There's no way. As you can see, it's hardcoded inside createToken(). But I suppose you can override the VerifyEmailTokenGenerator in your app if needed. The question is why would you need that?
Both VerifyEmailTokenGenerator and UriSigner use hardcoded sha256. I know that in this package this algorithm is less important because it is before UriSigner, but it is worth fighting to avoid hardcoding algorithms in the code as much as possible. And in both cases this can be achieved by throwing the algorithm into the service configuration.
After analysis... Using the default Symfony and VerifyEmailBundle configuration, if $userId is based on a value provided by the user, e.g. username, then the generated link has two parameters, which are based on the same key, APP_SECRET.
The link signature is calculated from the link and the key. I have the link, but I am missing the key.
The confirmation token is calculated from three values. I have two (username and email), but I am missing the key.
So... There are four variables, and I have three. Additionally, both the link signature and the token have the same hash algorithm... Hence a fairly quick way to calculate APP_SECRET using GPU capabilities.
Is it possible to add a hashing algorithm configuration for the SymfonyCasts\Bundle\VerifyEmail\Generator\VerifyEmailTokenGenerator?
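For the two comments above that ask for the HMAC algorithm to come from service configuration instead of being hardcoded in createToken(), here is an added example of what such a generator could look like. It is not the bundle's own code: the class name ConfigurableVerifyEmailTokenGenerator, the isValidToken() helper and the JSON encoding of the (userId, email, extraData) tuple are assumptions made for this illustration, and it assumes PHP 7.4 or later.

```php
<?php
// Added example (not SymfonyCasts code): a verify-email token generator whose
// HMAC algorithm is a constructor argument instead of a hardcoded 'sha256'.
// Class, method and argument names are hypothetical.
declare(strict_types=1);

final class ConfigurableVerifyEmailTokenGenerator
{
    private string $signingKey;
    private string $algorithm;

    public function __construct(string $signingKey, string $algorithm = 'sha256')
    {
        if ($signingKey === '') {
            throw new InvalidArgumentException('Signing key must not be empty.');
        }
        // Accept only names PHP can use in HMAC mode. hash_hmac_algos() omits the
        // non-cryptographic digests that hash_algos() still lists, so a typo or a
        // weak digest in the config fails at container build time, not at runtime.
        if (!in_array($algorithm, hash_hmac_algos(), true)) {
            throw new InvalidArgumentException(sprintf('Unsupported HMAC algorithm "%s".', $algorithm));
        }
        $this->signingKey = $signingKey;
        $this->algorithm = $algorithm;
    }

    public function createToken(string $userId, string $email, ?string $extraData = null): string
    {
        // Encode the tuple as JSON so field boundaries are unambiguous; plain
        // concatenation would let ("ab", "c") and ("a", "bc") produce the same MAC.
        $encodedData = json_encode([$userId, $email, $extraData], JSON_THROW_ON_ERROR);

        // Raw binary MAC, base64-encoded for use in a URL query parameter.
        return base64_encode(hash_hmac($this->algorithm, $encodedData, $this->signingKey, true));
    }

    public function isValidToken(string $token, string $userId, string $email, ?string $extraData = null): bool
    {
        // Constant-time comparison so a forged token is not confirmed byte by byte.
        return hash_equals($this->createToken($userId, $email, $extraData), $token);
    }
}

// Usage with a constructed key; in a real application it would be APP_SECRET.
$generator = new ConfigurableVerifyEmailTokenGenerator(str_repeat('k', 32), 'sha512');
$token = $generator->createToken('42', 'user@example.com');
var_dump($generator->isValidToken($token, '42', 'user@example.com'));
var_dump($generator->isValidToken($token, '42', 'other@example.com'));
```

With a class like this, the algorithm can be supplied the way the issue suggests: bind the `$algorithm` constructor argument in services.yaml (for example from a container parameter), and the same configuration would apply wherever the generator is injected. The hash_hmac_algos() check is the part worth keeping even if nothing else is reused, since it turns a misconfigured algorithm name into a boot-time error rather than a silently weaker token.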