
[KernelBrowser] loginUser does not work with lazy session #49116

Open
micheh opened this issue Jan 26, 2023 · 5 comments

Comments

@micheh
Contributor

micheh commented Jan 26, 2023

Symfony version(s) affected

5.4.19

Description

In functional tests, the KernelBrowser::loginUser() does not seem to support lazy sessions.

For example, Symfony\Bundle\FrameworkBundle\KernelBrowser::loginUser creates a session with MOCKSESSID=d3d.... The specified user is now in the token storage as expected.

Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext::__invoke then sets the initializer of the token storage, which will call Symfony\Component\Security\Http\Firewall\ContextListener::authenticate when needed.

But then ContextListener::authenticate() will use a different session (e.g. MOCKSESSID=25f...) than the one created by the KernelBrowser. Therefore the context listener cannot fetch the token from the session and will overwrite the existing user set by the KernelBrowser with null. The request in ContextListener::authenticate() has the correct cookie with the expected session id (MOCKSESSID=d3d...), but somehow a different session id is used.

The test works with lazy: false, but fails with lazy: true.

How to reproduce

Security configuration:

security:
    enable_authenticator_manager: true
    firewalls:
        main:
            lazy: true

Test:

$client = self::createClient();
// create $user from somewhere ...
$client->loginUser($user);
$client->request('GET', '/admin'); // Route which needs authentication

Controller:

$this->denyAccessUnlessGranted('ROLE_ADMIN');

Possible Solution

No response

Additional Context

No response

@mikeyudin

mikeyudin commented Jan 26, 2023

Confirming an issue here as well. After upgrading to 5.4.19, loginUser() stopped working completely, regardless of the lazy flag setting. All of my tests redirect to the main firewall's login page, even though I have tests set to http_basic as described below:

when@test:
  security:
    firewalls:
      main:
        http_basic: ~

Test:

$user = //retrieve user object
$client = static::createClient();
$client->loginUser($user, 'main');
$client->get('/admin/');
$this->assertEquals(200, $client->getResponse()->getStatusCode());

Response:

Request was not successful for: /admin/
Failed asserting that 302 matches expected 200.
Expected :200
Actual   :302

@nicolas-grekas
Member

Can you figure out the issue? Or maybe which PR among #49086 introduced the regression?

@micheh
Contributor Author

micheh commented Jan 26, 2023

The SessionListener is used to return the session (the session from the container):
https://github.com/symfony/symfony/blob/5.4/src/Symfony/Component/HttpKernel/EventListener/SessionListener.php#L51

With lazy: true, the listener returns a different session than the one from KernelBrowser. The problem exists in all 5.4 versions.

@nicolas-grekas
Member

nicolas-grekas commented Jan 26, 2023

Thanks @micheh. Can you provide a small reproducing app? That'd help the person who will work on the fix a lot (could be you ;))

@mikeyudin looks like you're having another issue since this looks like a regression for you. Can you try figuring out either a reproducing app or at least the PR that introduced the issue?

@mikeyudin

@nicolas-grekas -- Yes, I'm looking into it. It appears as though a transitive dependency is pulling in http-kernel@6.0.x which is causing an issue. Manually adding http-kernel@5.4.19 resolved the issue for me. Trying to figure out what is causing the issue.
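The diagnosis in the comment above (a transitive dependency pulling symfony/http-kernel 6.0.x into an otherwise 5.4 install) can be checked mechanically from composer.lock. The following script is an added example and not part of the issue thread or of Symfony itself: it reads the `packages` and `packages-dev` sections of a lock file, extracts the major version of every symfony/* component, and reports the ones whose major differs from the baseline (the most common major, or one you pin explicitly). The lock excerpt embedded in `SAMPLE_LOCK` is constructed for the demo, and the list of packages exempted from the check (polyfills, contracts, flex, and bundles with their own release cycle) is an assumption to adjust for your project.

```python
"""Report symfony/* packages installed on a different major than the rest.

Added example (not Symfony code): automates the composer.lock check behind
"a transitive dependency is pulling in http-kernel@6.0.x" on a 5.4 project.
"""
import json
import re
from collections import Counter

# Constructed composer.lock excerpt: only the fields this script reads.
SAMPLE_LOCK = json.dumps({
    "packages": [
        {"name": "symfony/framework-bundle", "version": "v5.4.19"},
        {"name": "symfony/security-bundle", "version": "v5.4.19"},
        {"name": "symfony/http-kernel", "version": "v6.0.19"},
        {"name": "symfony/polyfill-php80", "version": "v1.27.0"},
        {"name": "doctrine/orm", "version": "2.14.0"},
    ],
    "packages-dev": [
        {"name": "symfony/browser-kit", "version": "v5.4.19"},
        {"name": "symfony/phpunit-bridge", "version": "dev-main"},
    ],
})

VERSION_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)")

# Assumption: symfony/* packages that intentionally do not follow the
# framework's major version. Extend this for your own project.
EXEMPT_PREFIXES = ("symfony/polyfill-", "symfony/flex")
EXEMPT_SUFFIXES = ("-contracts",)
EXEMPT_NAMES = {"symfony/monolog-bundle", "symfony/maker-bundle"}


def major_of(version):
    """Major number of a tagged version ('v5.4.19' -> 5); None for dev branches."""
    match = VERSION_RE.match(version)
    return int(match.group(1)) if match else None


def is_exempt(name):
    return (name.startswith(EXEMPT_PREFIXES)
            or name.endswith(EXEMPT_SUFFIXES)
            or name in EXEMPT_NAMES)


def symfony_majors(lock_json):
    """Return {package: major} for every tagged, non-exempt symfony/* package."""
    lock = json.loads(lock_json)
    majors = {}
    for section in ("packages", "packages-dev"):
        for pkg in lock.get(section, []):
            name = pkg["name"]
            if not name.startswith("symfony/") or is_exempt(name):
                continue
            major = major_of(pkg.get("version", ""))
            if major is not None:  # skip dev-* entries, they carry no major
                majors[name] = major
    return majors


def find_mixed_majors(lock_json, expected_major=None):
    """Return (baseline_major, {package: major}) for packages off the baseline.

    The baseline is expected_major when given, otherwise the most common
    major among the symfony/* packages in the lock file.
    """
    majors = symfony_majors(lock_json)
    if not majors:
        return None, {}
    if expected_major is None:
        expected_major = Counter(majors.values()).most_common(1)[0][0]
    off = {name: m for name, m in majors.items() if m != expected_major}
    return expected_major, off


if __name__ == "__main__":
    baseline, off = find_mixed_majors(SAMPLE_LOCK)
    print(f"baseline major: {baseline}")
    for name, major in sorted(off.items()):
        print(f"  {name} is on major {major}")
```

Run it against a real project by replacing `SAMPLE_LOCK` with the contents of `composer.lock`; for each package it reports, `composer why symfony/http-kernel` (an alias of `composer depends`) shows which dependency required the mismatched version. Passing `expected_major=5` instead of relying on the majority is the safer mode in CI, since a majority vote cannot tell a single stray package from a half-migrated tree.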
