[Security] Fixed auth provider authenticate() cannot return void #24644


Merged: 1 commit merged into symfony:2.7 from authenticate_cannot_return_void on Oct 20, 2017

Conversation

@glye glye commented Oct 20, 2017

| Q             | A
| ------------- | ---
| Branch?       | 2.7 and up
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no (arguably)
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

The AuthenticationManagerInterface requires that authenticate() must return a TokenInterface, never null. Several authentication providers are violating this. Changed to throw an exception instead.

See discussion in earlier PR #24585 which was changing the docblock rather than the implementations.
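The failure mode the PR description refers to, as an added example that is not code from Symfony or from this PR: a provider that silently returns null for an unsupported token beside one that throws, and a caller that trusts the documented contract. The interfaces and classes here are hypothetical minimal stand-ins for Symfony's TokenInterface, AuthenticationProviderInterface and AuthenticationException so the script runs without the framework installed.

```php
<?php
declare(strict_types=1);

// Added example for this PR discussion; not code from Symfony or from the PR.
// The types below are hypothetical stand-ins for Symfony's TokenInterface,
// AuthenticationProviderInterface and AuthenticationException.

interface TokenInterface
{
    public function getUser();
}

interface AuthenticationProviderInterface
{
    public function supports(TokenInterface $token);

    /**
     * Contract (mirrors AuthenticationManagerInterface): returns a TokenInterface,
     * never null; failure is signalled by throwing AuthenticationException.
     */
    public function authenticate(TokenInterface $token);
}

class AuthenticationException extends \RuntimeException
{
}

class UsernamePasswordToken implements TokenInterface
{
    private $user;

    public function __construct($user)
    {
        $this->user = $user;
    }

    public function getUser()
    {
        return $this->user;
    }
}

class AnonymousToken implements TokenInterface
{
    public function getUser()
    {
        return 'anon.';
    }
}

/** "Before": returns void for an unsupported token, so the caller receives null. */
class LegacyProvider implements AuthenticationProviderInterface
{
    public function supports(TokenInterface $token)
    {
        return $token instanceof UsernamePasswordToken;
    }

    public function authenticate(TokenInterface $token)
    {
        if (!$this->supports($token)) {
            return; // contract violation: authenticate() must never return null
        }
        return new UsernamePasswordToken($token->getUser());
    }
}

/** "After": the shape the PR moves providers to, throwing instead of returning void. */
class FixedProvider extends LegacyProvider
{
    public function authenticate(TokenInterface $token)
    {
        if (!$this->supports($token)) {
            throw new AuthenticationException('The token is not supported by this authentication provider.');
        }
        return new UsernamePasswordToken($token->getUser());
    }
}

/**
 * A caller that trusts the documented contract, e.g. a custom listener invoking
 * a provider directly rather than through AuthenticationProviderManager.
 */
function handle(AuthenticationProviderInterface $provider, TokenInterface $token)
{
    try {
        $authenticated = $provider->authenticate($token);
        // With LegacyProvider this dereferences null: a PHP Error rather than an
        // AuthenticationException, so the normal "access denied" path is bypassed.
        return 'granted: ' . $authenticated->getUser();
    } catch (AuthenticationException $e) {
        return 'denied: ' . $e->getMessage();
    } catch (\Error $e) {
        return 'crash: ' . $e->getMessage();
    }
}

foreach ([new LegacyProvider(), new FixedProvider()] as $provider) {
    echo get_class($provider), ' / anonymous token -> ', handle($provider, new AnonymousToken()), PHP_EOL;
    echo get_class($provider), ' / username token  -> ', handle($provider, new UsernamePasswordToken('alice')), PHP_EOL;
}
```

Symfony's own AuthenticationProviderManager calls supports() before authenticate() and treats a null result as "try the next provider", which is why the description can say "BC breaks? no (arguably)": the exposure is in code that calls a provider directly and trusts the docblock. When surfacing the thrown exception to end users in real Symfony code, display getMessageKey() rather than getMessage(), since the latter carries the internal message.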

@@ -26,12 +26,15 @@ public function testSupports()
$this->assertFalse($provider->supports($this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock()));
}

/**
* @expectedException \Symfony\Component\Security\Core\Exception\BadCredentialsException
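Review bot: the `@expectedException` annotation in this test hunk only checks the exception class, so any BadCredentialsException raised anywhere inside authenticate() would satisfy it; add `@expectedExceptionMessage` with the exact message the provider throws for the unsupported-token branch so the test pins that path, and keep the class named here in step with the provider if it is later switched from BadCredentialsException to AuthenticationException, as the discussion below does.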
Reviewer (Member): You should also use @expectedExceptionMessage to be sure it is the right one being thrown.

glye (Contributor Author): Thanks, added.

@@ -38,7 +38,7 @@ public function __construct($key)
public function authenticate(TokenInterface $token)
{
if (!$this->supports($token)) {
return;
throw new BadCredentialsException('The token is not supported by this authentication provider.');
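Review bot: BadCredentialsException is the wrong class for the unsupported-token branch of authenticate(): reaching it means supports() is wrong or the caller skipped supports(), not that the user presented bad credentials, and callers that catch BadCredentialsException to produce a "wrong password" response would mislabel a programming error as a login failure. Throw the base class instead, `throw new AuthenticationException('The token is not supported by this authentication provider.');`, and check that the use statement for whichever class is chosen is present, since the hunk does not show the file's imports.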
Reviewer (Member): I would use AuthenticationException, not BadCredentialsException, as it is not a case of bad credentials (it is a case of a bug in the supports implementation or in the calling code ignoring supports).

glye (Contributor Author): Thanks, done.


glye commented Oct 20, 2017

Update: Use AuthenticationException. Add @expectedExceptionMessage.


stof commented Oct 20, 2017

@glye if you want to have the PR appearing as merged rather than closed, I suggest you squash your fixup commit yourself.
Otherwise, we will squash it at the time of merging the PR, but GitHub will then not recognize it as a merged PR (we are not using the GitHub UI to squash the commits, but the git CLI).

The AuthenticationManagerInterface requires that authenticate() must return a TokenInterface, never null.
Several authentication providers are violating this. Changed to throw exception instead.
@glye glye force-pushed the authenticate_cannot_return_void branch from 8eabff8 to 6e18b56 on October 20, 2017 14:24

glye commented Oct 20, 2017

Right! Squashed.

@nicolas-grekas nicolas-grekas added this to the 2.7 milestone Oct 20, 2017

fabpot commented Oct 20, 2017

Thank you @glye.

@fabpot fabpot merged commit 6e18b56 into symfony:2.7 Oct 20, 2017
fabpot added a commit that referenced this pull request Oct 20, 2017
…n void (glye)

This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Fixed auth provider authenticate() cannot return void

| Q             | A
| ------------- | ---
| Branch?       | 2.7 and up
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no (arguably)
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

The `AuthenticationManagerInterface` [requires](https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Core/Authentication/AuthenticationManagerInterface.php#L30) that `authenticate()` must return a TokenInterface, never null. Several authentication providers are violating this. Changed to throw exception instead.

See discussion in earlier PR #24585 which was changing the docblock rather than the implementations.

Commits
-------

6e18b56 [Security] Fixed auth provider authenticate() cannot return void
@glye glye deleted the authenticate_cannot_return_void branch October 23, 2017 07:07