
[Security-Http] ContextListener.refreshUser does not handle null users #59559

Closed as not planned
@jorrit

Symfony version(s) affected

7.3.0

Description

I have a custom security token implementation that returns null in getUser when the underlying token has expired. This is allowed by TokenInterface.

The method refreshUser of the ContextListener class contains this code:

```php
// Excerpt from ContextListener::refreshUser() as quoted in the report
$user = $token->getUser();

$userNotFoundByProvider = false;
$userDeauthenticated = false;
$userClass = $user::class; // fails when $user is null
```

When $user is null, this code fails. Perhaps this method should just return null when $user is null.

It may very well be that I shouldn't return null from getUser, but the fact that the interface allows it and refreshUser doesn't handle it might constitute a bug anyway.

How to reproduce

  1. Create a custom token class and use it in an authenticator.
  2. Open a secured page in Symfony that triggers ContextListener.authenticate().

Possible Solution

Return null early in ContextListener.refreshUser when $user is null.

Additional Context

No response
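As an added illustration of the reporter's suggested fix (not Symfony's own code: UserLike, TokenLike, ExpiringToken and the two refreshUser* functions are simplified stand-ins assumed here), this shows why `$user::class` throws on a null user and how an early return turns an expired token into "no session" instead of an uncaught error:

```php
<?php
// Added example, not Symfony code. Minimal stand-ins for TokenInterface and
// UserInterface; class and function names are assumptions for this demo.
interface UserLike { public function getUserIdentifier(): string; }
interface TokenLike { public function getUser(): ?UserLike; }

final class DemoUser implements UserLike {
    public function __construct(private string $id) {}
    public function getUserIdentifier(): string { return $this->id; }
}

// Token whose getUser() returns null once its expiry has passed, which is
// the behaviour the issue describes and which TokenInterface permits.
final class ExpiringToken implements TokenLike {
    public function __construct(private UserLike $user, private int $expiresAt) {}
    public function getUser(): ?UserLike {
        return time() < $this->expiresAt ? $this->user : null;
    }
}

// Mirrors the failing statement: `$user::class` on null throws a TypeError
// in PHP 8 ("Cannot use "::class" on value of type null").
function refreshUserUnguarded(TokenLike $token): ?TokenLike {
    $user = $token->getUser();
    $userClass = $user::class; // TypeError when $user is null
    return $token;
}

// The suggested fix: return null before touching the user object, so an
// expired token yields no authenticated context rather than a 500 response.
function refreshUserGuarded(TokenLike $token): ?TokenLike {
    $user = $token->getUser();
    if (null === $user) {
        return null;
    }
    $userClass = $user::class;
    return $token;
}

// Constructed input: a token that expired one minute ago.
$expired = new ExpiringToken(new DemoUser('alice'), time() - 60);
try {
    refreshUserUnguarded($expired);
} catch (TypeError $e) {
    echo "unguarded: " . $e->getMessage() . PHP_EOL;
}
var_dump(refreshUserGuarded($expired)); // NULL

// A still-valid token passes through the guard untouched.
$valid = new ExpiringToken(new DemoUser('alice'), time() + 3600);
var_dump(refreshUserGuarded($valid) === $valid); // bool(true)
```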