From 35b97b920781ce6430fbb4ab1899463ae5c3fd5c Mon Sep 17 00:00:00 2001
From: Christian Flothmann
Date: Fri, 19 Jul 2024 09:42:17 +0200
Subject: [PATCH] pass the current token to the checkPostAuth() method of user checkers
---
 UPGRADE-7.2.md | 1 +
 src/Symfony/Component/Security/Core/CHANGELOG.md | 1 +
 .../Security/Core/User/ChainUserChecker.php | 12 ++++++++++--
 .../Security/Core/User/UserCheckerInterface.php | 2 +-
 src/Symfony/Component/Security/Http/CHANGELOG.md | 1 +
 .../Http/EventListener/UserCheckerListener.php | 2 +-
 .../Security/Http/Firewall/SwitchUserListener.php | 2 +-
 .../Tests/EventListener/UserCheckerListenerTest.php | 8 ++++++++
 .../Http/Tests/Firewall/SwitchUserListenerTest.php | 2 +-
 9 files changed, 25 insertions(+), 6 deletions(-)
diff --git a/UPGRADE-7.2.md b/UPGRADE-7.2.md
index a9bb8322d15f3..d5c8c2911cd7d 100644
--- a/UPGRADE-7.2.md
+++ b/UPGRADE-7.2.md
@@ -11,6 +11,7 @@ If you're upgrading from a version below 7.1, follow the [7.1 upgrade guide](UPG
 Security
 --------
+ * Add `$token` argument to `UserCheckerInterface::checkPostAuth()`
 * Deprecate argument `$secret` of `RememberMeToken` and `RememberMeAuthenticator`
 String
diff --git a/src/Symfony/Component/Security/Core/CHANGELOG.md b/src/Symfony/Component/Security/Core/CHANGELOG.md
index 208f0d4854305..ac99a3c0b243f 100644
--- a/src/Symfony/Component/Security/Core/CHANGELOG.md
+++ b/src/Symfony/Component/Security/Core/CHANGELOG.md
@@ -4,6 +4,7 @@ CHANGELOG
 7.2
 ---
+ * Add `$token` argument to `UserCheckerInterface::checkPostAuth()`
 * Deprecate argument `$secret` of `RememberMeToken`
 7.0
diff --git a/src/Symfony/Component/Security/Core/User/ChainUserChecker.php b/src/Symfony/Component/Security/Core/User/ChainUserChecker.php
index f889d35d55145..67fd76b9c1a55 100644
--- a/src/Symfony/Component/Security/Core/User/ChainUserChecker.php
+++ b/src/Symfony/Component/Security/Core/User/ChainUserChecker.php
@@ -11,6 +11,8 @@
 namespace Symfony\Component\Security\Core\User;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
 final class ChainUserChecker implements UserCheckerInterface
 {
 /**
@@ -27,10 +29,16 @@ public function checkPreAuth(UserInterface $user): void
 }
 }
- public function checkPostAuth(UserInterface $user): void
+ public function checkPostAuth(UserInterface $user /*, TokenInterface $token*/): void
 {
+ $token = 1 < \func_num_args() ? func_get_arg(1) : null;
+
 foreach ($this->checkers as $checker) {
- $checker->checkPostAuth($user);
+ if ($token instanceof TokenInterface) {
+ $checker->checkPostAuth($user, $token);
+ } else {
+ $checker->checkPostAuth($user);
+ }
 }
 }
 }
diff --git a/src/Symfony/Component/Security/Core/User/UserCheckerInterface.php b/src/Symfony/Component/Security/Core/User/UserCheckerInterface.php
index 480ba7b5c6176..2dc748aa7dc6b 100644
--- a/src/Symfony/Component/Security/Core/User/UserCheckerInterface.php
+++ b/src/Symfony/Component/Security/Core/User/UserCheckerInterface.php
@@ -35,5 +35,5 @@ public function checkPreAuth(UserInterface $user): void;
 *
 * @throws AccountStatusException
 */
- public function checkPostAuth(UserInterface $user): void;
+ public function checkPostAuth(UserInterface $user /*, TokenInterface $token*/): void;
 }
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
index b3d38d924e7d1..487deb4674f05 100644
--- a/src/Symfony/Component/Security/Http/CHANGELOG.md
+++ b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -4,6 +4,7 @@ CHANGELOG
 7.2
 ---
+ * Pass the current token to the `checkPostAuth()` method of user checkers
 * Deprecate argument `$secret` of `RememberMeAuthenticator`
 7.1
diff --git a/src/Symfony/Component/Security/Http/EventListener/UserCheckerListener.php b/src/Symfony/Component/Security/Http/EventListener/UserCheckerListener.php
index d5e0cc5edf07f..9de200dd3af51 100644
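Review bot: In `ChainUserChecker::checkPostAuth()` a second argument that is not a `TokenInterface` is discarded without any signal, and every chained checker is then called with the user only; a checker that applies a restriction based on the token would not apply it on that path. The two branches inside the `foreach` are not covered by any test in this patch (the diffstat lists no ChainUserChecker test), so I would add one case with a token and one without. The `instanceof` test does not depend on `$checker` and could be evaluated once before the loop. A short comment above the `$token = ...` line, e.g. `// the token is optional for callers still using the one-argument signature`, would make the fallback explicit.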
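Review bot: The docblock above `checkPostAuth()` in `UserCheckerInterface` still states only `@throws AccountStatusException`, so the commented-out `$token` argument has no written contract. Implementers need to know that the argument may be absent (`ChainUserChecker` in this patch forwards the user alone when it receives no token) and whose token it is, otherwise a check keyed on the token can silently not run. I would add a line such as `@param TokenInterface $token The current token; may be missing when the caller uses the one-argument signature`. The docblock starts outside the hunk, so this assumes no such line exists above.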
--- a/src/Symfony/Component/Security/Http/EventListener/UserCheckerListener.php
+++ b/src/Symfony/Component/Security/Http/EventListener/UserCheckerListener.php
@@ -47,7 +47,7 @@ public function postCheckCredentials(AuthenticationSuccessEvent $event): void
 return;
 }
- $this->userChecker->checkPostAuth($user);
+ $this->userChecker->checkPostAuth($user, $event->getAuthenticationToken());
 }
 public static function getSubscribedEvents(): array
diff --git a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
index 63b1f036b8abc..81707d75743ed 100644
--- a/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
+++ b/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php
@@ -163,7 +163,7 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
 $this->logger?->info('Attempting to switch to user.', ['username' => $username]);
- $this->userChecker->checkPostAuth($user);
+ $this->userChecker->checkPostAuth($user, $token);
 $roles = $user->getRoles();
 $originatedFromUri = str_replace('/&', '/?', preg_replace('#[&?]'.$this->usernameParameter.'=[^&]*#', '', $request->getRequestUri()));
diff --git a/src/Symfony/Component/Security/Http/Tests/EventListener/UserCheckerListenerTest.php b/src/Symfony/Component/Security/Http/Tests/EventListener/UserCheckerListenerTest.php
index 3d9da4028300a..f47af8f5d7bd1 100644
--- a/src/Symfony/Component/Security/Http/Tests/EventListener/UserCheckerListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/EventListener/UserCheckerListenerTest.php
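Review bot: In `attemptSwitchUser()` the checker now receives `$user`, the account being switched to, together with `$token`, which is assigned outside this hunk; if that is the token of the user requesting the switch, `$token->getUser()` and `$user` are different accounts. A user checker that reads roles or identity from the token while assuming it belongs to `$user` would evaluate the wrong account during impersonation. I would state this at the call, e.g. `// $token is the token of the user requesting the switch, not a token for $user`, and repeat it in the `UserCheckerInterface::checkPostAuth()` docblock.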
@@ -58,6 +58,14 @@ public function testPostAuthValidCredentials()
 $this->listener->postCheckCredentials(new AuthenticationSuccessEvent(new PostAuthenticationToken($this->user, 'main', [])));
 }
+ public function testTokenIsPassedToPost()
+ {
+ $token = new PostAuthenticationToken($this->user, 'main', []);
+ $this->userChecker->expects($this->once())->method('checkPostAuth')->with($this->user, $token);
+
+ $this->listener->postCheckCredentials(new AuthenticationSuccessEvent($token));
+ }
+
 private function createCheckPassportEvent($passport = null)
 {
 $passport ??= new SelfValidatingPassport(new UserBadge('test', fn () => $this->user));
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
index 46da56485d529..e7e96f7257a67 100644
--- a/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php
@@ -184,7 +184,7 @@ public function testSwitchUser()
 ->willReturn(true);
 $this->userChecker->expects($this->once())
- ->method('checkPostAuth')->with($this->callback(fn ($user) => 'kuba' === $user->getUserIdentifier()));
+ ->method('checkPostAuth')->with($this->callback(fn ($user) => 'kuba' === $user->getUserIdentifier()), $token);
 $listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager);
 $listener($this->event);
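Review bot: In `testTokenIsPassedToPost()` the expectation `->with($this->user, $token)` compares the token by equality, so a different token object with the same contents would also satisfy it. Since the point of the test is that the event's own token reaches the checker, `$this->identicalTo($token)` as the second `with()` argument pins that. The same applies to the changed `with(...)` line in `SwitchUserListenerTest::testSwitchUser()`, where `$token` is defined outside the hunk.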