[Security] Add ability for authenticators to explain why they supported the request or not

MatTheCat · MatTheCat · commit b0cdff75055c · 2025-05-25T15:20:49.000+02:00
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig b/src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
@@ -423,7 +423,9 @@
                                         <div id="authenticator-{{ i }}" class="font-normal">
                                             {% if authenticator.supports is same as(false) %}
                                                 <div class="empty">
-                                                    <p>This authenticator did not support the request.</p>
+                                                    {% for reason in (authenticator.supportReasons ?? []) is empty ? ['This authenticator did not support the request.'] : authenticator.supportReasons %}
+                                                        <p>{{ reason }}</p>
+                                                    {% endfor %}
                                                 </div>
                                             {% elseif authenticator.authenticated is null %}
                                                 <div class="empty">
diff --git a/src/Symfony/Component/Ldap/Security/LdapAuthenticator.php b/src/Symfony/Component/Ldap/Security/LdapAuthenticator.php
@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
+use Symfony\Component\Security\Http\RequestSupport;
 
 /**
  * This class decorates internal authenticators to add the LDAP integration.
@@ -44,9 +45,9 @@ public function __construct(
     ) {
     }
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool
     {
-        return $this->authenticator->supports($request);
+        return $this->authenticator->supports($request, $requestSupport);
     }
 
     public function authenticate(Request $request): Passport
diff --git a/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php b/src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php
@@ -37,6 +37,7 @@
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
 use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Component\Security\Http\SecurityEvents;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 
@@ -117,12 +118,18 @@ public function supports(Request $request): ?bool
                 throw new \InvalidArgumentException(\sprintf('Authenticator "%s" must implement "%s".', get_debug_type($authenticator), AuthenticatorInterface::class));
             }
 
-            if (false !== $supports = $authenticator->supports($request)) {
+            $requestSupport = new RequestSupport();
+            if (false !== $supports = $authenticator->supports($request, $requestSupport)) {
                 $authenticators[] = $authenticator;
                 $lazy = $lazy && null === $supports;
+
+                $requestSupport->result = true;
+                $requestSupport->lazy = $lazy;
             } else {
                 $this->logger?->debug('Authenticator does not support the request.', ['firewall_name' => $this->firewallName, 'authenticator' => $authenticator::class]);
                 $skippedAuthenticators[] = $authenticator;
+
+                $requestSupport->result = false;
             }
         }
 
@@ -158,8 +165,10 @@ private function executeAuthenticators(array $authenticators, Request $request):
             // recheck if the authenticator still supports the listener. supports() is called
             // eagerly (before token storage is initialized), whereas authenticate() is called
             // lazily (after initialization).
-            if (false === $authenticator->supports($request)) {
+            $requestSupport = new RequestSupport();
+            if (false === $authenticator->supports($request, $requestSupport)) {
                 $this->logger?->debug('Skipping the "{authenticator}" authenticator as it did not support the request.', ['authenticator' => ($authenticator instanceof TraceableAuthenticator ? $authenticator->getAuthenticator() : $authenticator)::class]);
+                $requestSupport->result = false;
 
                 continue;
             }
diff --git a/src/Symfony/Component/Security/Http/Authenticator/AbstractLoginFormAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/AbstractLoginFormAuthenticator.php
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
@@ -37,9 +38,24 @@ abstract protected function getLoginUrl(Request $request): string;
      * This default implementation handles all POST requests to the
      * login path (@see getLoginUrl()).
      */
-    public function supports(Request $request): bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): bool
     {
-        return $request->isMethod('POST') && $this->getLoginUrl($request) === $request->getBaseUrl().$request->getPathInfo();
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : new RequestSupport();
+        $requestSupport ??= new RequestSupport();
+
+        if (!$request->isMethod('POST')) {
+            $requestSupport->addReason('Request is not a POST.');
+
+            return false;
+        }
+
+        if ($this->getLoginUrl($request) !== $request->getBaseUrl().$request->getPathInfo()) {
+            $requestSupport->addReason('Request does not match the login URL.');
+
+            return false;
+        }
+
+        return true;
     }
 
     /**
diff --git a/src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\RequestSupport;
 
 /**
  * The base authenticator for authenticators to use pre-authenticated
@@ -52,20 +53,25 @@ public function __construct(
      */
     abstract protected function extractUsername(Request $request): ?string;
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool
     {
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : new RequestSupport();
+        $requestSupport ??= new RequestSupport();
+
         try {
             $username = $this->extractUsername($request);
         } catch (BadCredentialsException $e) {
             $this->clearToken($e);
 
