Switch to knpuniversity/oauth2-client-bundle#824
Conversation
```php
use League\OAuth2\Client\Tool\BearerAuthorizationTrait;
use Psr\Http\Message\ResponseInterface;

final class ElifeProvider extends AbstractProvider
```
This could be a library.
```php
use Symfony\Component\Security\Core\User\UserInterface;

final class OAuthUser implements UserInterface
```
Might be useful upstream so will open a PR.
```php
private function getClient() : OAuth2Client
{
    return $this->clientRegistry->getClient('elife');
```
This allows for lazy loading of the service (supports() is called on every request). Could use a proper lazy service instead.
```php
$parameters = array_filter($parameters);

ksort($parameters);
```
This all just makes the tests a bit simpler. However, it'd be better to compare URIs safely instead and not worry about order.
```php
private function normalize(RequestInterface $request) : RequestInterface
{
    $headers = array_change_key_case($request->getHeaders());
```
Need to finish off csarrazi/CsaGuzzleBundle#202 as it's an upstream bug.
…t be unserialized from the session (thewilkybarkid)

This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Fail gracefully if the security token cannot be unserialized from the session

| Q             | A   |
| ------------- | --- |
| Branch?       | 2.7 |
| Bug fix?      | yes |
| New feature?  | no  |
| BC breaks?    | no  |
| Deprecations? | no  |
| Tests pass?   | yes |
| Fixed tickets |     |
| License       | MIT |
| Doc PR        |     |

If the security token in the session can't be unserialized, an `E_NOTICE` is issued. This prevents it (and provides a better log message if it's not even a `__PHP_Incomplete_Class`). This is similar to #24731, but I saw it triggered when changing OAuth library (elifesciences/journal#824), so the token class itself no longer exists. (I want to avoid having to manually invalidate all sessions, as not all sessions use that token class.)

Commits
-------

053fa43 [Security] Fail gracefully if the security token cannot be unserialized from the session
```php
$subRequest = $request->duplicate([], null, $path);
if ($referer = trim($request->headers->get('Referer'))) {
    $firewall = $this->get('security.firewall.map')->getFirewallConfig($request);
    $this->saveTargetPath($request->getSession(), $firewall->getName(), $referer);
```
Is there any validation on the Referer that checks the host matches, for example? Is it conceivable for someone external to send a user with their own Referer and get them redirected there (and is it a problem?)
Yep, already present
journal/test/Controller/AuthenticationTest.php, lines 86 to 119 in f2ccd2f
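The shape of the check the reply refers to, written out as an added example rather than the journal project's own code (which lives in the controller and the linked test): only a Referer whose scheme and host match the current request is turned into a post-login target path, and only the relative part is kept, so the value handed to `saveTargetPath()` can never send the user to another origin. The function name `safeTargetPathFromReferer`, the host `journal.example` and the sample Referer values are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Return the path (plus query) of $referer if it is a same-origin URL for
 * $requestHost, otherwise null. Anything that is not clearly same-origin is
 * rejected: protocol-relative "//evil.example" links, "user@host" tricks,
 * non-HTTP schemes and a differing port.
 * Added example; the function name and the hosts below are assumptions.
 */
function safeTargetPathFromReferer(?string $referer, string $requestHost): ?string
{
    $referer = trim((string) $referer);
    if ($referer === '') {
        return null;
    }

    // parse_url() returns false for seriously malformed URLs.
    $parts = parse_url($referer);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null;
    }

    // parse_url() preserves the case of the scheme, so lowercase it first.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }

    // Never accept credentials in the URL ("https://journal.example@evil.example/"):
    // the real host is the one after the "@".
    if (isset($parts['user']) || isset($parts['pass'])) {
        return null;
    }

    // Host comparison is case-insensitive; an explicit port has to match as well.
    $host = strtolower($parts['host']) . (isset($parts['port']) ? ':' . $parts['port'] : '');
    if ($host !== strtolower($requestHost)) {
        return null;
    }

    // Only the relative part is stored, so the redirect stays on this host.
    $path = $parts['path'] ?? '/';
    if (isset($parts['query'])) {
        $path .= '?' . $parts['query'];
    }

    return $path;
}

// Constructed inputs; "journal.example" stands in for the request host.
$cases = [
    'https://journal.example/articles/1',
    'HTTPS://JOURNAL.EXAMPLE/articles/1?foo=bar',
    'https://evil.example/articles/1',
    'https://journal.example@evil.example/',
    '//evil.example/',
    'javascript:alert(1)',
    '',
];

foreach ($cases as $case) {
    var_dump(safeTargetPathFromReferer($case, 'journal.example'));
}
```

The request host is deliberately taken from the application's own configuration or the validated `Host` header rather than from the Referer itself; comparing the Referer against a value that the same client controls would not prove anything.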
```php
public function onAuthenticationFailure(Request $request, AuthenticationException $exception) : Response
{
    $this->saveAuthenticationErrorToSession($request, $exception);
```
does this go to a flash message or similar user-visible place?
AuthenticationErrorSubscriber turns it into a flash message.
```php
{
    $this->saveAuthenticationErrorToSession($request, $exception);

    return new RedirectResponse($this->urlGenerator->generate('home'));
```
and would it be actually shown on the homepage or would the user just see a cached version identical for everyone?
There's a session so isn't cached.
```php
use Psr\Http\Message\UriInterface;
use function GuzzleHttp\Psr7\uri_for;

trait Assertions
```
a bit like the Utils class. Name it UriAssertions for cohesion?
Could do, had thought any other assertions could be put here, but a trait each is also fine.
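One way to "compare URIs safely instead and not worry about order", as the `ksort()` comment above suggests, together with the case-insensitive header comparison that the `normalize()` snippet reaches for with `array_change_key_case()`. This is an added example, not the `Assertions` trait from the PR: it uses only `parse_url()` so it runs without Guzzle, and the function names and the sample URIs and headers are assumptions.

```php
<?php
declare(strict_types=1);

/**
 * Decode a query string into a sorted list of [name, value] pairs.
 * Unlike parse_str(), repeated names ("scope=a&scope=b") are all kept,
 * and percent-decoding means "a=%41" and "a=A" compare equal.
 * Added example; the function names in this file are assumptions.
 */
function queryPairs(string $query): array
{
    if ($query === '') {
        return [];
    }
    $pairs = [];
    foreach (explode('&', $query) as $part) {
        [$name, $value] = array_pad(explode('=', $part, 2), 2, '');
        $pairs[] = [rawurldecode($name), rawurldecode($value)];
    }
    sort($pairs);

    return $pairs;
}

/**
 * Reduce a URI to a canonical array: lowercase scheme and host, the
 * scheme's default port dropped, an empty path treated as "/", and the
 * query as an order-independent list of pairs. The fragment is ignored
 * because it is never sent to the server.
 */
function canonicalUri(string $uri): array
{
    $parts = parse_url($uri);
    if ($parts === false) {
        throw new InvalidArgumentException("Malformed URI: {$uri}");
    }
    $scheme = strtolower($parts['scheme'] ?? '');
    $port = $parts['port'] ?? null;
    if (($scheme === 'http' && $port === 80) || ($scheme === 'https' && $port === 443)) {
        $port = null;
    }

    return [
        'scheme' => $scheme,
        'host' => strtolower($parts['host'] ?? ''),
        'port' => $port,
        'path' => ($parts['path'] ?? '') === '' ? '/' : $parts['path'],
        'query' => queryPairs($parts['query'] ?? ''),
    ];
}

function sameUri(string $expected, string $actual): bool
{
    return canonicalUri($expected) === canonicalUri($actual);
}

/**
 * Compare header maps the way HTTP does: names case-insensitively, values
 * exactly. Both sides are name => list-of-values arrays, the shape that
 * PSR-7 getHeaders() returns.
 */
function sameHeaders(array $expected, array $actual): bool
{
    $expected = array_change_key_case($expected, CASE_LOWER);
    $actual = array_change_key_case($actual, CASE_LOWER);
    ksort($expected);
    ksort($actual);

    return $expected === $actual;
}

// Constructed sample values; the host and parameter names are assumptions.
// Same request, different case, explicit default port and parameter order.
var_dump(sameUri(
    'https://oauth.example/token?grant_type=authorization_code&code=abc',
    'HTTPS://OAUTH.EXAMPLE:443/token?code=abc&grant_type=authorization_code'
));
// A repeated parameter is significant; parse_str() would have collapsed it.
var_dump(sameUri(
    'https://oauth.example/token?scope=a&scope=b',
    'https://oauth.example/token?scope=b'
));
// Header names differ only in case.
var_dump(sameHeaders(
    ['Authorization' => ['Bearer token'], 'Accept' => ['application/json']],
    ['accept' => ['application/json'], 'AUTHORIZATION' => ['Bearer token']]
));
```

Comparing canonical forms rather than filtering and sorting the parameters before the request is built keeps the test-only normalisation out of the production code path, which is what the review comment is after.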
A little more code (have to implement a custom Guard authenticator), but I'm happier with how this bundle works.
I think that currently-logged-in users will see a 500 page (as their session contains a serialized class that no longer exists), but will be logged out and subsequent pages will work (sessions currently expire after 24 hours too). Trying to think of a way of invalidating existing sessions.
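What the stale-session problem described above looks like at the PHP level, as an added example (this is not the Symfony patch referenced in this thread, nor the journal project's code): the session still holds a serialized instance of a token class that no longer exists after the OAuth library swap, so `unserialize()` hands back a `__PHP_Incomplete_Class` instead of a token. The helper below detects that, logs which class was expected, and treats the user as anonymous, which is the per-session alternative to invalidating every session by hand. The class names `OldOAuthToken` and `CurrentOAuthToken`, the helper name and the session payloads are constructed assumptions.

```php
<?php
declare(strict_types=1);

// Token class that exists in the new code base (assumption).
final class CurrentOAuthToken
{
    public $username;

    public function __construct(string $username)
    {
        $this->username = $username;
    }
}

/**
 * Restore a security token from its serialized session representation.
 * Returns null (and appends a log line) whenever the payload is unusable,
 * instead of letting a __PHP_Incomplete_Class reach the rest of the app.
 * Added example; the function name and the session payloads are assumptions.
 */
function tokenFromSession(?string $serialized, array &$log): ?object
{
    if ($serialized === null || $serialized === '') {
        return null;
    }

    // Suppress the E_NOTICE that unserialize() emits on bad input and report
    // it ourselves. allowed_classes (PHP >= 7.0) limits what the session may
    // instantiate: a class outside the list also becomes
    // __PHP_Incomplete_Class rather than a live object.
    $token = @unserialize($serialized, ['allowed_classes' => [CurrentOAuthToken::class]]);

    if ($token === false && $serialized !== serialize(false)) {
        $log[] = 'Session token could not be unserialized (corrupt payload); treating as anonymous.';

        return null;
    }

    if ($token instanceof __PHP_Incomplete_Class) {
        // The class name the session refers to is still readable.
        $class = ((array) $token)['__PHP_Incomplete_Class_Name'] ?? 'unknown';
        $log[] = sprintf('Session token class "%s" no longer exists; treating as anonymous.', $class);

        return null;
    }

    if (!is_object($token)) {
        $log[] = 'Session token is not an object; treating as anonymous.';

        return null;
    }

    return $token;
}

$log = [];

// 1. Payload written by the old code base: the class no longer exists.
$stale = 'O:13:"OldOAuthToken":1:{s:8:"username";s:5:"alice";}';
var_dump(tokenFromSession($stale, $log));

// 2. Payload the current code base writes.
$fresh = serialize(new CurrentOAuthToken('alice'));
var_dump(tokenFromSession($fresh, $log));

// 3. Garbage that is not serialized PHP at all.
var_dump(tokenFromSession('not-a-php-payload', $log));

print_r($log);
```

When the helper returns null for a stale class, the caller can invalidate just that one session (and clear the token from it) so the user lands on the login page rather than a 500; sessions that never held the old token class are left alone, which avoids the blanket invalidation the comment wants to avoid.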