I'm trying to make a forgot password feature in my Symfony 3.1 application.
I have a form sending an email with a URL to reset the password, with a security token. You then land on a simple form containing a password input.
On submit, I update the user password with the one they submitted, but then when I try to log in, it says the credentials are wrong.
I can see that the password is being updated in the database, but I don't get why it's not working when I try to log in.
Here is the code that updates the password:
    // retrieve the user
    $user = $this->getDoctrine()->getRepository("AppBundle:User")->findOneBy(array('username' => "admin", "token" => $token));
    // stop here if the token does not match a user (findOneBy() returns null)
    if (null === $user) {
        throw $this->createNotFoundException('Invalid reset token.');
    }
    // the password posted from the form
    $password = $request->get('new_password');
    $em = $this->getDoctrine()->getManager();
    // encoding it according to the symfony doc
    // see https://symfony.com/doc/3.1/security/password_encoding.html
    $encoder = $this->container->get('security.password_encoder');
    $encoded = $encoder->encodePassword($user, $password);
    // updating the password in the database
    $user->setPassword($encoded);
    $em->persist($user);
    $em->flush();
I have an encoder set in my security.yaml file:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
        AppBundle\Entity\User:
            algorithm: bcrypt
Firewall in the security.yaml:
    firewalls:
        # disables authentication for assets and the profiler, adapt it according to your needs
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: ~
            form_login:
                login_path: /admin/connexion
                check_path: /admin/connexion
            logout:
                path: /logout
                target: /
Password property in User.php class:
    /**
     * @var string
     */
    private $password;
Password field in config/doctrine/User.orm.xml:
    <field name="password" type="string" column="password" length="64"/>
The issue was from my providers: I had two providers, one for users coming from the database, and one for a hardcoded in_memory user, and I forgot to create a chain provider as explained here: symfony.com/doc/3.1/security/multiple_user_providers.html
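
The chain-provider setup described in the answer above, as an added example that is not the poster's actual configuration. The provider names (`chain_provider`, `user_db`, `in_memory`), the `static_admin` user and the placeholder hash are assumptions; the encoders and login paths are the ones shown in the question.

```yaml
# security.yaml (constructed example, Symfony 3.1 syntax)
security:
    encoders:
        Symfony\Component\Security\Core\User\User:
            algorithm: bcrypt
        AppBundle\Entity\User:
            algorithm: bcrypt

    providers:
        # The chain provider asks each listed provider in order and returns the
        # first user it finds, so a username that exists in both sources
        # resolves to the provider listed first.
        chain_provider:
            chain:
                providers: [user_db, in_memory]
        # Users stored in the database (their password is what the reset form updates)
        user_db:
            entity:
                class: AppBundle\Entity\User
                property: username
        # Hard-coded user; the name and hash below are placeholders
        in_memory:
            memory:
                users:
                    static_admin:
                        password: '<bcrypt hash of the hard-coded password>'
                        roles: ROLE_ADMIN

    firewalls:
        main:
            anonymous: ~
            # Without this key the firewall uses the first provider defined above.
            provider: chain_provider
            form_login:
                login_path: /admin/connexion
                check_path: /admin/connexion
            logout:
                path: /logout
                target: /
```

If the same username exists in both sources, only the first provider in the `providers` list is consulted for it, so a password reset written to the database has no effect on login when the in-memory provider is listed first.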