
CsrfTokenClearingLogoutListener trying to clear storage on logout from stateless firewall #50310

Closed
@mbabker

Description

Symfony version(s) affected

6.3

Description

We have a functional test that covers checking login and logout through our internal API firewall to make sure tokens generated with LexikJWTAuthenticationBundle and JWTRefreshTokenBundle are properly invalidated. As this API only uses token authentication, the full firewall is configured as stateless. Rather basic test scenario:

<?php

use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;

final class AuthTest extends WebTestCase
{
    public function testLogoutTokenInvalidation(): void
    {
        $client = self::createClient();

        // Load database fixtures

        $client->jsonRequest(
            'POST',
            '/api/internal/login',
            ['username' => '[email protected]', 'password' => 'password'],
        );

        $this->assertResponseIsSuccessful('Could not authenticate to the internal API.');

        $response = $client->getResponse();

        if ($response->getContent() === false) {
            $this->fail('The API did not send a proper response.');
        }

        $data = json_decode($response->getContent(), true, flags: \JSON_THROW_ON_ERROR);

        if (!isset($data['refresh_token'])) {
            $this->fail('The refresh token was not included in the authentication response.');
        }

        $client->jsonRequest(
            'POST',
            '/api/internal/logout',
            ['refresh_token' => $data['refresh_token']],
            ['HTTP_Authorization' => sprintf('Bearer %s', $data['token'])],
        );

        $this->assertResponseIsSuccessful();

        // Check token validity
    }
}

This test case passes on 6.2 but fails with 6.3 beta:

Failed asserting that the Response is successful.
HTTP/1.1 500 Internal Server Error
Cache-Control: max-age=0, must-revalidate, private
Content-Type:  application/problem+json
Date:          Fri, 12 May 2023 19:57:13 GMT
Expires:       Fri, 12 May 2023 19:57:13 GMT
Vary:          Accept
X-Robots-Tag:  noindex

{"type":"https:\/\/tools.ietf.org\/html\/rfc2616#section-10","title":"An error occurred","status":500,"detail":"Session was used while the request was declared stateless."}
 /app/vendor/symfony/framework-bundle/Test/BrowserKitAssertionsTrait.php:142
 /app/vendor/symfony/framework-bundle/Test/BrowserKitAssertionsTrait.php:33
 /app/tests/functional/AuthTest.php:175

After debugging, the session use is being logged from a call inside the Symfony\Component\Security\Http\EventListener\CsrfTokenClearingLogoutListener::onLogout() event listener.

How to reproduce

Logout from a stateless firewall (haven't taken the time to get down to a smaller reproducing scenario)

Possible Solution

No response

Additional Context

No response
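For comparison, here is how a logout listener can be written so that it never touches the session on a stateless firewall. This is an added example, not code from the issue or from Symfony itself; it assumes Symfony 6.x, and the class name StatelessSafeCsrfClearingListener is made up for illustration.

```php
<?php
// Added example, not part of the Symfony issue or the reporter's code.
// A LogoutEvent listener that clears CSRF tokens only when the request
// actually carries a session, so it is a no-op on stateless firewalls.
// Assumes Symfony 6.x; the class name is hypothetical.

namespace App\EventListener;

use Symfony\Component\EventDispatcher\Attribute\AsEventListener;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
use Symfony\Component\Security\Http\Event\LogoutEvent;

#[AsEventListener(event: LogoutEvent::class)]
final class StatelessSafeCsrfClearingListener
{
    public function __construct(
        private readonly ClearableTokenStorageInterface $csrfTokenStorage,
    ) {
    }

    public function __invoke(LogoutEvent $event): void
    {
        $request = $event->getRequest();

        if (!self::requestHasUsableSession($request)) {
            // Token-authenticated API logout: there is nothing session-bound
            // to clear, and touching the session here is what produces
            // "Session was used while the request was declared stateless."
            return;
        }

        $this->csrfTokenStorage->clear();
    }

    public static function requestHasUsableSession(Request $request): bool
    {
        // The firewall (or a route configured stateless: true) marks the
        // request with the "_stateless" attribute; SessionListener uses it
        // to flag session access, so honour it before touching the session.
        if ($request->attributes->getBoolean('_stateless')) {
            return false;
        }

        // Only clear when the client actually sent a session cookie, so a
        // fresh session is never started just to empty it.
        return $request->hasPreviousSession();
    }
}
```

Registering such a listener alongside (or in place of) the built-in one keeps CSRF token clearing for session-based firewalls while leaving stateless API logouts untouched.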
