NotificationsYou must be signed in to change notification settings
Fork9.6k
Star30.4k

Commit44b6ad7

committed

Show user account status errors

1 parent34994f1 commit44b6ad7Copy full SHA for 44b6ad7

File tree

10 files changed

+71

-10

lines changed

src/Symfony
- Bundle/SecurityBundle
  - DependencyInjection
    - MainConfiguration.php
    - SecurityExtension.php
  - Resources/config
- Component/Security
  - Core/Authentication/Provider
  - Guard/Firewall
    - GuardAuthenticationListener.php
  - Http/Authentication
    - AuthenticatorManager.php

10 files changed

+71

-10

lines changed

`‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -91,6 +91,7 @@ public function getConfigTreeBuilder()`
`91`	`91`	`->defaultValue(SessionAuthenticationStrategy::MIGRATE)`
`92`	`92`	`->end()`
`93`	`93`	`->booleanNode('hide_user_not_found')->defaultTrue()->end()`
	`94`	`+ ->booleanNode('show_account_status_exceptions')->defaultFalse()->end()`
`94`	`95`	`->booleanNode('always_authenticate_before_granting')`
`95`	`96`	`->defaultFalse()`
`96`	`97`	`->setDeprecated('symfony/security-bundle','5.4')`

`‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -170,6 +170,7 @@ public function load(array $configs, ContainerBuilder $container)`
`170`	`170`
`171`	`171`	`$container->setParameter('security.access.always_authenticate_before_granting',$config['always_authenticate_before_granting']);`
`172`	`172`	`$container->setParameter('security.authentication.hide_user_not_found',$config['hide_user_not_found']);`
	`173`	`+$container->setParameter('security.authentication.show_account_status_exceptions',$config['show_account_status_exceptions']);`
`173`	`174`
`174`	`175`	`if (class_exists(Application::class)) {`
`175`	`176`	`$loader->load('debug_console.php');`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,7 @@`
`50`	`50`	`service('logger')->nullOnInvalid(),`
`51`	`51`	`param('security.authentication.hide_user_not_found'),`
`52`	`52`	`service('security.token_storage'),`
	`53`	`+param('security.authentication.show_account_status_exceptions'),`
`53`	`54`	`])`
`54`	`55`	`->tag('monolog.logger', ['channel' =>'security'])`
`55`	`56`	`->deprecate('symfony/security-bundle','5.3','The "%service_id%" service is deprecated, use the new authenticator system instead.')`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php`

Lines changed: 1 addition & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -46,6 +46,7 @@`
`46`	`46`	`param('security.authentication.manager.erase_credentials'),`
`47`	`47`	`param('security.authentication.hide_user_not_found'),`
`48`	`48`	`abstract_arg('required badges'),`
	`49`	`+param('security.authentication.show_account_status_exceptions'),`
`49`	`50`	`])`
`50`	`51`	`->tag('monolog.logger', ['channel' =>'security'])`
`51`	`52`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_legacy.php`

Lines changed: 2 additions & 0 deletions

Original file line number	Diff line number	Diff line change
`@@ -122,6 +122,7 @@`
`122`	`122`	`abstract_arg('Provider-shared Key'),`
`123`	`123`	`service('security.password_hasher_factory'),`
`124`	`124`	`param('security.authentication.hide_user_not_found'),`
	`125`	`+param('security.authentication.show_account_status_exceptions'),`
`125`	`126`	`])`
`126`	`127`	`->deprecate('symfony/security-bundle','5.3','The "%service_id%" service is deprecated, use the new authenticator system instead.')`
`127`	`128`
`@@ -136,6 +137,7 @@`
`136`	`137`	`param('security.authentication.hide_user_not_found'),`
`137`	`138`	`abstract_arg('search dn'),`
`138`	`139`	`abstract_arg('search password'),`
	`140`	`+param('security.authentication.show_account_status_exceptions'),`
`139`	`141`	`])`
`140`	`142`	`->deprecate('symfony/security-bundle','5.3','The "%service_id%" service is deprecated, use the new authenticator system instead.')`
`141`	`143`

