Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Security - Custom login authenticator #45070

Closed
hracik opened this issue Jan 19, 2022 · 1 comment · Fixed by #45452
Closed

Security - Custom login authenticator #45070

hracik opened this issue Jan 19, 2022 · 1 comment · Fixed by #45452
Labels
Bug Security Status: Needs Review

Comments

@hracik
Copy link

@hracik hracik commented Jan 19, 2022

Symfony version(s) affected

5.4

Description

In documentation here https://symfony.com/doc/5.4/security/custom_authenticator.html is written:

You can optionally pass a user loader as second argument to the UserBadge. This callable receives the $userIdentifier and must return a UserInterface object (otherwise a UserNotFoundException is thrown):

return new Passport(
    new UserBadge($email, function ($userIdentifier) {
        return $this->userRepository->findOneBy(['email' => $userIdentifier]);
    }),
    $credentials
);

Problem is that UserNotFoundException is not thrown, but AuthenticationServiceException is instead, which results in weird message when logging in "Authentication request could not be processed due to a system problem." instead of simple "Invalid credentials".

For example this works as expected:

return new Passport(
    new UserBadge($email),
    $credentials
);

How to reproduce

Create custom login authenticator and compare different behaviour between new UserBadge when no $userLoader is provided and when $userLoader is provided while trying to login with non-existing user email address.

Possible Solution

No response

Additional Context

Symfony\Component\Security\Core\Exception\AuthenticationServiceException: The user provider must return a UserInterface object, "null" given. in ...\vendor\symfony\security-http\Authenticator\Passport\Badge\UserBadge.php:69
@hracik hracik added the Bug label Jan 19, 2022
@damienfa
Copy link
Contributor

@damienfa damienfa commented Feb 16, 2022
edited

Same problem here.

In my humble opinion, it comes from Symfony\Component\Security\Http\Authenticator\Passport\Badge.
The getUser method will call the custom callback given to the second argument of the Badge class. If the custom callback returns "null" (which is "normal" when the request doesn't match to any user), it throws an AuthenticationServiceException because null is not an instanceof UserInterface … (see here)
I think it should throws an UserNotFoundException if null is found.

Here is a pull-request : #45452

damienfa added a commit to damienfa/symfony that referenced this issue Feb 17, 2022
@damienfa
Fix issue 45070 : UserNotFoundException is not thrown
9c6f2b0 
See symfony#45070.
@damienfa damienfa mentioned this issue Feb 17, 2022
Merged
fabpot added a commit to damienfa/symfony that referenced this issue Mar 27, 2022
@damienfa @fabpot
Fix issue 45070 : UserNotFoundException is not thrown
7e0ed85 
See symfony#45070.
symfony-splitter pushed a commit to symfony/security-http that referenced this issue Mar 27, 2022
@damienfa @fabpot
Fix issue 45070 : UserNotFoundException is not thrown
3e352b7 
See symfony/symfony#45070.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
No milestone
Linked pull requests

Successfully merging a pull request may close this issue.

[Security] Fix UserNotFoundException is not thrown
4 participants
@xabbuh @damienfa @carsonbot @hracik