Merge branch '1.3.x'

Conflicts:
	Changelog.md
	Util/TokenGenerator.php
	composer.json

Author: XWB

Changelog.md

@@ -55,6 +55,10 @@ Changelog
 * [BC break] Changed Datetime properties of default User entity that were nullable to default to null when no value supplied.
 * [BC break] Updated schema.xml for Propel BaseUser class to allow nullable and typehint accordingly.
 
+### 1.3.8 (xxxx-xx-xx)
+
+* Use `random_bytes` to generate tokens
+
 ### 1.3.7 (2016-11-22)
 
 * Fixed some yaml errors in translation files

Resources/config/util.xml

@@ -14,9 +14,7 @@
             <argument type="service" id="request_stack" />
         </service>
 
-        <service id="fos_user.util.token_generator.default" class="FOS\UserBundle\Util\TokenGenerator" public="false">
-            <argument type="service" id="logger" on-invalid="ignore" />
-        </service>
+        <service id="fos_user.util.token_generator.default" class="FOS\UserBundle\Util\TokenGenerator" public="false" />
 
         <service id="fos_user.util.password_updater" class="FOS\UserBundle\Util\PasswordUpdater" public="false">
             <argument type="service" id="security.encoder_factory" />

Util/TokenGenerator.php

@@ -11,70 +11,13 @@
 
 namespace FOS\UserBundle\Util;
 
-use Psr\Log\LoggerInterface;
-
 class TokenGenerator implements TokenGeneratorInterface
 {
-    /**
-     * @var LoggerInterface
-     */
-    private $logger;
-
-    /**
-     * @var bool
-     */
-    private $useOpenSsl;
-
-    /**
-     * TokenGenerator constructor.
-     *
-     * @param LoggerInterface|null $logger
-     */
-    public function __construct(LoggerInterface $logger = null)
-    {
-        $this->logger = $logger;
-
-        // determine whether to use OpenSSL
-        if (defined('PHP_WINDOWS_VERSION_BUILD') && version_compare(PHP_VERSION, '5.3.4', '<')) {
-            $this->useOpenSsl = false;
-        } elseif (!function_exists('openssl_random_pseudo_bytes')) {
-            if (null !== $this->logger) {
-                $this->logger->notice('It is recommended that you enable the "openssl" extension for random number generation.');
-            }
-            $this->useOpenSsl = false;
-        } else {
-            $this->useOpenSsl = true;
-        }
-    }
-
     /**
      * {@inheritdoc}
      */
     public function generateToken()
     {
-        return rtrim(strtr(base64_encode($this->getRandomNumber()), '+/', '-_'), '=');
-    }
-
-    /**
-     * @return string
-     */
-    private function getRandomNumber()
-    {
-        $nbBytes = 32;
-
-        // try OpenSSL
-        if ($this->useOpenSsl) {
-            $bytes = openssl_random_pseudo_bytes($nbBytes, $strong);
-
-            if (false !== $bytes && true === $strong) {
-                return $bytes;
-            }
-
-            if (null !== $this->logger) {
-                $this->logger->info('OpenSSL did not produce a secure random number.');
-            }
-        }
-
-        return hash('sha256', uniqid(mt_rand(), true), true);
+        return rtrim(strtr(base64_encode(random_bytes(32)), '+/', '-_'), '=');
     }
 }

composer.json

@@ -21,6 +21,7 @@
     ],
     "require": {
         "php": "^5.5.9 || ^7.0",
+        "paragonie/random_compat": "^1 || ^2",
         "symfony/form": "^2.7 || ^3.0",
         "symfony/framework-bundle": "^2.7 || ^3.0",
         "symfony/security-bundle": "^2.7 || ^3.0",