bug #39859 [Security] Replace message data in JSON security error response (wouterj)

chalasr · chalasr · commit 5ba4925c91aa · 2021-01-17T00:06:41.000+01:00
This PR was merged into the 5.2 branch. Discussion ---------- [Security] Replace message data in JSON security error response | Q | A | ------------- | --- | Branch? | 5.2 | Bug fix? | yes | New feature? | no | Deprecations? | no | Tickets | Fix #39663 | License | MIT | Doc PR | n/a Commits ------- 5e5795a [Security] Replace message data in JSON security error response
diff --git a/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php
@@ -126,10 +126,10 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
     {
         if (null === $this->failureHandler) {
-            $errorMessage = $exception->getMessageKey();
-
             if (null !== $this->translator) {
                 $errorMessage = $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security');
+            } else {
+                $errorMessage = strtr($exception->getMessageKey(), $exception->getMessageData());
             }
 
             return new JsonResponse(['error' => $errorMessage], JsonResponse::HTTP_UNAUTHORIZED);
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php
@@ -147,6 +147,25 @@ public function testAuthenticationFailureWithTranslator()
         $this->assertSame(['error' => 'foo'], json_decode($response->getContent(), true));
     }
 
+    public function testOnFailureReplacesMessageDataWithoutTranslator()
+    {
+        $this->setUpAuthenticator();
+
+        $response = $this->authenticator->onAuthenticationFailure(new Request(), new class() extends AuthenticationException {
+            public function getMessageData(): array
+            {
+                return ['%failed_attempts%' => 3];
+            }
+
+            public function getMessageKey(): string
+            {
+                return 'Session locked after %failed_attempts% failed attempts.';
+            }
+        });
+
+        $this->assertSame(['error' => 'Session locked after 3 failed attempts.'], json_decode($response->getContent(), true));
+    }
+
     private function setUpAuthenticator(array $options = [])
     {
         $this->authenticator = new JsonLoginAuthenticator(new HttpUtils(), $this->userProvider, null, null, $options);

Original file line number	Diff line number	Diff line change
`@@ -126,10 +126,10 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,`
`126`	`126`	`public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response`
`127`	`127`	`{`
`128`	`128`	`if (null === $this->failureHandler) {`
`129`		`- $errorMessage = $exception->getMessageKey();`
`130`		`-`
`131`	`129`	`if (null !== $this->translator) {`
`132`	`130`	`$errorMessage = $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security');`
	`131`	`+ } else {`
	`132`	`+ $errorMessage = strtr($exception->getMessageKey(), $exception->getMessageData());`
`133`	`133`	`}`
`134`	`134`
`135`	`135`	`return new JsonResponse(['error' => $errorMessage], JsonResponse::HTTP_UNAUTHORIZED);`