[Security] Replace message data in JSON security error response

wouterj · wouterj · commit 13cdedb94a67 · 2021-01-16T16:38:40.000+01:00
diff --git a/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php
@@ -126,10 +126,10 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
     {
         if (null === $this->failureHandler) {
-            $errorMessage = $exception->getMessageKey();
-
             if (null !== $this->translator) {
                 $errorMessage = $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security');
+            } else {
+                $errorMessage = strtr($exception->getMessageKey(), $exception->getMessageData());
             }
 
             return new JsonResponse(['error' => $errorMessage], JsonResponse::HTTP_UNAUTHORIZED);
diff --git a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php
@@ -188,10 +188,10 @@ private function onFailure(Request $request, AuthenticationException $failed): R
         }
 
         if (!$this->failureHandler) {
-            $errorMessage = $failed->getMessageKey();
-
             if (null !== $this->translator) {
                 $errorMessage = $this->translator->trans($failed->getMessageKey(), $failed->getMessageData(), 'security');
+            } else {
+                $errorMessage = strtr($failed->getMessageKey(), $failed->getMessageData());
             }
 
             return new JsonResponse(['error' => $errorMessage], 401);
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\TooManyLoginAttemptsAuthenticationException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Authenticator\JsonLoginAuthenticator;
@@ -147,8 +148,29 @@ public function testAuthenticationFailureWithTranslator()
         $this->assertSame(['error' => 'foo'], json_decode($response->getContent(), true));
     }
 
+    public function testOnFailureReplacesMessageDataWithoutTranslator()
+    {
+        $this->setUpAuthenticator();
+
+        $response = $this->authenticator->onAuthenticationFailure(new Request(), new class extends AuthenticationException {
+            public function getMessageData(): array
+            {
+                return ['%failed_attempts%' => 3];
+            }
+
+            public function getMessageKey(): string
+            {
+                return 'Session locked after %failed_attempts% failed attempts.';
+            }
+        });
+
+        $this->assertSame(['error' => 'Session locked after 3 failed attempts.'], json_decode($response->getContent(), true));
+    }
+
     private function setUpAuthenticator(array $options = [])
     {
         $this->authenticator = new JsonLoginAuthenticator(new HttpUtils(), $this->userProvider, null, null, $options);
     }
 }
+
+

Original file line number	Diff line number	Diff line change
`@@ -126,10 +126,10 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,`
`126`	`126`	`public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response`
`127`	`127`	`{`
`128`	`128`	`if (null === $this->failureHandler) {`
`129`		`- $errorMessage = $exception->getMessageKey();`
`130`		`-`
`131`	`129`	`if (null !== $this->translator) {`
`132`	`130`	`$errorMessage = $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security');`
	`131`	`+ } else {`
	`132`	`+ $errorMessage = strtr($exception->getMessageKey(), $exception->getMessageData());`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`return new JsonResponse(['error' => $errorMessage], JsonResponse::HTTP_UNAUTHORIZED);`
Original file line number	Diff line number	Diff line change
`@@ -188,10 +188,10 @@ private function onFailure(Request $request, AuthenticationException $failed): R`
`188`	`188`	`}`
`189`	`189`
`190`	`190`	`if (!$this->failureHandler) {`
`191`		`- $errorMessage = $failed->getMessageKey();`
`192`		`-`
`193`	`191`	`if (null !== $this->translator) {`
`194`	`192`	`$errorMessage = $this->translator->trans($failed->getMessageKey(), $failed->getMessageData(), 'security');`
	`193`	`+ } else {`
	`194`	`+ $errorMessage = strtr($failed->getMessageKey(), $failed->getMessageData());`
`195`	`195`	`}`
`196`	`196`
`197`	`197`	`return new JsonResponse(['error' => $errorMessage], 401);`