[SECURITY] AbstractAuthenticationListener.php error instead info. #28462
Conversation
```
[2018-09-13 20:43:38] security.INFO: Authentication request failed. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException(code: 0): An exception occurred while executing
...
Doctrine\\DBAL\\Driver\\PDOException(code: 42S22): SQLSTATE[42S22]: Column not found: 1054 Unknown column 't0.phone' in 'field list' at
```
Defenitely I think this is NOT info, but error.
| Q | A
| ------------- | ---
| Branch? | 3.8
| Bug fix? | yes
| New feature? | no
| BC breaks? | no I think
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | ...
| License | MIT
|
This means all failed authentication attempts will now be logged as error which is not right either. We need to differentiate between errors in the authentication process and failed authentication attempts to determine the logging level here. |
|
@jvasseur thank you for your response. How do we do that? What are exceptions for non-errors? What about that: at the top of that exception it says:
|
|
@Warxcell checking if the exception is an instance of |
Use Symfony\Component\Security\Core\Exception\AuthenticationServiceException to determine logging level
Fix coding standarts
|
What I would do is in case of But that means BC-Break - so I'm just changing the logging level. |
|
I've done a quick search where this exception is being used.
|
|
I can help with a patch (reviewing), but I do not have time myself to do this in-between at the moment |
|
So what should be done? If it's error log in app channel, if not - log in security channel? |
|
@iltar I think we need your help here :) |
That's actually not a bad idea at all 😮 |
|
@iltar how can this be done? sending 2 different loggers with tag |
|
@linaori Might be a great PR for the upcoming hackaton :) |
|
Do we have a label for the hackathon? It might be nice to tag a bunch of issues so we can plow through them. |
|
@linaori yes, we've created a special label for that event:
|
|
@linaori I've just read the entire discussion and your well researched arguments, and I'm now thinking why we're not raising the log level to ERROR as a whole as indeed our existing implementations act like that and the class is documented to work like that. I don't see the INFO case any more other than to maintain some kind of fake B/C with existing applications and bundles that somehow count on it being info. To be honest, I don't consider that a B/C breakage as the docs were there to indicate it always should have been an error. |
|
(rebase needed) |
…ror instead info.
…stead info. Rebase of #28462 (berezuev) This PR was merged into the 4.4 branch. Discussion ---------- [SECURITY] AbstractAuthenticationListener.php error instead info. Rebase of #28462 | Q | A | ------------- | --- | Branch? | 4.4 | -- | -- | Bug fix? | yes | New feature? | no | BC breaks? | no I think | Deprecations? | no | Tests pass? | yes | Fixed tickets | ... | License | MIT Rebase of #28462. Origin description: > ``` > [2018-09-13 20:43:38] security.INFO: Authentication request failed. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\AuthenticationServiceException(code: 0): An exception occurred while executing > ... > Doctrine\\DBAL\\Driver\\PDOException(code: 42S22): SQLSTATE[42S22]: Column not found: 1054 Unknown column 't0.phone' in 'field list' at > ``` > > Definitely I think this is NOT info, but error. > And since it's info, it's not logged in production because of `fingers_crossed` with `action_level: error` - so to actually see the real error behind `Authentication request could not be processed due to a system problem.` I had to debug on production. Very bad practice IMHO. Commits ------- 867eb78 [SECURITY] AbstractAuthenticationListener.php error instead info. Rebase of #28462
|
Something seems to wrong with this commit. Now every failed login attempts are logged as errors.
... and every time I receive a mail to warn me about this... |
|
@Fl0ux it's not because of that. As you can see - it's closed, not merged. |
|
It's merged in 87a6f04 actually. |
|
Ok, I will create a new bug report in this case. |
|
@nicolas-grekas but it's slightly different from my PR. I excluded these exceptions. I was logging only system errors, not every failed login because of credentials. |
…nfo. Rebase of symfony#28462" This reverts commit 867eb78.
…nfo. Rebase of symfony#28462" This reverts commit 867eb78.
