Skip to content

[Security] bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider #11058

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
wants to merge 1 commit into from
Closed

[Security] bug #10242 Missing checkPreAuth from RememberMeAuthenticationProvider #11058

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion ...fony/Component/Security/Core/Authentication/Provider/RememberMeAuthenticationProvider.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -50,7 +50,7 @@ public function authenticate(TokenInterface $token)
}

$user = $token->getUser();
$this->userChecker->checkPostAuth($user);
$this->userChecker->checkPreAuth($user);
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

IMO, adding the preAuth check is good, but postAuth should not be removed

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's something i was thinking about, but i followed this pr : #9902
and prefered to stay consistent with.

postauth check if credentials are fresh enough (if i'm not wrong), i focused on triger critical checks performed by preAuth checks

it's a matter of remeberme feature ... I can't decide this alone

Anyway, thanks for your remark

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I am the one who suggested @glutamatt to remove it.

As discussed here : glutamatt@e0730e0

PostCheck only checks for credentials expiration. I would think that could - but does not have to - prevent the user from logging in. It could just be a suggestion to change a password after X months.

Maybe I am wrong, but if it should always prevent from loging in, why is there 2 separate checks, pre-check and post-check ? Why not everything in the same global check ?


$authenticatedToken = new RememberMeToken($user, $this->providerKey, $this->key);
$authenticatedToken->setAttributes($token->getAttributes());
Expand Down
20 changes: 8 additions & 12 deletions ...nent/Security/Core/Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -12,7 +12,7 @@
namespace Symfony\Component\Security\Core\Tests\Authentication\Provider;

use Symfony\Component\Security\Core\Authentication\Provider\RememberMeAuthenticationProvider;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Exception\DisabledException;
use Symfony\Component\Security\Core\Role\Role;

class RememberMeAuthenticationProviderTest extends \PHPUnit_Framework_TestCase
Expand Down Expand Up @@ -45,15 +45,14 @@ public function testAuthenticateWhenKeysDoNotMatch()
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\AccountExpiredException
* @expectedException \Symfony\Component\Security\Core\Exception\DisabledException
*/
public function testAuthenticateWhenPostChecksFails()
public function testAuthenticateWhenPreChecksFails()
{
$userChecker = $this->getMock('Symfony\Component\Security\Core\User\UserCheckerInterface');
$userChecker->expects($this->once())
->method('checkPostAuth')
->will($this->throwException($this->getMock('Symfony\Component\Security\Core\Exception\AccountExpiredException', null, array(), '')))
;
->method('checkPreAuth')
->will($this->throwException(new DisabledException()));

$provider = $this->getProvider($userChecker);

Expand All @@ -65,8 +64,7 @@ public function testAuthenticate()
$user = $this->getMock('Symfony\Component\Security\Core\User\UserInterface');
$user->expects($this->exactly(2))
->method('getRoles')
->will($this->returnValue(array('ROLE_FOO')))
;
->will($this->returnValue(array('ROLE_FOO')));

$provider = $this->getProvider();

Expand All @@ -86,16 +84,14 @@ protected function getSupportedToken($user = null, $key = 'test')
$user
->expects($this->any())
->method('getRoles')
->will($this->returnValue(array()))
;
->will($this->returnValue(array()));
}

$token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\RememberMeToken', array('getProviderKey'), array($user, 'foo', $key));
$token
->expects($this->once())
->method('getProviderKey')
->will($this->returnValue('foo'))
;
->will($this->returnValue('foo'));

return $token;
}
Expand Down