[Security] Cannot autowire custom LoginFormAuthenticator in a controller action #59091

ebitkov · 2024-12-04T15:36:08Z

Symfony version(s) affected

7.2

Description

This may be related to #59071.

I have a custom authenticator extending the builtin AbstractLoginFormAuthenticator. I autowire it into the register action of my SecurityController, so I can authenticate newly registered users, so they can continue the process they are currently in without the need to verify their data at this point:

class SecurityController extends AbstractController {
    # ...
  
    public function register(
        App\Security\LoginFormAuthenticator $customAuthenticator,
        # ...
    ) {
        # ...
    }

After upgrading to 7.2, this throws an exception:

App\Controller\SecurityController::register(): Argument #3 ($customAuthenticator) must be of type App\Security\LoginFormAuthenticator, Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator given

A quick debug of the service shows, that the dev environment seems to wrap it automatically into the TracableAuthenticator class:

> symfony console debug:container App\Security\LoginFormAuthenticator


// This service is a private alias for the service debug.App\Security\LoginFormAuthenticator                           

Information for Service "debug.App\Security\LoginFormAuthenticator"
===================================================================

 Collects info about an authenticator for debugging purposes.

 ---------------- ----------------------------------------------------------------------------------------------------------------------- 
  Option           Value                                                                                                                  
 ---------------- ----------------------------------------------------------------------------------------------------------------------- 
  Service ID       debug.App\Security\LoginFormAuthenticator                                                                              
  Class            Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticator                                             
  Tags             container.decorator (id: App\Security\LoginFormAuthenticator, inner: debug.App\Security\LoginFormAuthenticator.inner)  
  Public           no                                                                                                                     
  Synthetic        no                                                                                                                     
  Lazy             no                                                                                                                     
  Shared           yes                                                                                                                    
  Abstract         no                                                                                                                     
  Autowired        no                                                                                                                     
  Autoconfigured   no                                                                                                                     
  Usages           App\Security\LoginFormAuthenticator                                                                                    
                   security.command.debug_firewall                                                                                        
                   security.authenticator.manager.main                                                                                    
                   security.exception_listener.main                                                                                       
                   .service_locator.vgziCoP                                                                                               
                   .service_locator.j9y68NC                                                                                               
 ---------------- ----------------------------------------------------------------------------------------------------------------------- 

 ! [NOTE] The "App\Security\LoginFormAuthenticator" service or alias has been removed or inlined when the container was 
 !        compiled.

Switching to the prod environment seems to "fix" the problem.

How to reproduce

Create a new class App\Security\LoginFormAuthenticator extending Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator. Define the abstract methods and configure it in your configurations:

# config/packages/security.yaml

security:
    firewalls:
        main:
            custom_authenticators:
                - App\Security\LoginFormAuthenticator

Now, create a new class App\Controller\SecurityController with an method register and try to autowire the newly created authenticator via a method parameter:

class SecurityController extends AbstractController
{
    #[Route(path: '/register')]
    public function register(
        App\Security\LoginFormAuthenticator $customAuthenticator,
    ): Response {
        # ...
    }
}

Accessing the route (https://127.0.0.1:8000/register) throws the described exception.

Possible Solution

No response

Additional Context

No response

The text was updated successfully, but these errors were encountered:

amilaev · 2024-12-06T15:38:09Z

Same for me. However, the error disappears if I remove the custom_authenticators option.

Marv51 · 2024-12-10T11:34:44Z

I have the same issue when upgrading to 7.2:

I changed my controller to this:

#[Route("/something", methods:["GET", "POST"])]
    public function doSomethingAction(
    #[Autowire(service: 'App\Security\AppCustomAuthentiatorAuthenticator')]
    AuthenticatorInterface $appCustomAuthentiatorAuthenticator)
{
// ....

And that seems to work?

yblatti · 2024-12-12T15:23:45Z

Had the same problem.

To me, it looks like all authenticators are wrapped/decorated now (06f7876#diff-5eece14c3eaf711243f93091c28eb0a6e3dc4e0af44830f87ee0cb436dd39460R644).

