From ce1ee7459e5a2213e39ab8f209eb0364deea8da1 Mon Sep 17 00:00:00 2001 From: stlrnz Date: Wed, 10 Nov 2021 11:44:45 +0100 Subject: [PATCH] [Security] Do not overwrite already stored tokens for REMOTE_USER authentication --- .../AbstractPreAuthenticatedAuthenticator.php | 11 +++++++++++ .../Authenticator/RemoteUserAuthenticatorTest.php | 12 ++++++++++++ 2 files changed, 23 insertions(+) diff --git a/src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php index a5736aecd800c..7317967125e1f 100644 --- a/src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php +++ b/src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php @@ -79,6 +79,17 @@ public function supports(Request $request): ?bool return false; } + // do not overwrite already stored tokens from the same user (i.e. from the session) + $token = $this->tokenStorage->getToken(); + + if ($token instanceof PreAuthenticatedToken && $this->firewallName === $token->getFirewallName() && $token->getUserIdentifier() === $username) { + if (null !== $this->logger) { + $this->logger->debug('Skipping pre-authenticated authenticator as the user already has an existing session.', ['authenticator' => static::class]); + } + + return false; + } + $request->attributes->set('_pre_authenticated_username', $username); return true; diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/RemoteUserAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/RemoteUserAuthenticatorTest.php index 46454e6aaf86a..d1322ec4a3164 100644 --- a/src/Symfony/Component/Security/Http/Tests/Authenticator/RemoteUserAuthenticatorTest.php +++ b/src/Symfony/Component/Security/Http/Tests/Authenticator/RemoteUserAuthenticatorTest.php @@ -13,6 +13,7 @@ use PHPUnit\Framework\TestCase; use Symfony\Component\HttpFoundation\Request; +use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticatedToken; use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage; use Symfony\Component\Security\Core\User\InMemoryUser; use Symfony\Component\Security\Core\User\InMemoryUserProvider; @@ -37,6 +38,17 @@ public function testSupportNoUser() $this->assertFalse($authenticator->supports($this->createRequest([]))); } + public function testSupportTokenStorageWithToken() + { + $tokenStorage = new TokenStorage(); + $tokenStorage->setToken(new PreAuthenticatedToken('username', 'credentials', 'main')); + + $authenticator = new RemoteUserAuthenticator(new InMemoryUserProvider(), $tokenStorage, 'main'); + + $this->assertFalse($authenticator->supports($this->createRequest(['REMOTE_USER' => 'username']))); + $this->assertTrue($authenticator->supports($this->createRequest(['REMOTE_USER' => 'another_username']))); + } + /** * @dataProvider provideAuthenticators */ pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy