Commit 4d4859a

bug #59590 [Security] Throw an explicit error when refreshing a token with a null user (alexandre-daubois)
This PR was merged into the 6.4 branch.

Discussion
----------

[Security] Throw an explicit error when refreshing a token with a null user

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #59559
| License       | MIT

Following #59560 (comment), to prevent the code to simply fail and return an explicit message to the user.

Commits
-------

cd427c3 [Security] Throw an explicit error when authenticating a token with a null user
2 parents eabc942 + cd427c3 commit 4d4859a

3 files changed: +52 -0 lines changed

src/Symfony/Component/Security/Http/Firewall/ContextListener.php

Lines changed: 4 additions & 0 deletions
@@ -123,6 +123,10 @@ public function authenticate(RequestEvent $event): void
123123
]);
124124

125125
if ($token instanceof TokenInterface) {
126+
if (!$token->getUser()) {
127+
throw new \UnexpectedValueException(\sprintf('Cannot authenticate a "%s" token because it doesn\'t store a user.', $token::class));
128+
}
129+
126130
$originalToken = $token;
127131
$token = $this->refreshUser($token);
128132
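
Review bot: The throw at `if (!$token->getUser())` happens before `refreshUser()` and, in the lines shown, without removing the stored token, so it is worth confirming what a client whose session holds such a token sees on its following requests. If the same exception would be raised each time, consider clearing the token before throwing, or say in the message that the session entry has to be discarded. Since `getUser()` is nullable, `null === $token->getUser()` would also state the intent more precisely than the loose `!` test.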

src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php

Lines changed: 25 additions & 0 deletions
@@ -36,6 +36,7 @@
3636
use Symfony\Component\Security\Core\User\UserInterface;
3737
use Symfony\Component\Security\Core\User\UserProviderInterface;
3838
use Symfony\Component\Security\Http\Firewall\ContextListener;
39+
use Symfony\Component\Security\Http\Tests\Fixtures\NullUserToken;
3940
use Symfony\Contracts\Service\ServiceLocatorTrait;
4041

4142
class ContextListenerTest extends TestCase
@@ -58,6 +59,30 @@ public function testUserProvidersNeedToImplementAnInterface()
5859
$this->handleEventWithPreviousSession([new \stdClass()]);
5960
}
6061

62+
public function testTokenReturnsNullUser()
63+
{
64+
$tokenStorage = new TokenStorage();
65+
$tokenStorage->setToken(new NullUserToken());
66+
67+
$session = new Session(new MockArraySessionStorage());
68+
$session->set('_security_context_key', serialize($tokenStorage->getToken()));
69+
70+
$request = new Request();
71+
$request->setSession($session);
72+
$request->cookies->set('MOCKSESSID', true);
73+
74+
$listener = new ContextListener($tokenStorage, [], 'context_key');
75+
76+
$this->expectException(\UnexpectedValueException::class);
77+
$this->expectExceptionMessage('Cannot authenticate a "Symfony\Component\Security\Http\Tests\Fixtures\NullUserToken" token because it doesn\'t store a user.');
78+
79+
$listener->authenticate(new RequestEvent(
80+
$this->createMock(HttpKernelInterface::class),
81+
$request,
82+
HttpKernelInterface::MAIN_REQUEST,
83+
));
84+
}
85+
6186
public function testOnKernelResponseWillAddSession()
6287
{
6388
$session = $this->runSessionOnKernelResponse(
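
Review bot: `expectExceptionMessage()` in `testTokenReturnsNullUser()` hard-codes the fixture's fully qualified class name inside the string; building the expected message with `\sprintf()` and `NullUserToken::class` keeps the assertion valid if the fixture is moved or renamed. The method name describes the setup rather than the outcome, so a name that mentions the expected exception would read better in a failure report.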
Lines changed: 23 additions & 0 deletions
@@ -0,0 +1,23 @@
1+
<?php
2+
3+
/*
4+
* This file is part of the Symfony package.
5+
*
6+
* (c) Fabien Potencier <fabien@symfony.com>
7+
*
8+
* For the full copyright and license information, please view the LICENSE
9+
* file that was distributed with this source code.
10+
*/
11+
12+
namespace Symfony\Component\Security\Http\Tests\Fixtures;
13+
14+
use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
15+
use Symfony\Component\Security\Core\User\UserInterface;
16+
17+
class NullUserToken extends AbstractToken
18+
{
19+
public function getUser(): ?UserInterface
20+
{
21+
return null;
22+
}
23+
}
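
Review bot: `NullUserToken` has no class-level comment saying why `getUser()` always returns null; one line stating that it stands in for a token that stores no user, the case `ContextListener::authenticate()` now rejects, would help the next reader of the Fixtures namespace. Declaring the fixture `final` would also make clear that it is not meant to be extended.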
