bug #57378 [Security] Change to BadCredentialsException when empty username / password (llupa)

wouterj · wouterj · commit 302938c8639c · 2024-06-12T23:37:38.000+02:00
This PR was merged into the 7.1 branch. Discussion ---------- [Security] Change to `BadCredentialsException` when empty username / password | Q | A | ------------- | --- | Branch? | 7.1 | Bug fix? |no | New feature? |no | Deprecations? |no | Issues | Fix #53851 (comment) | License | MIT ~Tests will likely fail since they are running flipped.~ Commits ------- 2ab91bb [Security] Change to `BadCredentialsException` when empty username / password
diff --git a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
@@ -130,7 +131,7 @@ private function getCredentials(Request $request): array
         $credentials['username'] = trim($credentials['username']);
 
         if ('' === $credentials['username']) {
-            throw new BadRequestHttpException(sprintf('The key "%s" must be a non-empty string.', $this->options['username_parameter']));
+            throw new BadCredentialsException(sprintf('The key "%s" must be a non-empty string.', $this->options['username_parameter']));
         }
 
         $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);
@@ -140,7 +141,7 @@ private function getCredentials(Request $request): array
         }
 
         if ('' === (string) $credentials['password']) {
-            throw new BadRequestHttpException(sprintf('The key "%s" must be a non-empty string.', $this->options['password_parameter']));
+            throw new BadCredentialsException(sprintf('The key "%s" must be a non-empty string.', $this->options['password_parameter']));
         }
 
         if (!\is_string($credentials['csrf_token'] ?? '') && (!\is_object($credentials['csrf_token']) || !method_exists($credentials['csrf_token'], '__toString'))) {
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -44,7 +44,7 @@ protected function setUp(): void
 
     public function testHandleWhenUsernameEmpty()
     {
-        $this->expectException(BadRequestHttpException::class);
+        $this->expectException(BadCredentialsException::class);
         $this->expectExceptionMessage('The key "_username" must be a non-empty string.');
 
         $request = Request::create('/login_check', 'POST', ['_username' => '', '_password' => 's$cr$t']);
@@ -56,7 +56,7 @@ public function testHandleWhenUsernameEmpty()
 
     public function testHandleWhenPasswordEmpty()
     {
-        $this->expectException(BadRequestHttpException::class);
+        $this->expectException(BadCredentialsException::class);
         $this->expectExceptionMessage('The key "_password" must be a non-empty string.');
 
         $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => '']);

Original file line number	Diff line number	Diff line change
`@@ -44,7 +44,7 @@ protected function setUp(): void`
`44`	`44`
`45`	`45`	`public function testHandleWhenUsernameEmpty()`
`46`	`46`	`{`
`47`		`- $this->expectException(BadRequestHttpException::class);`
	`47`	`+ $this->expectException(BadCredentialsException::class);`
`48`	`48`	`$this->expectExceptionMessage('The key "_username" must be a non-empty string.');`
`49`	`49`
`50`	`50`	`$request = Request::create('/login_check', 'POST', ['_username' => '', '_password' => 's$cr$t']);`
`@@ -56,7 +56,7 @@ public function testHandleWhenUsernameEmpty()`
`56`	`56`
`57`	`57`	`public function testHandleWhenPasswordEmpty()`
`58`	`58`	`{`
`59`		`- $this->expectException(BadRequestHttpException::class);`
	`59`	`+ $this->expectException(BadCredentialsException::class);`
`60`	`60`	`$this->expectExceptionMessage('The key "_password" must be a non-empty string.');`
`61`	`61`
`62`	`62`	`$request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => '']);`