[Security] Dispatch an event when "logout user on change" steps in

Simperfit · Robin Chalas · commit b901b0b63c59 · 2019-04-27T15:37:27.000+02:00
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -23,6 +23,7 @@ CHANGELOG
  * Dispatch `SwitchUserEvent` on `security.switch_user`
  * Deprecated `Argon2iPasswordEncoder`, use `SodiumPasswordEncoder` instead
  * Deprecated `BCryptPasswordEncoder`, use `NativePasswordEncoder` instead
+ * Added `DeauthenticatedEvent` dispatched in case the user has changed when trying to refresh it
 
 4.2.0
 -----
diff --git a/src/Symfony/Component/Security/Http/Event/DeauthenticatedEvent.php b/src/Symfony/Component/Security/Http/Event/DeauthenticatedEvent.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Event;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Contracts\EventDispatcher\Event;
+
+/**
+ * Deauthentication happens in case the user has changed when trying to refresh it.
+ *
+ * @author Hamza Amrouche <hamza.simperfit@gmail.com>
+ */
+class DeauthenticatedEvent extends Event
+{
+    private $originalToken;
+    private $deauthenticatedToken;
+
+    public function __construct(TokenInterface $originalToken, TokenInterface $deauthenticatedToken)
+    {
+        $this->originalToken = $originalToken;
+        $this->deauthenticatedToken = $deauthenticatedToken;
+    }
+
+    /**
+     * @return TokenInterface The token that was deauthenticated during refreshment
+     */
+    public function getDeauthenticatedToken(): TokenInterface
+    {
+        return $this->deauthenticatedToken;
+    }
+
+    /**
+     * @return TokenInterface The original (authenticated) token
+     */
+    public function getOriginalToken(): TokenInterface
+    {
+        return $this->originalToken;
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -28,6 +28,7 @@
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
 
 /**
  * ContextListener manages the SecurityContext persistence through a session.
@@ -225,6 +226,10 @@ protected function refreshUser(TokenInterface $token)
                 $this->logger->debug('Token was deauthenticated after trying to refresh it.');
             }
 
+            if (null !== $this->dispatcher) {
+                $this->dispatcher->dispatch(new DeauthenticatedEvent($token, $newToken), DeauthenticatedEvent::class);
+            }
+
             return null;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php
@@ -31,6 +31,7 @@
 use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
 use Symfony\Component\Security\Http\Firewall\ContextListener;
 
 class ContextListenerTest extends TestCase
@@ -313,6 +314,35 @@ public function testAcceptsProvidersAsTraversable()
         $this->assertSame($refreshedUser, $tokenStorage->getToken()->getUser());
     }
 
+    public function testDeauthenticatedEvent()
+    {
+        $tokenStorage = new TokenStorage();
+        $refreshedUser = new User('foobar', 'baz');
+
+        $user = new User('foo', 'bar');
+        $session = new Session(new MockArraySessionStorage());
+        $session->set('_security_context_key', serialize(new UsernamePasswordToken($user, '', 'context_key', ['ROLE_USER'])));
+
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set('MOCKSESSID', true);
+
+        $eventDispatcher = new EventDispatcher();
+        $eventDispatcher->addListener(DeauthenticatedEvent::class, function ($event) use ($user) {
+            $originalToken = $event->getWrappedEvent()->getOriginalToken();
+            $this->assertTrue($originalToken->isAuthenticated());
+            $this->assertEquals($originalToken->getUser(), $user);
+            $deauthenticatedToken = $event->getWrappedEvent()->getDeauthenticatedToken();
+            $this->assertFalse($deauthenticatedToken->isAuthenticated());
+            $this->assertNotEquals($deauthenticatedToken->getUser(), $user);
+        });
+
+        $listener = new ContextListener($tokenStorage, [new NotSupportingUserProvider(), new SupportingUserProvider($refreshedUser)], 'context_key', null, $eventDispatcher);
+        $listener(new RequestEvent($this->getMockBuilder(HttpKernelInterface::class)->getMock(), $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $this->assertNull($tokenStorage->getToken());
+    }
+
     protected function runSessionOnKernelResponse($newToken, $original = null)
     {
         $session = new Session(new MockArraySessionStorage());