`‎src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -42,9 +42,9 @@ class DaoAuthenticationProvider extends UserAuthenticationProvider`
`42`	`42`	`/**`
`43`	`43`	`* @param PasswordHasherFactoryInterface $hasherFactory`
`44`	`44`	`*/`
`45`		`-publicfunction__construct(UserProviderInterface$userProvider,UserCheckerInterface$userChecker,string$providerKey,$hasherFactory,bool$hideUserNotFoundExceptions =true)`
	`45`	`+publicfunction__construct(UserProviderInterface$userProvider,UserCheckerInterface$userChecker,string$providerKey,$hasherFactory,bool$hideUserNotFoundExceptions =true,bool$showAccountStatusExceptions =false)`
`46`	`46`	`{`
`47`		`-parent::__construct($userChecker,$providerKey,$hideUserNotFoundExceptions);`
	`47`	`+parent::__construct($userChecker,$providerKey,$hideUserNotFoundExceptions,$showAccountStatusExceptions);`
`48`	`48`
`49`	`49`	`if ($hasherFactoryinstanceof EncoderFactoryInterface) {`
`50`	`50`	`trigger_deprecation('symfony/security-core','5.3','Passing a "%s" instance to the "%s" constructor is deprecated, use "%s" instead.', EncoderFactoryInterface::class,__CLASS__, PasswordHasherFactoryInterface::class);`

`‎src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php`

Lines changed: 2 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -42,9 +42,9 @@ class LdapBindAuthenticationProvider extends UserAuthenticationProvider`
`42`	`42`	`private$searchDn;`
`43`	`43`	`private$searchPassword;`
`44`	`44`
`45`		`-publicfunction__construct(UserProviderInterface$userProvider,UserCheckerInterface$userChecker,string$providerKey,LdapInterface$ldap,string$dnString ='{user_identifier}',bool$hideUserNotFoundExceptions =true,string$searchDn ='',string$searchPassword ='')`
	`45`	`+publicfunction__construct(UserProviderInterface$userProvider,UserCheckerInterface$userChecker,string$providerKey,LdapInterface$ldap,string$dnString ='{user_identifier}',bool$hideUserNotFoundExceptions =true,string$searchDn ='',string$searchPassword ='',bool$showAccountStatusExceptions =false)`
`46`	`46`	`{`
`47`		`-parent::__construct($userChecker,$providerKey,$hideUserNotFoundExceptions);`
	`47`	`+parent::__construct($userChecker,$providerKey,$hideUserNotFoundExceptions,$showAccountStatusExceptions);`
`48`	`48`
`49`	`49`	`$this->userProvider =$userProvider;`
`50`	`50`	`$this->ldap =$ldap;`

