Closed
Symfony version(s) affected
5.4
Description
My project needs a LegacyPasswordHasher to verify old MYSQL passwords and the security configuration should make sure that these passwords are migrated to a newer algorithm. Unfortunately this fails.
How to reproduce
Configure the legacy password hasher in security.yaml:

```yaml
# Parent keys added for context; the hasher entries are as posted.
security:
    password_hashers:
        legacy:
            id: 'App\Security\PasswordHasher\LegacyPasswordHasher'
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
            algorithm: 'auto'
            migrate_from:
                - legacy
```
Implement the PasswordHasherAwareInterface on the user entity and make it return 'legacy' to trigger that password hasher:

```php
public function getPasswordHasherName(): ?string
{
    // Old MySQL hashes are '*' followed by 40 uppercase hex characters.
    if (preg_match('/^\*[0-9A-F]{40}$/', $this->getPassword())) {
        return 'legacy';
    }

    // null selects the hasher configured for the user class.
    return null;
}
```
Possible Solution
No response
Additional Context
The culprit is in vendor/symfony/security-http/EventListener/PasswordMigratingListener.php::onLoginSuccess: when creating the new password hash, it calls LegacyPasswordHasher instead of the expected default password hasher.
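
For readers following the report, a sketch of a verify-only hasher for the old MySQL format is shown here. It is an added example, not the reporter's LegacyPasswordHasher and not Symfony code. It assumes the stored values are MySQL 4.1+ `PASSWORD()` output, which is the shape the regex in getPasswordHasherName() matches; the class name `MysqlNativePasswordHasher` is hypothetical.

```php
<?php
// Added illustration; class name and namespace are hypothetical.
namespace App\Security\PasswordHasher;

use Symfony\Component\PasswordHasher\Exception\InvalidPasswordException;
use Symfony\Component\PasswordHasher\PasswordHasherInterface;

final class MysqlNativePasswordHasher implements PasswordHasherInterface
{
    // Same upper bound Symfony's own hashers apply to plain passwords.
    private const MAX_LENGTH = 4096;

    public function hash(string $plainPassword): string
    {
        if (\strlen($plainPassword) > self::MAX_LENGTH) {
            throw new InvalidPasswordException();
        }

        // Assumed format: '*' + uppercase hex of SHA1(SHA1(password)).
        // Unsalted and fast, so it is kept only to check existing rows.
        return '*' . strtoupper(sha1(sha1($plainPassword, true)));
    }

    public function verify(string $hashedPassword, string $plainPassword): bool
    {
        if ('' === $plainPassword || \strlen($plainPassword) > self::MAX_LENGTH) {
            return false;
        }

        // Reject anything that is not in the legacy format before comparing.
        if (1 !== preg_match('/^\*[0-9A-F]{40}$/', $hashedPassword)) {
            return false;
        }

        // Constant-time comparison of stored and recomputed hash.
        return hash_equals($hashedPassword, $this->hash($plainPassword));
    }

    public function needsRehash(string $hashedPassword): bool
    {
        // Every legacy hash should be replaced once the user logs in.
        return true;
    }
}
```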