.. rst-class:: outdated

Updating password
=================

.. danger::

   We're sorry but **this documentation section is outdated**. Please keep that in mind when trying to use it.
   You can help us bring the documentation up to date via Sylius GitHub. Thank you!

To store a user's password safely, you need to encode it and get rid of the plain password.

PasswordUpdater
---------------

The User component offers a simple password updater and encoder. All you need to do is set the plain password
on the ``User`` entity and call the ``updatePassword`` method on ``PasswordUpdater``. The plain password will be
removed and the encoded password will be set on the ``User`` entity. Now you can safely store the encoded password.
Example usage:

.. code-block:: php

    <?php

    use Sylius\Component\User\Model\User;
    use Sylius\Component\User\Security\PasswordUpdater;
    use Sylius\Component\User\Security\UserPbkdf2PasswordEncoder;

    $user = new User();
    $user->setPlainPassword('secretPassword');

    $user->getPlainPassword(); // returns 'secretPassword'
    $user->getPassword(); // returns null

    // after you set the user's password you need to encode it and get rid of the unsafe plain text
    $passwordUpdater = new PasswordUpdater(new UserPbkdf2PasswordEncoder());
    $passwordUpdater->updatePassword($user);

    // the plain password no longer exists
    $user->getPlainPassword(); // returns null
    // the encoded password can be safely stored
    $user->getPassword(); // returns 'notPredictableBecauseOfSaltHashedPassword'

.. note::

   The password encoder takes the user's salt (a random string autogenerated in the ``User`` constructor)
   as an additional input to a one-way function that hashes the password.
   The primary function of salts is to defend against dictionary attacks against a list of password hashes
   and against pre-computed rainbow table attacks.
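
The salting behaviour described in the note above, as an added example that is not part of Sylius or of the original documentation. It calls PHP's built-in ``hash_pbkdf2`` directly; the ``demo*`` function names, the algorithm, the iteration count, the key length and the sample accounts are assumptions chosen for illustration.

```php
<?php
// Added illustration, not Sylius code. The demo* names, algorithm,
// iteration count and key length are assumptions chosen for this example.
const DEMO_ALGO = 'sha512';
const DEMO_ITERATIONS = 210000;
const DEMO_KEY_BYTES = 32;

// Per-user random salt, generated once when the account is created.
function demoGenerateSalt(): string
{
    return bin2hex(random_bytes(16));
}

// One-way function: PBKDF2 over the plain password with the user's salt.
function demoEncodePassword(string $plain, string $salt): string
{
    return base64_encode(
        hash_pbkdf2(DEMO_ALGO, $plain, $salt, DEMO_ITERATIONS, DEMO_KEY_BYTES, true)
    );
}

// Re-encode the candidate with the stored salt and compare in constant time.
function demoIsPasswordValid(string $stored, string $candidate, string $salt): bool
{
    return hash_equals($stored, demoEncodePassword($candidate, $salt));
}

// Constructed sample data: two accounts that chose the same password.
$accounts = [];
foreach (['alice', 'bob'] as $name) {
    $salt = demoGenerateSalt();
    $accounts[$name] = ['salt' => $salt, 'hash' => demoEncodePassword('secretPassword', $salt)];
}
echo 'same password, same stored hash: ';
var_dump($accounts['alice']['hash'] === $accounts['bob']['hash']);

// A table of hashes computed in advance is tied to the salt it was built with.
$table = [];
foreach (['123456', 'password', 'secretPassword'] as $word) {
    $table[demoEncodePassword($word, $accounts['alice']['salt'])] = $word;
}
echo "table built with alice's salt contains alice's hash: ";
var_dump(isset($table[$accounts['alice']['hash']]));
echo "same table contains bob's hash: ";
var_dump(isset($table[$accounts['bob']['hash']]));

// Login check against the stored record: correct password, then a wrong one.
['salt' => $salt, 'hash' => $hash] = $accounts['bob'];
var_dump(demoIsPasswordValid($hash, 'secretPassword', $salt));
var_dump(demoIsPasswordValid($hash, 'secretpassword', $salt));
```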