[Security] Prevent creating session in stateless firewalls

Seb33300 · chalasr · commit 4efd50e34c35 · 2023-08-25T21:42:36.000+02:00
diff --git a/src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationFailureHandler.php b/src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationFailureHandler.php
@@ -91,7 +91,9 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
 
         $this->logger?->debug('Authentication failure, redirect triggered.', ['failure_path' => $options['failure_path']]);
 
-        $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
+        if (!$request->attributes->getBoolean('_stateless')) {
+            $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
+        }
 
         return $this->httpUtils->createRedirectResponse($request, $options['failure_path']);
     }
diff --git a/src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationSuccessHandler.php b/src/Symfony/Component/Security/Http/Authentication/DefaultAuthenticationSuccessHandler.php
@@ -103,7 +103,7 @@ protected function determineTargetUrl(Request $request): string
         }
 
         $firewallName = $this->getFirewallName();
-        if (null !== $firewallName && $targetUrl = $this->getTargetPath($request->getSession(), $firewallName)) {
+        if (null !== $firewallName && !$request->attributes->getBoolean('_stateless') && $targetUrl = $this->getTargetPath($request->getSession(), $firewallName)) {
             $this->removeTargetPath($request->getSession(), $firewallName);
 
             return $targetUrl;
diff --git a/src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php
@@ -46,6 +46,7 @@ protected function setUp(): void
 
         $this->session = $this->createMock(SessionInterface::class);
         $this->request = $this->createMock(Request::class);
+        $this->request->attributes = new ParameterBag(['_stateless' => false]);
         $this->request->expects($this->any())->method('getSession')->willReturn($this->session);
         $this->exception = $this->getMockBuilder(AuthenticationException::class)->onlyMethods(['getMessage'])->getMock();
     }
@@ -89,6 +90,17 @@ public function testExceptionIsPersistedInSession()
         $handler->onAuthenticationFailure($this->request, $this->exception);
     }
 
+    public function testExceptionIsNotPersistedInSessionOnStatelessRequest()
+    {
+        $this->request->attributes = new ParameterBag(['_stateless' => true]);
+
+        $this->session->expects($this->never())
+            ->method('set')->with(SecurityRequestAttributes::AUTHENTICATION_ERROR, $this->exception);
+
+        $handler = new DefaultAuthenticationFailureHandler($this->httpKernel, $this->httpUtils, [], $this->logger);
+        $handler->onAuthenticationFailure($this->request, $this->exception);
+    }
+
     public function testExceptionIsPassedInRequestOnForward()
     {
         $options = ['failure_forward' => true];
diff --git a/src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationSuccessHandlerTest.php b/src/Symfony/Component/Security/Http/Tests/Authentication/DefaultAuthenticationSuccessHandlerTest.php
@@ -56,6 +56,25 @@ public function testRequestRedirectionsWithTargetPathInSessions()
         $this->assertSame('http://localhost/admin/dashboard', $handler->onAuthenticationSuccess($requestWithSession, $token)->getTargetUrl());
     }
 
+    public function testStatelessRequestRedirections()
+    {
+        $session = $this->createMock(SessionInterface::class);
+        $session->expects($this->never())->method('get')->with('_security.admin.target_path');
+        $session->expects($this->never())->method('remove')->with('_security.admin.target_path');
+        $statelessRequest = Request::create('/');
+        $statelessRequest->setSession($session);
+        $statelessRequest->attributes->set('_stateless', true);
+
+        $urlGenerator = $this->createMock(UrlGeneratorInterface::class);
+        $urlGenerator->expects($this->any())->method('generate')->willReturn('http://localhost/login');
+        $httpUtils = new HttpUtils($urlGenerator);
+        $token = $this->createMock(TokenInterface::class);
+        $handler = new DefaultAuthenticationSuccessHandler($httpUtils);
+        $handler->setFirewallName('admin');
+
+        $this->assertSame('http://localhost/', $handler->onAuthenticationSuccess($statelessRequest, $token)->getTargetUrl());
+    }
+
     public static function getRequestRedirections()
     {
         return [

Original file line number	Diff line number	Diff line change
`@@ -91,7 +91,9 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio`
`91`	`91`
`92`	`92`	`$this->logger?->debug('Authentication failure, redirect triggered.', ['failure_path' => $options['failure_path']]);`
`93`	`93`
`94`		`- $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);`
	`94`	`+ if (!$request->attributes->getBoolean('_stateless')) {`
	`95`	`+ $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);`
	`96`	`+ }`
`95`	`97`
`96`	`98`	`return $this->httpUtils->createRedirectResponse($request, $options['failure_path']);`
`97`	`99`	`}`
Original file line number	Diff line number	Diff line change
`@@ -103,7 +103,7 @@ protected function determineTargetUrl(Request $request): string`
`103`	`103`	`}`
`104`	`104`
`105`	`105`	`$firewallName = $this->getFirewallName();`
`106`		`- if (null !== $firewallName && $targetUrl = $this->getTargetPath($request->getSession(), $firewallName)) {`
	`106`	`+ if (null !== $firewallName && !$request->attributes->getBoolean('_stateless') && $targetUrl = $this->getTargetPath($request->getSession(), $firewallName)) {`
`107`	`107`	`$this->removeTargetPath($request->getSession(), $firewallName);`
`108`	`108`
`109`	`109`	`return $targetUrl;`