Symfony 5.3+ provides a SignatureHasher class to create hashes for e.g. remember me tokens and login link tokens. I believe the password reset tokens of this bundle are quite similar to these.
What do you think about providing a way to use the bundle without Doctrine ORM, using this signature hasher?
We toyed around with stateless tokens a couple years ago when we were initially developing the bundle. We did run into a couple areas where stateless was not an option. Although being honest, I cannot remember the exact why's and why nots at this time. I do remember that we had a limited concept and code review w/ a couple of the PHP core team folks early on and we got their blessing based on 1) how we were generating tokens & 2) how we were validating the tokens using the public / private selector method.
That being said, I'm not opposed to the idea of having a stateless system as an option. I do think if we were to pursue the feature we should make it opt-in for BC.
Another consideration that is indirectly related to going stateless - I have implemented the bundle in a number of client projects and more often than not, I've found myself implementing additional admin-based visibility into the lifecycle of a reset request. There are of course a handful of ways to do this but because the bundle maintains state by default, I've been able to lean on this a bit when implementing such functionality.
I'm curious how others feel about using a stateless approach after having implemented the bundle in production apps and accommodating client requests that utilize the bundle, e.g. additional admin functionality.
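An added example of the stateless approach discussed in this thread (not the bundle's code and not Symfony's `SignatureHasher` implementation): the token is an expiry time plus an HMAC-SHA256 over the user id, the expiry and the current password hash, so it stops verifying once the password changes and no reset request is stored server-side. The function names, the `$user` array shape and the sample secret are assumptions made for the example.

```php
<?php
declare(strict_types=1);

// Added illustration; every name below is hypothetical, not a bundle or Symfony API.

function signResetFields(string $secret, string $userId, int $expires, string $passwordHash): string
{
    // Length-prefix each field so two different field splits cannot yield the same MAC input.
    $message = '';
    foreach ([$userId, (string) $expires, $passwordHash] as $field) {
        $message .= strlen($field) . ':' . $field;
    }
    return hash_hmac('sha256', $message, $secret);
}

function makeResetToken(string $secret, array $user, int $now, int $lifetime = 3600): string
{
    $expires = $now + $lifetime;
    $mac = signResetFields($secret, $user['id'], $expires, $user['password_hash']);
    return $expires . '.' . $mac;
}

function verifyResetToken(string $secret, array $user, string $token, int $now): bool
{
    $parts = explode('.', $token, 2);
    if (count($parts) !== 2 || !ctype_digit($parts[0])) {
        return false; // malformed token
    }
    [$expiresRaw, $mac] = $parts;
    $expires = (int) $expiresRaw;
    // Recompute the MAC from the user's *current* stored values.
    $expected = signResetFields($secret, $user['id'], $expires, $user['password_hash']);
    // Constant-time comparison first, then the expiry check on the authenticated value.
    return hash_equals($expected, $mac) && $now <= $expires;
}

// Constructed sample data.
$secret = 'constructed-sample-secret';
$user = ['id' => '42', 'password_hash' => '$2y$13$constructed-old-hash'];
$now = 1700000000;
$token = makeResetToken($secret, $user, $now);

var_dump(verifyResetToken($secret, $user, $token, $now + 60));   // checked inside the lifetime
var_dump(verifyResetToken($secret, $user, $token, $now + 7200)); // checked after the expiry time
$user['password_hash'] = '$2y$13$constructed-new-hash';          // simulate a completed reset
var_dump(verifyResetToken($secret, $user, $token, $now + 60));   // same token after the change
```

Because validity is derived entirely from the signature, there is no per-request record to list or revoke, which is the admin-visibility trade-off raised in the reply above.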