chalasr
Member

@chalasr chalasr commented Aug 29, 2021

| Q | A |
| --- | --- |
| Branch? | 5.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | - |
| License | MIT |
| Doc PR | - |

In #42050, we moved the hasUserChanged() logic used for deauthentication from AbstractToken to ContextListener.
Problem is that this check is now done against all kinds of tokens, whereas it was only for AbstractToken instances before.
That breaks https://github.com/scheb/2fa, tokens get wrongly deauthenticated in the middle of the 2fa auth process.
This fixes it by skipping non-AbstractToken implementations.
We may want to provide a way to opt-in/out the hasUserChanged() logic on a custom token with e.g. a marker interface, but that's not necessarily worth it for now IMHO.

@chalasr chalasr force-pushed the fix-isauthenticated-layer branch from 511d604 to fe31fcb Compare August 29, 2021 14:26
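
As an added illustration, not code from this pull request, Symfony or scheb/2fa: a simplified PHP model of which tokens the user-changed check covers before and after the fix described above. All class and function names are hypothetical, and the reason the 2FA token fails the comparison (it reports no roles mid-login) is an assumption, since the page does not state it.

```php
<?php
declare(strict_types=1);
// Simplified model of the behaviour discussed in this PR. Every name here is
// illustrative; none of it is Symfony's or scheb/2fa's code.

interface Token { public function roles(): array; }

// Stands in for tokens built on the framework's base class (AbstractToken).
abstract class BaseToken implements Token
{
    public function __construct(private array $roles) {}
    public function roles(): array { return $this->roles; }
}
final class LoginToken extends BaseToken {}

// Stands in for a third-party token that implements the interface directly.
final class CustomToken implements Token
{
    public function __construct(private array $roles) {}
    public function roles(): array { return $this->roles; }
}

// Assumed comparison: the token's view of the user vs. the freshly loaded user.
function userChanged(Token $token, array $freshRoles): bool
{
    return $token->roles() !== $freshRoles;
}

// Returns true when the token survives the refresh, false when it is deauthenticated.
function survivesRefresh(Token $token, array $freshRoles, string $policy): bool
{
    $checked = match ($policy) {
        'all'       => true,                        // check applied to every token
        'base-only' => $token instanceof BaseToken, // non-base tokens are skipped
    };
    return !$checked || !userChanged($token, $freshRoles);
}

$fresh = ['ROLE_USER']; // constructed sample: roles of the reloaded user
$cases = [
    'login, unchanged'  => new LoginToken(['ROLE_USER']),
    'login, demoted'    => new LoginToken(['ROLE_ADMIN']),
    'custom, mid-2FA'   => new CustomToken([]),             // assumption: no roles yet
    'custom, demoted'   => new CustomToken(['ROLE_ADMIN']),
];
foreach (['all', 'base-only'] as $policy) {
    foreach ($cases as $label => $token) {
        printf("%-9s %-17s survives=%s\n", $policy, $label,
            var_export(survivesRefresh($token, $fresh, $policy), true));
    }
}
```

Under `base-only` the mid-2FA token survives, and so does a custom token whose user really did change, which is the gap the opt-in marker interface mentioned in the description would close.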
@carsonbot

Hey!

I think @dmaicher has recently worked with this code. Maybe they can help review this?

Cheers!

Carsonbot

@fabpot
Member

fabpot commented Sep 1, 2021

Thank you @chalasr.

@fabpot fabpot merged commit 3c40300 into symfony:5.4 Sep 1, 2021
@chalasr chalasr deleted the fix-isauthenticated-layer branch September 1, 2021 13:31
@scheb
Contributor

scheb commented Sep 1, 2021

Thanks for merging. Will run my test suite sometime in the next few days once I find time for it. I'm relatively confident that this is fixing the issue with 2fa-bundle on Symfony 5.4 👍

@scheb
Contributor

scheb commented Sep 4, 2021

Confirmed. 2fa-bundle is all green on the latest 5.4.x-dev, both old security system and authenticator-based system 👍

@fabpot
Member

fabpot commented Sep 4, 2021

That's great news!
