii 2.1 will have.

it will be php 7.1 minimum. imo that will help the security module quite a lot.

picture Faryshta on 25 Apr 2017
👍3

All 5 comments

Long ago Security component already was a helper, but was converted into a component by #4089.
I see no reason to switch it back returning to the old problems.
See https://github.com/yiisoft/yii2/pull/4052#issuecomment-47199529

klimov-paul picture klimov-paul on 29 Mar 2017

Generally I don't think it's a good idea. The pro of helpers mainly is about short syntax which is great to use in views. Not the case about security one.

samdark picture samdark on 29 Mar 2017

Having maskToken() and unmaskToken() in a helper makes sense but I'd avoid having both component and helper with the same name. Would cause huge confusion.

samdark picture samdark on 29 Mar 2017

refactoring logic without state from components makes sense to me. Helps reducing complexity.

dynasource picture dynasource on 29 Mar 2017

Functions that use state only if random_bytes() is not available (PHP < 7.0). Listed here since I do not know the minimum requirements Yii 2.1 will have.

it will be php 7.1 minimum. imo that will help the security module quite a lot.

Faryshta picture Faryshta on 25 Apr 2017
👍3
Was this page helpful?
0 / 5 - 0 ratings

Related issues

indicalabs picture indicalabs  路  3Comments
kminooie picture kminooie  路  3Comments
schmunk42 picture schmunk42  路  3Comments
sobit picture sobit  路  3Comments
jpodpro picture jpodpro  路  3Comments