From cd427c310d8f7a6b722174f80d288a1e4b51c6fa Mon Sep 17 00:00:00 2001 From: Alexandre Daubois Date: Thu, 23 Jan 2025 09:38:36 +0100 Subject: [PATCH] [Security] Throw an explicit error when authenticating a token with a null user --- .../Http/Firewall/ContextListener.php | 4 +++ .../Tests/Firewall/ContextListenerTest.php | 25 +++++++++++++++++++ .../Http/Tests/Fixtures/NullUserToken.php | 23 +++++++++++++++++ 3 files changed, 52 insertions(+) create mode 100644 src/Symfony/Component/Security/Http/Tests/Fixtures/NullUserToken.php diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php index e8ad79d83cd40..d06b6d57ae32e 100644 --- a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php +++ b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php @@ -123,6 +123,10 @@ public function authenticate(RequestEvent $event): void ]); if ($token instanceof TokenInterface) { + if (!$token->getUser()) { + throw new \UnexpectedValueException(\sprintf('Cannot authenticate a "%s" token because it doesn\'t store a user.', $token::class)); + } + $originalToken = $token; $token = $this->refreshUser($token); diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php index 8d0ab72658aff..8dcf96ed6fb8a 100644 --- a/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php +++ b/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php @@ -36,6 +36,7 @@ use Symfony\Component\Security\Core\User\UserInterface; use Symfony\Component\Security\Core\User\UserProviderInterface; use Symfony\Component\Security\Http\Firewall\ContextListener; +use Symfony\Component\Security\Http\Tests\Fixtures\NullUserToken; use Symfony\Contracts\Service\ServiceLocatorTrait; class ContextListenerTest extends TestCase @@ -58,6 +59,30 @@ public function testUserProvidersNeedToImplementAnInterface() $this->handleEventWithPreviousSession([new \stdClass()]); } + public function testTokenReturnsNullUser() + { + $tokenStorage = new TokenStorage(); + $tokenStorage->setToken(new NullUserToken()); + + $session = new Session(new MockArraySessionStorage()); + $session->set('_security_context_key', serialize($tokenStorage->getToken())); + + $request = new Request(); + $request->setSession($session); + $request->cookies->set('MOCKSESSID', true); + + $listener = new ContextListener($tokenStorage, [], 'context_key'); + + $this->expectException(\UnexpectedValueException::class); + $this->expectExceptionMessage('Cannot authenticate a "Symfony\Component\Security\Http\Tests\Fixtures\NullUserToken" token because it doesn\'t store a user.'); + + $listener->authenticate(new RequestEvent( + $this->createMock(HttpKernelInterface::class), + $request, + HttpKernelInterface::MAIN_REQUEST, + )); + } + public function testOnKernelResponseWillAddSession() { $session = $this->runSessionOnKernelResponse( diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/NullUserToken.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/NullUserToken.php new file mode 100644 index 0000000000000..95048e464a3f9 --- /dev/null +++ b/src/Symfony/Component/Security/Http/Tests/Fixtures/NullUserToken.php @@ -0,0 +1,23 @@ + + * + * For the full copyright and license information, please view the LICENSE + * file that was distributed with this source code. + */ + +namespace Symfony\Component\Security\Http\Tests\Fixtures; + +use Symfony\Component\Security\Core\Authentication\Token\AbstractToken; +use Symfony\Component\Security\Core\User\UserInterface; + +class NullUserToken extends AbstractToken +{ + public function getUser(): ?UserInterface + { + return null; + } +}