[Security] Dispatch an event when "logout user on change" steps in

Simperfit · Robin Chalas · commit ecdeab898b97 · 2019-04-26T23:15:59.000+02:00
diff --git a/src/Symfony/Component/Security/CHANGELOG.md b/src/Symfony/Component/Security/CHANGELOG.md
@@ -23,6 +23,7 @@ CHANGELOG
  * Dispatch `SwitchUserEvent` on `security.switch_user`
  * Deprecated `Argon2iPasswordEncoder`, use `SodiumPasswordEncoder` instead
  * Deprecated `BCryptPasswordEncoder`, use `NativePasswordEncoder` instead
+ * Added `DeauthenticatedEvent` dispatched in case the user has changed when trying to refresh it
 
 4.2.0
 -----
@@ -32,7 +33,7 @@ CHANGELOG
  * Passing custom class names to the
    `Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver` to define
    custom anonymous and remember me token classes is deprecated. To
-   use custom tokens, extend the existing `Symfony\Component\Security\Core\Authentication\Token\AnonymousToken`
+   use custom tokens, extend the ex~~~~isting `Symfony\Component\Security\Core\Authentication\Token\AnonymousToken`
    or `Symfony\Component\Security\Core\Authentication\Token\RememberMeToken`.
  * allow passing null as $filter in LdapUserProvider to get the default filter
  * accessing the user object that is not an instance of `UserInterface` from `Security::getUser()` is deprecated
diff --git a/src/Symfony/Component/Security/Http/Event/DeauthenticatedEvent.php b/src/Symfony/Component/Security/Http/Event/DeauthenticatedEvent.php
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Event;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Contracts\EventDispatcher\Event;
+
+/**
+ * Deauthentication happens in case the user has changed when trying to refresh it.
+ *
+ * @author Hamza Amrouche <hamza.simperfit@gmail.com>
+ */
+class DeauthenticatedEvent extends Event
+{
+    private $token;
+    private $user;
+
+    public function __construct(TokenInterface $token, UserInterface $user)
+    {
+        $this->token = $token;
+        $this->user = $user;
+    }
+
+    /**
+     * @return TokenInterface The token containing the refreshed (changed) user
+     */
+    public function getToken(): TokenInterface
+    {
+        return $this->token;
+    }
+
+    /**
+     * @return UserInterface The original user
+     */
+    public function getUser(): UserInterface
+    {
+        return $this->user;
+    }
+}
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -28,6 +28,7 @@
 use Symfony\Component\Security\Core\Role\SwitchUserRole;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
 
 /**
  * ContextListener manages the SecurityContext persistence through a session.
@@ -225,6 +226,11 @@ protected function refreshUser(TokenInterface $token)
                 $this->logger->debug('Token was deauthenticated after trying to refresh it.');
             }
 
+            if (null !== $this->dispatcher) {
+                $token->setUser($refreshedUser);
+                $this->dispatcher->dispatch(new DeauthenticatedEvent($token, $user), DeauthenticatedEvent::class);
+            }
+
             return null;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php
@@ -31,6 +31,7 @@
 use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
 use Symfony\Component\Security\Http\Firewall\ContextListener;
 
 class ContextListenerTest extends TestCase
@@ -313,6 +314,30 @@ public function testAcceptsProvidersAsTraversable()
         $this->assertSame($refreshedUser, $tokenStorage->getToken()->getUser());
     }
 
+    public function testDeauthenticatedEvent()
+    {
+        $tokenStorage = new TokenStorage();
+        $refreshedUser = new User('foobar', 'baz');
+
+        $user = new User('foo', 'bar');
+        $session = new Session(new MockArraySessionStorage());
+        $session->set('_security_context_key', serialize(new UsernamePasswordToken($user, '', 'context_key', ['ROLE_USER'])));
+
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set('MOCKSESSID', true);
+
+        $eventDispatcher = new EventDispatcher();
+        $eventDispatcher->addListener(DeauthenticatedEvent::class, function ($event) use ($user) {
+            $this->assertEquals($event->getWrappedEvent()->getUser(), $user);
+        });
+
+        $listener = new ContextListener($tokenStorage, [new NotSupportingUserProvider(), new SupportingUserProvider($refreshedUser)], 'context_key', null, $eventDispatcher);
+        $listener(new RequestEvent($this->getMockBuilder(HttpKernelInterface::class)->getMock(), $request, HttpKernelInterface::MASTER_REQUEST));
+
+        $this->assertNull($tokenStorage->getToken());
+    }
+
     protected function runSessionOnKernelResponse($newToken, $original = null)
     {
         $session = new Session(new MockArraySessionStorage());