In my code I autowire my CustomLoginFormAuthenticator by its class. In 7.2 the decorated service type won't match.

I changed it to AuthenticatorInterface, and specified my CustomLoginFormAuthenticator class as an argument in services.yaml or with the Autowire attribute (thanks @Marv51 !).

Before :

class ProgrammaticUserAuthenticator
{
    public function __construct(private UserAuthenticatorInterface $authenticator, private CustomLoginFormAuthenticator $customFormAuthenticator, private TokenStorageInterface $tokenStorage)

After (services.yaml) :

class ProgrammaticUserAuthenticator
{
    public function __construct(private UserAuthenticatorInterface $authenticator, private AuthenticatorInterface $customFormAuthenticator, private TokenStorageInterface $tokenStorage)

services:
    App\User\Security\ProgrammaticUserAuthenticator:
        class: App\User\Security\ProgrammaticUserAuthenticator
        arguments:
            - '@security.authenticator.manager.main'
            - '@App\User\Security\Authenticator\CustomLoginFormAuthenticator'
            - '@security.token_storage'

After (Autowire attribute) :

class ProgrammaticUserAuthenticator
{
    public function __construct(private UserAuthenticatorInterface $authenticator, #[Autowire(service: 'App\User\Security\Authenticator\CustomLoginFormAuthenticator')] private AuthenticatorInterface $customFormAuthenticator, private TokenStorageInterface $tokenStorage)

Seems to work :)

chalasr · 2024-12-12T15:30:55Z

Although we should certainly try to fix this regression, using the interface as type and wiring the concrete authenticator’s service id explicitly e.g. using #[Autowire] is the way to go. An even better path is to not inject the authenticator at all and rely on the Security helper instead.

MatTheCat · 2024-12-23T16:05:53Z

@ebitkov #59278 should fix your issue; could you check it works please? 🙏

…their traceable version (MatTheCat) This PR was squashed before being merged into the 7.2 branch. Discussion ---------- [SecurityBundle] Do not replace authenticators service by their traceable version | Q | A | ------------- | --- | Branch? | 7.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Issues | Fix #59071, fix #59091 | License | MIT Commits ------- d44b7af [SecurityBundle] Do not replace authenticators service by their traceable version

ebitkov · 2025-01-15T13:16:38Z

@ebitkov #59278 should fix your issue; could you check it works please? 🙏

Even tho my reply is not need here anymore, just for the sake of completeness: Yes, it works. Thank you all <3

ebitkov added the Bug label Dec 4, 2024

carsonbot added Status: Needs Review Security labels Dec 4, 2024

MatTheCat mentioned this issue Dec 21, 2024

[SecurityBundle] Do not replace authenticators service by their traceable version #59278

Merged

fabpot closed this as completed Dec 30, 2024

tomasvts mentioned this issue Jan 9, 2025

Symfony 7.2: $authenticator must be ..., bad type given auth0/symfony#198

Open

4 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[Security] Cannot autowire custom LoginFormAuthenticator in a controller action #59091

[Security] Cannot autowire custom LoginFormAuthenticator in a controller action #59091

ebitkov commented Dec 4, 2024

amilaev commented Dec 6, 2024

Marv51 commented Dec 10, 2024

yblatti commented Dec 12, 2024

chalasr commented Dec 12, 2024

MatTheCat commented Dec 23, 2024

ebitkov commented Jan 15, 2025

[Security] Cannot autowire custom LoginFormAuthenticator in a controller action #59091

[Security] Cannot autowire custom LoginFormAuthenticator in a controller action #59091

Comments

ebitkov commented Dec 4, 2024

Symfony version(s) affected

Description

How to reproduce

Possible Solution

Additional Context

amilaev commented Dec 6, 2024

Marv51 commented Dec 10, 2024

yblatti commented Dec 12, 2024

chalasr commented Dec 12, 2024

MatTheCat commented Dec 23, 2024

ebitkov commented Jan 15, 2025