
Commit f599e20

[Security] Throw when passing an empty string as $userIdentifier and tighten AuthenticatorManager and OidcTokenHandler arguments
1 parent 265d4b2 commit f599e20

8 files changed

+11
-494
lines changed


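--- a/UPGRADE-8.0.md
+++ b/UPGRADE-8.0.md
@@ -408,7 +408,9 @@ Security
 + return $data;
 +}
 ```
-
+* Throw a `BadCredentialsException` when passing an empty string as `$userIdentifier` argument to `UserBadge` constructor
+* Accept only `ExposeSecurityLevel` enums for `AuthenticatorManager`'s `$exposeSecurityErrors` argument
+* Respectively accept only `AlgorithmManager` and `JWKSet` for `OidcTokenHandler`'s `$signatureAlgorithm` and `$signatureKeyset` arguments
 * Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
 * Remove `AbstractListener::__invoke`
 * Remove `LazyFirewallContext::__invoke()`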

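--- a/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
+++ b/src/Symfony/Component/Security/Http/AccessToken/Oidc/OidcTokenHandler.php
@@ -13,9 +13,7 @@
 
 use Jose\Component\Checker;
 use Jose\Component\Checker\ClaimCheckerManager;
-use Jose\Component\Core\Algorithm;
 use Jose\Component\Core\AlgorithmManager;
-use Jose\Component\Core\JWK;
 use Jose\Component\Core\JWKSet;
 use Jose\Component\Encryption\JWEDecrypter;
 use Jose\Component\Encryption\JWETokenSupport;
@@ -53,22 +51,14 @@ final class OidcTokenHandler implements AccessTokenHandlerInterface
     private ?string $oidcJWKSetCacheKey = null;
 
     public function __construct(
-        private Algorithm|AlgorithmManager $signatureAlgorithm,
-        private JWK|JWKSet|null $signatureKeyset,
+        private AlgorithmManager $signatureAlgorithm,
+        private ?JWKSet $signatureKeyset,
         private string $audience,
         private array $issuers,
         private string $claim = 'sub',
         private ?LoggerInterface $logger = null,
         private ClockInterface $clock = new Clock(),
     ) {
-        if ($signatureAlgorithm instanceof Algorithm) {
-            trigger_deprecation('symfony/security-http', '7.1', 'First argument must be instance of %s, %s given.', AlgorithmManager::class, Algorithm::class);
-            $this->signatureAlgorithm = new AlgorithmManager([$signatureAlgorithm]);
-        }
-        if ($signatureKeyset instanceof JWK) {
-            trigger_deprecation('symfony/security-http', '7.1', 'Second argument must be instance of %s, %s given.', JWKSet::class, JWK::class);
-            $this->signatureKeyset = new JWKSet([$signatureKeyset]);
-        }
     }
 
     public function enableJweSupport(JWKSet $decryptionKeyset, AlgorithmManager $decryptionAlgorithms, bool $enforceEncryption): void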

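--- a/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php
+++ b/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php
@@ -47,8 +47,6 @@
  */
 class AuthenticatorManager implements AuthenticatorManagerInterface, UserAuthenticatorInterface
 {
-    private ExposeSecurityLevel $exposeSecurityErrors;
-
     /**
      * @param iterable<mixed, AuthenticatorInterface> $authenticators
      */
@@ -59,17 +57,9 @@ public function __construct(
         private string $firewallName,
         private ?LoggerInterface $logger = null,
         private bool $eraseCredentials = true,
-        ExposeSecurityLevel|bool $exposeSecurityErrors = ExposeSecurityLevel::None,
+        private ExposeSecurityLevel $exposeSecurityErrors = ExposeSecurityLevel::None,
         private array $requiredBadges = [],
     ) {
-        if (\is_bool($exposeSecurityErrors)) {
-            trigger_deprecation('symfony/security-http', '7.3', 'Passing a boolean as "exposeSecurityErrors" parameter is deprecated, use %s value instead.', ExposeSecurityLevel::class);
-
-            // The old parameter had an inverted meaning ($hideUserNotFoundExceptions), for that reason the current name does not reflect the behavior
-            $exposeSecurityErrors = $exposeSecurityErrors ? ExposeSecurityLevel::None : ExposeSecurityLevel::All;
-        }
-
-        $this->exposeSecurityErrors = $exposeSecurityErrors;
     }
 
     /**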
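Review bot: The promoted `$exposeSecurityErrors` parameter is now the only place the setting is declared, yet the docblock above the constructor still documents only `$authenticators`; with the bool fallback and its explanatory comment deleted, nothing in the class says what the enum controls. A one-line `@param ExposeSecurityLevel $exposeSecurityErrors which security exceptions may be surfaced to the end user; the default `ExposeSecurityLevel::None` is the most restrictive level` would carry that intent forward — the effect of `None` is inferred from the case name and should be checked against the enum. The constructor's parameter list begins outside the hunk.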

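--- a/src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/UserBadge.php
+++ b/src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/UserBadge.php
@@ -55,8 +55,7 @@ public function __construct(
         ?\Closure $identifierNormalizer = null,
     ) {
         if ('' === $userIdentifier) {
-            trigger_deprecation('symfony/security-http', '7.2', 'Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.');
-            // throw new BadCredentialsException('Empty user identifier.');
+            throw new BadCredentialsException('Empty user identifier.');
         }
 
         if (\strlen($userIdentifier) > self::MAX_USERNAME_LENGTH) {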
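Review bot: The constructor now throws `BadCredentialsException` for an empty `$userIdentifier`, but that is not declared on it; add `@throws BadCredentialsException when $userIdentifier is an empty string` to the constructor docblock (and mention the length branch on the last context line if it throws the same type — confirm). The emptiness check is applied to the raw argument before `$identifierNormalizer` runs, so an identifier that only becomes empty after normalization is not rejected here; whether that is acceptable depends on what normalizers are expected to do, and a short comment stating that the check is deliberately pre-normalization would settle it. The constructor's signature begins outside the hunk.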

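--- a/src/Symfony/Component/Security/Http/CHANGELOG.md
+++ b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -6,6 +6,9 @@ CHANGELOG
 
 * Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
 * Remove `AbstractListener::__invoke`
+* Throw a `BadCredentialsException` when passing an empty string as `$userIdentifier` argument to `UserBadge` constructor
+* Accept only `ExposeSecurityLevel` enums for `AuthenticatorManager`'s `$exposeSecurityErrors` argument
+* Respectively accept only `AlgorithmManager` and `JWKSet` for `OidcTokenHandler`'s `$signatureAlgorithm` and `$signatureKeyset` arguments
 
 7.4
 ---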
