Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Security] Deprecate TokenInterface::isAuthenticated() #42050

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 14, 2021
Merged

[Security] Deprecate TokenInterface::isAuthenticated() #42050

merged 1 commit into from
Jul 14, 2021

Conversation

chalasr
Copy link
Member

@chalasr chalasr commented Jul 10, 2021
edited
Loading

Q A
Branch? 5.4
Bug fix? no
New feature? yes
Deprecations? no
Tickets -
License MIT
Doc PR todo

From #41613 (comment)

all unauthenticated token use-cases have been replaced with passports (and the removal of anonymous). This means that if you have a token, it should always be authenticated.

@chalasr chalasr requested a review from wouterj as a code owner July 10, 2021 16:32
@chalasr chalasr added this to the 5.4 milestone Jul 10, 2021
@chalasr chalasr force-pushed the deprecate-unauthenticated-tokens branch 13 times, most recently from f4497d8 to 4cfcf3d Compare July 11, 2021 09:44
@chalasr chalasr force-pushed the deprecate-unauthenticated-tokens branch from 4cfcf3d to 366e1e7 Compare July 11, 2021 09:59
@carsonbot

This comment has been minimized.

Sign in to view
@chalasr chalasr force-pushed the deprecate-unauthenticated-tokens branch from 366e1e7 to f892331 Compare July 11, 2021 15:51
@chalasr chalasr force-pushed the deprecate-unauthenticated-tokens branch 2 times, most recently from 36b1a3f to 6a2547f Compare July 11, 2021 18:40
nicolas-grekas
nicolas-grekas reviewed Jul 11, 2021
View reviewed changes
Copy link
Member

@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm wondering: how easy will it be for a bundle to support SF 5 & 6 at the same time? Will they be required to use the API that this PR adds to silence deprecations?

@chalasr
Copy link
Member Author

chalasr commented Jul 11, 2021
edited
Loading

Once a bundle provides an integration for the new authenticator system (available since 5.1, considered stable since 5.3), it really has no reason to use the API that this PR deprecates.
Why ? Because unauthenticated tokens do not mean anything in the new system: either the user is authenticated and it has a token in the storage, or it is not authenticated and it has no token at all.

The only way for a bundle to support both the old system and the new one is to provide two distinct implementations:
1 old authentication listener or guard authenticator that deals with tokens, and 1 new authenticator that deals with passports.

For e.g. scheb/2fa or lexik/jwt-authentication-bundle, the only thing needed to be deprecation-free on both 5.x and 6.x is to replace some TokenInterface mocks in favor of dummy implementations in their test suites.

@chalasr chalasr force-pushed the deprecate-unauthenticated-tokens branch from 6a2547f to 55cb0f6 Compare July 11, 2021 19:32
@chalasr chalasr force-pushed the deprecate-unauthenticated-tokens branch from 55cb0f6 to 3fe9eac Compare July 11, 2021 20:08
OskarStark
OskarStark reviewed Jul 13, 2021
View reviewed changes
@chalasr chalasr force-pushed the deprecate-unauthenticated-tokens branch from 3fe9eac to 33b8fbd Compare July 14, 2021 12:24
@chalasr chalasr mentioned this pull request Jul 14, 2021
Merged
@derrabus
Copy link
Member

Thank you Robin.

@derrabus derrabus merged commit 1834a4d into symfony:5.4 Jul 14, 2021
@derrabus derrabus mentioned this pull request Jul 14, 2021
Closed
@chalasr chalasr deleted the deprecate-unauthenticated-tokens branch July 14, 2021 16:33
@chalasr chalasr mentioned this pull request Jul 24, 2021
Merged
This was referenced Aug 8, 2021
Merged
Closed
fabpot added a commit that referenced this pull request Aug 13, 2021
@fabpot
feature #42423 [Security] Deprecate AnonymousToken, non-UserInterface…
76a7fe7 
… users, and token credentials (wouterj)

This PR was squashed before being merged into the 5.4 branch.

Discussion
----------

[Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Tickets       | Ref #41613, #34909
| License       | MIT
| Doc PR        | -

This is a continuation of `@xabbuh`'s experiment in #34909 and `@chalasr`'s work in #42050. This hopefully is the last cleanup of `TokenInterface`:

* As tokens now always represent an authenticated user (and no longer e.g. the "username" input of the form), we can finally remove the weird `string|\Stringable` union from `Token::getUser()` and other helper methods and require a user to be an instance of `UserInterface`.
* For the same reason, we can also deprecate token credentials. I didn't deprecate `Token::eraseCredentials()` as this is still used to remove credentials from `UserInterface`.
* Meanwhile, this also deprecated the `AnonymousToken`, which we forgot in 5.3. This token is not used anymore in the new system (anonymous does no longer exists). This was also the only token in core that didn't fulfill the `UserInterface` requirement for authenticated tokens.

Commits
-------

44b843a [Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials
@chalasr chalasr mentioned this pull request Aug 29, 2021
Merged
fabpot added a commit that referenced this pull request Sep 1, 2021
@fabpot
bug #42776 [Security] Do not deauthenticate token on user change if n…
3c40300 
…ot an AbstractToken (chalasr)

This PR was merged into the 5.4 branch.

Discussion
----------

[Security] Do not deauthenticate token on user change if not an AbstractToken

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | -

In #42050, we moved the `hasUserChanged()` logic used for deauthentication from AbstractToken to ContextListener.
Problem is that this check is now done against on all kind of tokens, whereas it was only for `AbstractToken` instances before.
That breaks https://github.com/scheb/2fa, tokens get wrongly deauthenticated in the middle of the 2fa auth process.
This fixes it by skipping non-AbstractToken implementations.
We may want to provide a way to opt-in/out the `hasUserChanged()` logic on a custom token with e.g.  a marker interface, but that's not necessarily worth it for now IMHO.

Commits
-------

fe31fcb [Security] Do not deauthenticate token on user change if not an AbstractToken
This was referenced Nov 5, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@OskarStark OskarStark OskarStark left review comments

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@derrabus derrabus derrabus approved these changes

@wouterj wouterj Awaiting requested review from wouterj

Assignees
No one assigned
Labels
Feature Security Status: Reviewed
Projects
None yet
Milestone
5.4
Development

Successfully merging this pull request may close these issues.
6 participants
@chalasr @carsonbot @derrabus @nicolas-grekas @wouterj @OskarStark