`‎src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php`

Lines changed: 18 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`
`12`	`12`	`namespaceSymfony\Component\Security\Core\Authentication\Provider;`
`13`	`13`
	`14`	`+useException;`
`14`	`15`	`useSymfony\Component\Security\Core\Authentication\Token\SwitchUserToken;`
`15`	`16`	`useSymfony\Component\Security\Core\Authentication\Token\TokenInterface;`
`16`	`17`	`useSymfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;`
`@@ -37,11 +38,12 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter`
`37`	`38`	`private$hideUserNotFoundExceptions;`
`38`	`39`	`private$userChecker;`
`39`	`40`	`private$providerKey;`
	`41`	`+private$showAccountStatusExceptions;`
`40`	`42`
`41`	`43`	`/**`
`42`	`44`	`* @throws \InvalidArgumentException`
`43`	`45`	`*/`
`44`		`-publicfunction__construct(UserCheckerInterface$userChecker,string$providerKey,bool$hideUserNotFoundExceptions =true)`
	`46`	`+publicfunction__construct(UserCheckerInterface$userChecker,string$providerKey,bool$hideUserNotFoundExceptions =true,bool$showAccountStatusExceptions =false)`
`45`	`47`	`{`
`46`	`48`	`if (empty($providerKey)) {`
`47`	`49`	`thrownew \InvalidArgumentException('$providerKey must not be empty.');`
`@@ -50,6 +52,7 @@ public function __construct(UserCheckerInterface $userChecker, string $providerK`
`50`	`52`	`$this->userChecker =$userChecker;`
`51`	`53`	`$this->providerKey =$providerKey;`
`52`	`54`	`$this->hideUserNotFoundExceptions =$hideUserNotFoundExceptions;`
	`55`	`+$this->showAccountStatusExceptions =$showAccountStatusExceptions;`
`53`	`56`	`}`
`54`	`57`
`55`	`58`	`/**`
`@@ -86,7 +89,7 @@ public function authenticate(TokenInterface $token)`
`86`	`89`	`$this->checkAuthentication($user,$token);`
`87`	`90`	`$this->userChecker->checkPostAuth($user);`
`88`	`91`	`}catch (AccountStatusException\|BadCredentialsException$e) {`
`89`		`-if ($this->hideUserNotFoundExceptions && !$einstanceof CustomUserMessageAccountStatusException) {`
	`92`	`+if ($this->isFilteredException($e)) {`
`90`	`93`	`thrownewBadCredentialsException('Bad credentials.',0,$e);`
`91`	`94`	`}`
`92`	`95`
`@@ -131,4 +134,17 @@ abstract protected function retrieveUser(string $username, UsernamePasswordToken`
`131`	`134`	`* @throws AuthenticationException if the credentials could not be validated`
`132`	`135`	`*/`
`133`	`136`	`abstractprotectedfunctioncheckAuthentication(UserInterface$user,UsernamePasswordToken$token);`
	`137`	`+`
	`138`	`+privatefunctionisFilteredException(Exception$exception):bool`
	`139`	`+ {`
	`140`	`+if (!$this->hideUserNotFoundExceptions) {`
	`141`	`+returnfalse;`
	`142`	`+ }`
	`143`	`+`
	`144`	`+if ($this->showAccountStatusExceptions) {`
	`145`	`+returnfalse;`
	`146`	`+ }`
	`147`	`+`
	`148`	`+return !$exceptioninstanceof CustomUserMessageAccountStatusException;`
	`149`	`+ }`
`134`	`150`	`}`