             $this->logger?->debug('Skipping pre-authenticated authenticator as a BadCredentialsException is thrown.', ['exception' => $e, 'authenticator' => static::class]);
+            $requestSupport->addReason('Could not find the username in the request.');
 
             return false;
         }
 
         if (null === $username) {
             $this->logger?->debug('Skipping pre-authenticated authenticator no username could be extracted.', ['authenticator' => static::class]);
+            $requestSupport->addReason('Username found in the request was empty.');
 
             return false;
         }
@@ -75,6 +81,7 @@ public function supports(Request $request): ?bool
 
         if ($token instanceof PreAuthenticatedToken && $this->firewallName === $token->getFirewallName() && $token->getUserIdentifier() === $username) {
             $this->logger?->debug('Skipping pre-authenticated authenticator as the user already has an existing session.', ['authenticator' => static::class]);
+            $requestSupport->addReason('A token already exists for the user in the session.');
 
             return false;
         }
diff --git a/src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
 /**
@@ -46,9 +47,18 @@ public function __construct(
     ) {
     }
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool
     {
-        return null === $this->accessTokenExtractor->extractAccessToken($request) ? false : null;
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : new RequestSupport();
+        $requestSupport ??= new RequestSupport();
+
+        if (null === $this->accessTokenExtractor->extractAccessToken($request)) {
+            $requestSupport->addReason(sprintf('No token was found in the request by the %s.', $this->accessTokenExtractor::class));
+
+            return false;
+        }
+
+        return null;
     }
 
     public function authenticate(Request $request): Passport
diff --git a/src/Symfony/Component/Security/Http/Authenticator/AuthenticatorInterface.php b/src/Symfony/Component/Security/Http/Authenticator/AuthenticatorInterface.php
@@ -16,6 +16,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\RequestSupport;
 
 /**
  * The interface for all authenticators.
@@ -32,8 +33,10 @@ interface AuthenticatorInterface
      * If this returns true, authenticate() will be called. If false, the authenticator will be skipped.
      *
      * Returning null means authenticate() can be called lazily when accessing the token storage.
+     *
+     * @param RequestSupport|null $requestSupport
      */
-    public function supports(Request $request): ?bool;
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool;
 
     /**
      * Create a passport for the current request.
diff --git a/src/Symfony/Component/Security/Http/Authenticator/Debug/TraceableAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/Debug/TraceableAuthenticator.php
@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Component\VarDumper\Caster\ClassStub;
 
 /**
@@ -31,6 +32,7 @@
 final class TraceableAuthenticator implements AuthenticatorInterface, InteractiveAuthenticatorInterface, AuthenticationEntryPointInterface
 {
     private ?bool $supports = false;
+    private array $supportReasons = [];
     private ?Passport $passport = null;
     private ?float $duration = null;
     private ClassStub|string $stub;
@@ -45,6 +47,7 @@ public function getInfo(): array
     {
         return [
             'supports' => $this->supports,
+            'supportReasons' => $this->supportReasons,
             'passport' => $this->passport,
             'duration' => $this->duration,
             'stub' => $this->stub ??= class_exists(ClassStub::class) ? new ClassStub($this->authenticator::class) : $this->authenticator::class,
@@ -62,9 +65,14 @@ static function (BadgeInterface $badge): array {
         ];
     }
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool
     {
-        return $this->supports = $this->authenticator->supports($request);
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : new RequestSupport();
+
+        $this->supports = $this->authenticator->supports($request, $requestSupport);
+        $this->supportReasons = $requestSupport->reasons;
+
+        return $this->supports;
     }
 
     public function authenticate(Request $request): Passport
diff --git a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
@@ -31,6 +31,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\ParameterBagUtils;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
@@ -68,11 +69,30 @@ protected function getLoginUrl(Request $request): string
         return $this->httpUtils->generateUri($request, $this->options['login_path']);
     }
 
