[Security] Make statefull pages NOT turn responses private when the token is not used #28089
Conversation
d53fee4 to
e47281f
Compare
|
Now tested and green, ready. |
e47281f to
6fc67d4
Compare
| @@ -30,7 +30,7 @@ public function __construct(TokenStorageInterface $tokenStorage) | |||
| public function __invoke(array $records) | |||
| { | |||
| $records['extra']['token'] = null; | |||
| if (null !== $token = $this->tokenStorage->getToken()) { | |||
| if (null !== $token = $this->tokenStorage->getToken(false)) { | |||
There was a problem hiding this comment.
I have the feeling this is a step backwards in terms of code quality 😢
When I see this and then look at the interface I'm confused:
So here we kind of code against the implementation UsageTrackingTokenStorage and not against the abstraction/interface anymore.
There was a problem hiding this comment.
Also if someone decorated the original security.token_storage service this will not work properly, right? (as the argument will be missing in any parent::getToken() call because its simply not part of the contract).
There was a problem hiding this comment.
we kind of code against the implementation UsageTrackingTokenStorage
fixed by adding a new UsageTrackingTokenStorageInterface
if someone decorated the original security.token_storage service this will not work properly, right?
The behavior will be the same as currently. That's the typical downside with service decoration: you're required to adapt to changes done at the decorated level. It's not very different from being required to write new code to leverage any new features. There is no way around.
There was a problem hiding this comment.
the issue here is that your new interface adds a new argument to the same method, making it really weird for decorators
There was a problem hiding this comment.
I don't understand what/why this is weird. This works fine.
There was a problem hiding this comment.
@stof I think that's OK. We don't want ppl to have to use two different methods for fetching the token. And this is in a separate interface (UsageTrackingTokenStorageInterface) so that's documented. We don't want ppl to decorate blindly btw.
9acbebc to
2ee4f02
Compare
|
I'm putting this on-hold because I think we can get rid of the Status: needs work |
2ee4f02 to
4b1277a
Compare
|
Any news on this one? Can we close #27817? |
|
Not yet, I'll keep you posted. |
|
hello, I have just encountered this "issue". Which is not cool for performances :D My current workaround if (useful for others) is a listener where I disabled this feature for now Note that I agree with the concept when this will work. If we read the session, then that's private. That makes sense ;) (but only if we really read it) |
|
@nicolas-grekas using the usageIndex, seems like a hack. Could it be better to load/start the session only when the token is really used ? |
|
@wadjeroudi that wouldn't work as soon as subrequests are involved, especially when |
|
Continued in #33663, please review there now. |
…ate only when needed (nicolas-grekas) This PR was merged into the 4.4 branch. Discussion ---------- [Security] Make stateful firewalls turn responses private only when needed | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | no | New feature? | yes | BC breaks? | no | Deprecations? | no | Tests pass? | yes | Fixed tickets | #26769 *et al.* | License | MIT | Doc PR | - Replaces #28089 By taking over session usage tracking and replacing it with token usage tracking, we can prevent responses that don't actually use the token from turning responses private without changing anything to the lifecycle of security listeners. This makes the behavior much more seamless, allowing to still log the user with the monolog processor, and display it in the profiler toolbar. This works by using two separate token storage services: - `security.token_storage` now tracks access to the token and increments the session usage tracker when needed. This is the service that is injected in userland. - `security.untracked_token_storage` is a raw token storage that just stores the token and is disconnected from the session. This service is injected in places where reading the session doesn't impact the generated output in any way (as e.g. in Monolog processors, etc.) Commits ------- 20df3a1 [Security] Make stateful firewalls turn responses private only when needed
Replaces #27817
By taking over session usage tracking and replacing it with token usage tracking, we can prevent responses that don't actually use the token from turning responses private without changing anything to the lifecycle of security listeners. This makes the behavior much more seamless, allowing to still log the user with the monolog processor, and display it in the profiler toolbar.