…r instead info" (larzuk91) This PR was submitted for the master branch but it was merged into the 4.4 branch instead. Discussion ---------- [Security] Revert "AbstractAuthenticationListener.php error instead info" | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #34836 | License | MIT This reverts commit 867eb78. After that change, every failed login attempt is logged as an error. It's flooding our errors log channel Commits ------- 9d306f9 [SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of #28462"
* 4.4: (21 commits) fix merge CS [FrameworkBundle][ContainerLintCommand] Improve messages when the kernel or the container is not supported [Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer stop using deprecated Doctrine persistence classes [Cache] Fix wrong classname in deprecation message Fix regex lookahead syntax in ApplicationTest Fixed syntax in comment [SecurityBundle][FirewallMap] Remove unused property [Messenger][AMQP] Use delivery_mode=2 by default [FrameworkBundle][DependencyInjection] Skip removed ids in the lint container command and its associated pass [SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of #28462" [FrameworkBundle][Secrets] Hook configured local dotenv file [DI] Improve performance of processDefinition fix redis multi host dsn not recognized fix constructor argument type declaration Fix invalid Windows path normalization [Validator][ConstraintValidator] Safe fail on invalid timezones [DoctrineBridge] Fixed submitting invalid ids when using queries with limit [FrameworkBundle] Add info & example to auto_mapping config ...
* 5.0: (21 commits) fix merge CS [FrameworkBundle][ContainerLintCommand] Improve messages when the kernel or the container is not supported [Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer stop using deprecated Doctrine persistence classes [Cache] Fix wrong classname in deprecation message Fix regex lookahead syntax in ApplicationTest Fixed syntax in comment [SecurityBundle][FirewallMap] Remove unused property [Messenger][AMQP] Use delivery_mode=2 by default [FrameworkBundle][DependencyInjection] Skip removed ids in the lint container command and its associated pass [SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of #28462" [FrameworkBundle][Secrets] Hook configured local dotenv file [DI] Improve performance of processDefinition fix redis multi host dsn not recognized fix constructor argument type declaration Fix invalid Windows path normalization [Validator][ConstraintValidator] Safe fail on invalid timezones [DoctrineBridge] Fixed submitting invalid ids when using queries with limit [FrameworkBundle] Add info & example to auto_mapping config ...
…nfo. Rebase of symfony#28462" This reverts commit 867eb78.
* 4.4: (21 commits) fix merge CS [FrameworkBundle][ContainerLintCommand] Improve messages when the kernel or the container is not supported [Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer stop using deprecated Doctrine persistence classes [Cache] Fix wrong classname in deprecation message Fix regex lookahead syntax in ApplicationTest Fixed syntax in comment [SecurityBundle][FirewallMap] Remove unused property [Messenger][AMQP] Use delivery_mode=2 by default [FrameworkBundle][DependencyInjection] Skip removed ids in the lint container command and its associated pass [SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of symfony#28462" [FrameworkBundle][Secrets] Hook configured local dotenv file [DI] Improve performance of processDefinition fix redis multi host dsn not recognized fix constructor argument type declaration Fix invalid Windows path normalization [Validator][ConstraintValidator] Safe fail on invalid timezones [DoctrineBridge] Fixed submitting invalid ids when using queries with limit [FrameworkBundle] Add info & example to auto_mapping config ...
* 5.0: (21 commits) fix merge CS [FrameworkBundle][ContainerLintCommand] Improve messages when the kernel or the container is not supported [Serializer] Skip uninitialized (PHP 7.4) properties in PropertyNormalizer and ObjectNormalizer stop using deprecated Doctrine persistence classes [Cache] Fix wrong classname in deprecation message Fix regex lookahead syntax in ApplicationTest Fixed syntax in comment [SecurityBundle][FirewallMap] Remove unused property [Messenger][AMQP] Use delivery_mode=2 by default [FrameworkBundle][DependencyInjection] Skip removed ids in the lint container command and its associated pass [SECURITY] Revert "AbstractAuthenticationListener.php error instead info. Rebase of symfony#28462" [FrameworkBundle][Secrets] Hook configured local dotenv file [DI] Improve performance of processDefinition fix redis multi host dsn not recognized fix constructor argument type declaration Fix invalid Windows path normalization [Validator][ConstraintValidator] Safe fail on invalid timezones [DoctrineBridge] Fixed submitting invalid ids when using queries with limit [FrameworkBundle] Add info & example to auto_mapping config ...
Definitely I think this is NOT info, but error.
And since it's info, it's not logged in production because of
fingers_crossedwithaction_level: error- so to actually see the real error behindAuthentication request could not be processed due to a system problem.I had to debug on production. Very bad practice IMHO.