-    public function supports(Request $request): bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): bool
     {
-        return ($this->options['post_only'] ? $request->isMethod('POST') : true)
-            && $this->httpUtils->checkRequestPath($request, $this->options['check_path'])
-            && ($this->options['form_only'] ? 'form' === $request->getContentTypeFormat() : true);
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : new RequestSupport();
+        $requestSupport ??= new RequestSupport();
+
+        if ($this->options['post_only'] && !$request->isMethod('POST')) {
+            $requestSupport->addReason('Request is not a POST while "post_only" is set.');
+
+            return false;
+        }
+
+        if (!$this->httpUtils->checkRequestPath($request, $this->options['check_path'])) {
+            $requestSupport->addReason('Request does not match the "check_path".');
+
+            return false;
+        }
+
+        if ($this->options['form_only'] && 'form' !== $request->getContentTypeFormat()) {
+            $requestSupport->addReason('Request is not a form submission while "form_only" is set.');
+
+            return false;
+        }
+
+        return true;
     }
 
     public function authenticate(Request $request): Passport
diff --git a/src/Symfony/Component/Security/Http/Authenticator/HttpBasicAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/HttpBasicAuthenticator.php
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\RequestSupport;
 
 /**
  * @author Wouter de Jong <wouter@wouterj.nl>
@@ -49,9 +50,18 @@ public function start(Request $request, ?AuthenticationException $authException
         return $response;
     }
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool
     {
-        return $request->headers->has('PHP_AUTH_USER');
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : new RequestSupport();
+        $requestSupport ??= new RequestSupport();
+
+        if (!$request->headers->has('PHP_AUTH_USER')) {
+            $requestSupport->addReason('Request has no basic authentication header.');
+
+            return false;
+        }
+
+        return true;
     }
 
     public function authenticate(Request $request): Passport
diff --git a/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php
@@ -31,6 +31,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
 /**
@@ -60,16 +61,23 @@ public function __construct(
         $this->propertyAccessor = $propertyAccessor ?: PropertyAccess::createPropertyAccessor();
     }
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool
     {
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : new RequestSupport();
+        $requestSupport ??= new RequestSupport();
+
         if (
             !str_contains($request->getRequestFormat() ?? '', 'json')
             && !str_contains($request->getContentTypeFormat() ?? '', 'json')
         ) {
+            $requestSupport->addReason('Request format is not JSON.');
+
             return false;
         }
 
         if (isset($this->options['check_path']) && !$this->httpUtils->checkRequestPath($request, $this->options['check_path'])) {
+            $requestSupport->addReason('Request does not match the "check_path".');
+
             return false;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Authenticator/LoginLinkAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/LoginLinkAuthenticator.php
@@ -25,6 +25,7 @@
 use Symfony\Component\Security\Http\LoginLink\Exception\InvalidLoginLinkAuthenticationException;
 use Symfony\Component\Security\Http\LoginLink\Exception\InvalidLoginLinkExceptionInterface;
 use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;
+use Symfony\Component\Security\Http\RequestSupport;
 
 /**
  * @author Ryan Weaver <ryan@symfonycasts.com>
@@ -43,10 +44,24 @@ public function __construct(
         $this->options = $options + ['check_post_only' => false];
     }
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool
     {
-        return ($this->options['check_post_only'] ? $request->isMethod('POST') : true)
-            && $this->httpUtils->checkRequestPath($request, $this->options['check_route']);
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : new RequestSupport();
+        $requestSupport ??= new RequestSupport();
+
+        if ($this->options['check_post_only'] && !$request->isMethod('POST')) {
+            $requestSupport->addReason('Request is not a POST while "check_post_only" is set.');
+
+            return false;
+        }
+
+        if (!$this->httpUtils->checkRequestPath($request, $this->options['check_route'])) {
+            $requestSupport->addReason('Request does not match the "check_route".');
+
+            return false;
+        }
+
+        return true;
     }
 
     public function authenticate(Request $request): Passport
diff --git a/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
diff --git a/src/Symfony/Component/Security/Http/RequestSupport.php b/src/Symfony/Component/Security/Http/RequestSupport.php

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@`
`20`	`20`	`use Symfony\Component\Security\Http\Authenticator\Passport\Passport;`
`21`	`21`	`use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;`
`22`	`22`	`use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;`
	`23`	`+use Symfony\Component\Security\Http\RequestSupport;`
`23`	`24`
`24`	`25`	`/**`
`25`	`26`	`* This class decorates internal authenticators to add the LDAP integration.`
`@@ -44,9 +45,9 @@ public function __construct(`
`44`	`45`	`) {`
`45`	`46`	`}`
`46`	`47`
`47`		`- public function supports(Request $request): ?bool`
	`48`	`+ public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool`
`48`	`49`	`{`
`49`		`- return $this->authenticator->supports($request);`
	`50`	`+ return $this->authenticator->supports($request, $requestSupport);`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`public function authenticate(Request $request): Passport`