[Security] Fix json_login default success/failure handling #22494
Conversation
f481ea2 to
9749618
Compare
| { | ||
| public function onAuthenticationSuccess(Request $request, TokenInterface $token) | ||
| { | ||
| return new JsonResponse(array('message' => sprintf('Good game @%s!', $token->getUsername()))); |
There was a problem hiding this comment.
do we have a standard style how we word such defaults?
There was a problem hiding this comment.
this is a custom success handler fixture :)
| @@ -117,6 +118,10 @@ public function handle(GetResponseEvent $event) | |||
| $response = $this->onFailure($request, $e); | |||
| } | |||
|
|
|||
| if (null === $response) { | |||
There was a problem hiding this comment.
what is the reason this is needed?
There was a problem hiding this comment.
In case of success, the listener just lets the original request succeeds so it doesn't return any response. Should it return a default success response instead?
|
great! thanks for implementing this. |
|
Thank you @chalasr. |
… (chalasr) This PR was merged into the 3.3-dev branch. Discussion ---------- [Security] Fix json_login default success/failure handling | Q | A | ------------- | --- | Branch? | 3.3 | Bug fix? | yes | New feature? | no | BC breaks? | no (master only) | Deprecations? | no | Tests pass? | yes | Fixed tickets | #22483 | License | MIT | Doc PR | n/a This makes the `json_login` listener default configuration stateless oriented by: - Not using the default (redirect based) failure handler, it returns a 401 (json) response containing the failure reason instead - Not using the default (redirect based) success handler, just let the original request continue instead (reaching the targeted resource without being redirected). - Setting `require_previous_session` to `false` by default (I have to set it on `form-login` each time I want it to be stateless) - Removing the options related to redirections (`default_target_path`, `login_path`, ...) from the listener factory, if one wants redirections then one has to write its own handlers, not the inverse Commits ------- 9749618 Fix json_login default success/failure handling
|
@chalasr does this mean that now I'm copying the configuration from https://symfony.com/doc/current/security/json_login_setup.html and I'm getting the following error on successful logins:
Which I think is because my controller is empty (as suggested by the documentation) and:
by default there is no success handler by default. I'm happy to submit a bug report, but I'm not sure if the bug is in the docs or in the code |
@arthens depending on your need, yes. This made To me the common workflow is to send username/password to a specific Docs need to be updated indeed, please submit an issue there and eventually ping me, I'll take care of the PR. Thanks! |
This PR was squashed before being merged into the 3.4 branch (closes #10467). Discussion ---------- Fix and improve JSON login docs Since symfony/symfony#22494, it's mandatory to return a valid response in the controller to prevent a 500 error. I've updated the docs accordingly, and added an example of what can be returned. This PR is similar to #9611 (that was right, sorry I just noticed). ping @vincentchalamon Commits ------- 570dce3 Fix and improve JSON login docs
This makes the
json_loginlistener default configuration stateless oriented by:require_previous_sessiontofalseby default (I have to set it onform-logineach time I want it to be stateless)default_target_path,login_path, ...) from the listener factory, if one wants redirections then one has to write its own handlers, not the inverse