`‎src/Symfony/Component/Security/Guard/Firewall/GuardAuthenticationListener.php`

Lines changed: 22 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -11,6 +11,7 @@`
`11`	`11`
`12`	`12`	`namespaceSymfony\Component\Security\Guard\Firewall;`
`13`	`13`
	`14`	`+useException;`
`14`	`15`	`usePsr\Log\LoggerInterface;`
`15`	`16`	`useSymfony\Component\HttpFoundation\Request;`
`16`	`17`	`useSymfony\Component\HttpFoundation\Response;`
`@@ -51,12 +52,13 @@ class GuardAuthenticationListener extends AbstractListener`
`51`	`52`	`private$rememberMeServices;`
`52`	`53`	`private$hideUserNotFoundExceptions;`
`53`	`54`	`private$tokenStorage;`
	`55`	`+private$showAccountStatusExceptions;`
`54`	`56`
`55`	`57`	`/**`
`56`	`58`	`* @param string $providerKey The provider (i.e. firewall) key`
`57`	`59`	`* @param iterable<array-key, AuthenticatorInterface> $guardAuthenticators The authenticators, with keys that match what's passed to GuardAuthenticationProvider`
`58`	`60`	`*/`
`59`		`-publicfunction__construct(GuardAuthenticatorHandler$guardHandler,AuthenticationManagerInterface$authenticationManager,string$providerKey,iterable$guardAuthenticators, ?LoggerInterface$logger =null,bool$hideUserNotFoundExceptions =true, ?TokenStorageInterface$tokenStorage =null)`
	`61`	`+publicfunction__construct(GuardAuthenticatorHandler$guardHandler,AuthenticationManagerInterface$authenticationManager,string$providerKey,iterable$guardAuthenticators, ?LoggerInterface$logger =null,bool$hideUserNotFoundExceptions =true, ?TokenStorageInterface$tokenStorage =null,bool$showAccountStatusExceptions =false)`
`60`	`62`	`{`
`61`	`63`	`if (empty($providerKey)) {`
`62`	`64`	`thrownew \InvalidArgumentException('$providerKey must not be empty.');`
`@@ -69,6 +71,7 @@ public function __construct(GuardAuthenticatorHandler $guardHandler, Authenticat`
`69`	`71`	`$this->logger =$logger;`
`70`	`72`	`$this->hideUserNotFoundExceptions =$hideUserNotFoundExceptions;`
`71`	`73`	`$this->tokenStorage =$tokenStorage;`
	`74`	`+$this->showAccountStatusExceptions =$showAccountStatusExceptions;`
`72`	`75`	`}`
`73`	`76`
`74`	`77`	`/**`
`@@ -180,7 +183,7 @@ private function executeGuardAuthenticator(string $uniqueGuardKey, Authenticator`
`180`	`183`
`181`	`184`	`// Avoid leaking error details in case of invalid user (e.g. user not found or invalid account status)`
`182`	`185`	`// to prevent user enumeration via response content`
`183`		`-if ($this->hideUserNotFoundExceptions &&($einstanceof UsernameNotFoundException \|\| ($einstanceof AccountStatusException && !$einstanceof CustomUserMessageAccountStatusException))) {`
	`186`	`+if ($this->isFilteredException($e)) {`
`184`	`187`	`$e =newBadCredentialsException('Bad credentials.',0,$e);`
`185`	`188`	`}`
`186`	`189`
`@@ -247,4 +250,21 @@ private function triggerRememberMe(AuthenticatorInterface $guardAuthenticator, R`
`247`	`250`
`248`	`251`	`$this->rememberMeServices->loginSuccess($request,$response,$token);`
`249`	`252`	`}`
	`253`	`+`
	`254`	`+privatefunctionisFilteredException(Exception$exception):bool`
	`255`	`+ {`
	`256`	`+if (!$this->hideUserNotFoundExceptions) {`
	`257`	`+returnfalse;`
	`258`	`+ }`
	`259`	`+`
	`260`	`+if ($exceptioninstanceof UsernameNotFoundException) {`
	`261`	`+returntrue;`
	`262`	`+ }`
	`263`	`+`
	`264`	`+if ($this->showAccountStatusExceptions) {`
	`265`	`+returnfalse;`
	`266`	`+ }`
	`267`	`+`
	`268`	`+return$exceptioninstanceof AccountStatusException && !$exceptioninstanceof CustomUserMessageAccountStatusException;`
	`269`	`+ }`
`250`	`270`	`}`

