UserProvider not called after initial login when multiple user providers #29652

HTMLGuyLLC opened this issue Dec 19, 2018 · 3 comments (Closed)


HTMLGuyLLC commented Dec 19, 2018

Symfony version(s) affected: 4.2.1

Description
The api_provider is being used to refresh the user for the main firewall instead of the api_provider.
Is it me, or a bug in Symfony?

How to reproduce
Security.yml:

providers:
    api_provider:
        id: App\Security\APIProvider
    user_provider:
        id: App\Security\UserProvider
firewalls:
    dev:
        # assets and profiler
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false

    api:
        host: ^(api\.mydomain\.com|crm-api\.localhost|dev-api\.mydomain\.com)$
        stateless: true
        provider: api_provider
        guard:
            authenticators:
                - App\Security\APIAuthenticator

    #the main firewall
    main:
        #guard will run the form authenticator on each request
        guard:
            authenticators:
                - App\Security\FormAuthenticator
        provider: user_provider
        switch_user: { role: ROLE_IMPERSONATE_USER, parameter: _switch_user }
        anonymous: ~

        #the path /logout should logout our user and send them to /login
        logout:
            path:   /logout
            target: /login
@HTMLGuyLLC HTMLGuyLLC changed the title FormAuthenticator not called after initial login FormAuthenticator not called after initial login when multiple user providers Dec 19, 2018
@HTMLGuyLLC HTMLGuyLLC changed the title FormAuthenticator not called after initial login when multiple user providers UserProvider not called after initial login when multiple user providers Dec 19, 2018
HTMLGuyLLC commented Dec 19, 2018

I see in the ContextListener that refreshUser() in my APIProvider needs to throw an exception to be skipped. Doesn't make much sense since the firewall doesn't apply to this host or url pattern. Why would you still test the user provider? Since my api firewall is stateless, I didn't think I had to do anything inside my refreshUser method. Kinda unintuitive, don't you think? I suggest you filter down the user providers by the firewalls that apply to the current request before looping through and testing them OR at least call the supportsClass() method before trying to refreshUser()...

catch (UnsupportedUserException $e) {
    // let's try the next user provider

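As an added illustration of the contract the comment above describes (this is not code from the issue, its pull request, or Symfony itself): a minimal API user provider whose refreshUser() throws UnsupportedUserException for users it does not manage, next to a simplified loop that mirrors the skip-on-exception behaviour of the ContextListener. ApiUser, ApiProvider and refreshWithProviders() are assumed names; the interfaces and exception classes are Symfony's.

```php
<?php
// Added example, not from the issue or from Symfony. ApiUser, ApiProvider and
// refreshWithProviders() are hypothetical names; the imported types are Symfony's.
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;

final class ApiProvider implements UserProviderInterface
{
    public function loadUserByUsername($username)
    {
        // Stateless API firewall: credentials are checked per request by the authenticator.
        throw new UsernameNotFoundException(sprintf('No API user "%s".', $username));
    }

    public function refreshUser(UserInterface $user)
    {
        // Without this guard the listener would accept whatever is returned here, so a
        // session user belonging to the main firewall would be "refreshed" by the wrong provider.
        if (!$this->supportsClass(get_class($user))) {
            throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_class($user)));
        }
        return $user; // API users are never stored in a session, so there is nothing to reload
    }

    public function supportsClass($class)
    {
        return ApiUser::class === $class || is_subclass_of($class, ApiUser::class);
    }
}

/**
 * Simplified stand-in for the provider loop in ContextListener: every registered
 * provider is tried in order, and only UnsupportedUserException moves on to the next one.
 *
 * @param UserProviderInterface[] $providers
 */
function refreshWithProviders(array $providers, UserInterface $user): ?UserInterface
{
    foreach ($providers as $provider) {
        try {
            return $provider->refreshUser($user);
        } catch (UnsupportedUserException $e) {
            // let's try the next user provider
        }
    }
    return null; // no provider could refresh the user: the token is dropped
}
```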
HTMLGuyLLC (author) commented

I created a crappy pull request showing a simplistic solution. I really think it would be best to skip user providers that don't apply to the current firewall though. #29653

chalasr commented Feb 20, 2020

Fixed by #35065. Thank you for starting the work and thanks @linaori for taking over.

@chalasr chalasr closed this as completed Feb 20, 2020