It makes be nervous that this method, by default, results in a user being successfully authenticated and requires throwing an exception in the case that the user should NOT be authenticated. In the case that a developer accidentally writes a bug that doesn't throw an exception in a complex (or any) setup, the mistake results in _users being authenticated that shouldn't have been._

I think a safer way to do this would be to explicitly return a value (perhaps a boolean) indicating whether the credential check was successful or not. In the GuardAuthenticationProvider you could very easily check this boolean value for falseness (in the case that someone doesn't return) and then throw an AuthenticationException to keep the rest of the logic in the Provider the same.

TLDR; Which is worse? Authenticating a user who has invalid credentials? Or not authenticating a user who has valid credentials? I guess I'd rather not take a chance with security. Thoughts?

👍

Not sure I agree - the same could be said for returning false. For example, if you collect the result in a boolean variable $valid which is returned, that variable could easily have the wrong truth value simply by mistaking && for || somewhere in your code.

The only way to prevent bugs like the one you described is by properly testing the authenticator. I don't think that throwing an exception vs. returning false makes any difference here.

see #16395

Heh, maybe I should look at the tip of 2.8 before I go commenting on old PRs. Sorry everyone.

@patrick-mcdougle No, thank you! I was trying to find you at the conference - I made a pull request within an hour after your asked this very good question - and wanted to tell you about it :).

to be consistent, use ::getUser()

I don't think these comments explain anything more (as it's just humanize(method_name) property_name).

Shouldn't the checkPostAuth() be done after createAuthenticatedToken()?

I have a small concern regarding the user checker though. Say that before querying anything to find a user, I want to check if the IP has a time out, how would I do it here?

In the old situation I would have created my own simple-authenticator which did this. After this PR, I'd have to put it in a GuardAuthenticatorInterface. Neither of those solutions seems feasible for me as I would have to create either a weird inheritance tree or duplicate code in my authenticators. It would be great for you (and others ofc!) to think with me on the following points:

• Would it be possible to use an actual FormType (with optional validation) here?
• Would it be possible to implement something related to symfony/security - tagging UserCheckerInterface #11090?

Regarding those points, after an x amount of failed attempts, I have to show a captcha which has to be displayed until either valid or another x attempts have failed. This bundle would add the 'captcha' type to a form which you can then re-use for both the validation and display. I want to do this before the authentication takes place (why query the database for a blocked IP). https://github.com/Gregwar/CaptchaBundle

Just a random brainfart
I can also imagine the possibility to automate certain validation points by using a FormType with constraints; With a data transformer to put the user in there automatically via a user provider based on the username.

A lot here :)

1. Actually, checkPostAuth() is right, but checkPreAuth() was wrong - it should happen right after fetching the User, but before checking credentials (see UserAuthenticationProvider). I've just split a method on the interface to make this possible and moved the checkPreAuth() in the provider. Thanks for asking about this - I hadn't really realized I had things in the wrong spot.

2. About the IP timeout idea, was this simpler with the simple-authenticator? Or are you saying that in both cases, you'd need to use inheritance or duplication to put the code into the "simple authenticator" or the "guard authenticator", so it's the same, but no better? I just commented on symfony/security - tagging UserCheckerInterface #11090 - I think it can be solved there.

3. We should avoid using forms or validation anywhere. But more importantly, the "guard authenticators" are so simple that you can do whatever you want, including using forms and validation.

Regarding point 2, It will be similar. In my case I've actually implement a custom UserChecker, which I manually had to inject (can't configure that at all). I've made a custom method called checkPreUserLoad() in a custom UserCheckerInterface implementation and created an abstract authenticator that all our different authentication classes (simple-form, simple-pre-auth) extend. In your implementation, I would probably put half of this inside the part where you get the values from the request and pass the captcha valid/invalid/not required from there.

I was wondering if it would be possible to tackle that problem while we are at it.

    public function checkPreUserLoad()
    {
        $request  = $this->request_stack->getCurrentRequest();
        $resolved = $this->login_ip_resolver->resolveStatus($request->getClientIp());

        if ($resolved->requiresBlock()) {
            throw new BlockThresholdExceededException('Too many failed login attempts, ip blocked');
        }

        if (!$resolved->requiresCaptcha()) {
            return;
        }
        // captcha is required
        $form = $this->form_factory->create('login', null, ['add_captcha' => true]);
        $form->handleRequest($request);

        // only check the captcha, there is currently no username/password validation
        if ($request->request->has('login') && $form->has('captcha')) {
            if ($form->isSubmitted() && !$form->get('captcha')->isValid()) {
                throw new InvalidCaptchaException('Provided captcha was not valid');
            }

            // captcha is valid, we can skip it
            return;
        }

        throw new CaptchaThresholdExceededException('Too many failed login attempts, captcha required');
    }

Would the user checker stuff in #11090 solve this? If not, what do you propose? This looks like a lot of business logic to me, and putting that either into the user checker or somewhere in the authenticator (or the authenticator calls out to another service which holds the logic) seems right and simple to me.

I think the solution I proposed in #11090 will in fact solve this issue. That is Backwards compatible, just need to modify the configuration for this factory.

Eventually I can use a service decorator to replace the security.user_checker and voila, everything magically works without needing to change this code.