`‎src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php`

Lines changed: 21 additions & 2 deletions

Original file line number	Diff line number	Diff line change
`@@ -54,11 +54,12 @@ class AuthenticatorManager implements AuthenticatorManagerInterface, UserAuthent`
`54`	`54`	`private$firewallName;`
`55`	`55`	`private$hideUserNotFoundExceptions;`
`56`	`56`	`private$requiredBadges;`
	`57`	`+private$showAccountStatusExceptions;`
`57`	`58`
`58`	`59`	`/**`
`59`	`60`	`* @param iterable<mixed, AuthenticatorInterface> $authenticators`
`60`	`61`	`*/`
`61`		`-publicfunction__construct(iterable$authenticators,TokenStorageInterface$tokenStorage,EventDispatcherInterface$eventDispatcher,string$firewallName, ?LoggerInterface$logger =null,bool$eraseCredentials =true,bool$hideUserNotFoundExceptions =true,array$requiredBadges = [])`
	`62`	`+publicfunction__construct(iterable$authenticators,TokenStorageInterface$tokenStorage,EventDispatcherInterface$eventDispatcher,string$firewallName, ?LoggerInterface$logger =null,bool$eraseCredentials =true,bool$hideUserNotFoundExceptions =true,array$requiredBadges = [],bool$showAccountStatusExceptions =false)`
`62`	`63`	`{`
`63`	`64`	`$this->authenticators =$authenticators;`
`64`	`65`	`$this->tokenStorage =$tokenStorage;`
`@@ -68,6 +69,7 @@ public function __construct(iterable $authenticators, TokenStorageInterface $tok`
`68`	`69`	`$this->eraseCredentials =$eraseCredentials;`
`69`	`70`	`$this->hideUserNotFoundExceptions =$hideUserNotFoundExceptions;`
`70`	`71`	`$this->requiredBadges =$requiredBadges;`
	`72`	`+$this->showAccountStatusExceptions =$showAccountStatusExceptions;`
`71`	`73`	`}`
`72`	`74`
`73`	`75`	`/**`
`@@ -269,7 +271,7 @@ private function handleAuthenticationFailure(AuthenticationException $authentica`
`269`	`271`
`270`	`272`	`// Avoid leaking error details in case of invalid user (e.g. user not found or invalid account status)`
`271`	`273`	`// to prevent user enumeration via response content comparison`
`272`		`-if ($this->hideUserNotFoundExceptions &&($authenticationExceptioninstanceof UserNotFoundException \|\| ($authenticationExceptioninstanceof AccountStatusException && !$authenticationExceptioninstanceof CustomUserMessageAccountStatusException))) {`
	`274`	`+if ($this->isFilteredException($authenticationException)) {`
`273`	`275`	`$authenticationException =newBadCredentialsException('Bad credentials.',0,$authenticationException);`
`274`	`276`	`}`
`275`	`277`
`@@ -283,4 +285,21 @@ private function handleAuthenticationFailure(AuthenticationException $authentica`
`283`	`285`	`// returning null is ok, it means they want the request to continue`
`284`	`286`	`return$loginFailureEvent->getResponse();`
`285`	`287`	`}`
	`288`	`+`
	`289`	`+privatefunctionisFilteredException(AuthenticationException$exception):bool`
	`290`	`+ {`
	`291`	`+if (!$this->hideUserNotFoundExceptions) {`
	`292`	`+returnfalse;`
	`293`	`+ }`
	`294`	`+`
	`295`	`+if ($exceptioninstanceof UserNotFoundException) {`
	`296`	`+returntrue;`
	`297`	`+ }`
	`298`	`+`
	`299`	`+if ($this->showAccountStatusExceptions) {`
	`300`	`+returnfalse;`
	`301`	`+ }`
	`302`	`+`
	`303`	`+return$exceptioninstanceof AccountStatusException && !$exceptioninstanceof CustomUserMessageAccountStatusException;`
	`304`	`+ }`
`286`	`305`	`}`

0 commit comments

Comments

(0)

Movatterモバイル変換

Navigation Menu

Search code, repositories, users, issues, pull requests...

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Commit44b6ad7

File tree

10 files changed

10 files changed

`‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/MainConfiguration.php`

`‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/guard.php`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.php`

`‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_legacy.php`

`‎src/Symfony/Component/Security/Core/Authentication/Provider/DaoAuthenticationProvider.php`

`‎src/Symfony/Component/Security/Core/Authentication/Provider/LdapBindAuthenticationProvider.php`

`‎src/Symfony/Component/Security/Core/Authentication/Provider/UserAuthenticationProvider.php`

`‎src/Symfony/Component/Security/Guard/Firewall/GuardAuthenticationListener.php`

`‎src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php`

0 commit comments