[Security] Handle bad request format in json auth listener
This commit is contained in:
Maxime Steinhausser
parent
9d9f628d92
commit
93a8cb9cd4
@ -17,6 +17,7 @@ use Symfony\Component\HttpFoundation\JsonResponse;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\Response;
|
||||
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
|
||||
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
|
||||
use Symfony\Component\PropertyAccess\Exception\AccessException;
|
||||
use Symfony\Component\PropertyAccess\PropertyAccess;
|
||||
use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
|
||||
@ -83,23 +84,23 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
|
||||
|
||||
try {
|
||||
if (!$data instanceof \stdClass) {
|
||||
throw new BadCredentialsException('Invalid JSON.');
|
||||
throw new BadRequestHttpException('Invalid JSON.');
|
||||
}
|
||||
|
||||
try {
|
||||
$username = $this->propertyAccessor->getValue($data, $this->options['username_path']);
|
||||
} catch (AccessException $e) {
|
||||
throw new BadCredentialsException(sprintf('The key "%s" must be provided.', $this->options['username_path']));
|
||||
throw new BadRequestHttpException(sprintf('The key "%s" must be provided.', $this->options['username_path']), $e);
|
||||
}
|
||||
|
||||
try {
|
||||
$password = $this->propertyAccessor->getValue($data, $this->options['password_path']);
|
||||
} catch (AccessException $e) {
|
||||
throw new BadCredentialsException(sprintf('The key "%s" must be provided.', $this->options['password_path']));
|
||||
throw new BadRequestHttpException(sprintf('The key "%s" must be provided.', $this->options['password_path']), $e);
|
||||
}
|
||||
|
||||
if (!is_string($username)) {
|
||||
throw new BadCredentialsException(sprintf('The key "%s" must be a string.', $this->options['username_path']));
|
||||
throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['username_path']));
|
||||
}
|
||||
|
||||
if (strlen($username) > Security::MAX_USERNAME_LENGTH) {
|
||||
@ -107,7 +108,7 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
|
||||
}
|
||||
|
||||
if (!is_string($password)) {
|
||||
throw new BadCredentialsException(sprintf('The key "%s" must be a string.', $this->options['password_path']));
|
||||
throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['password_path']));
|
||||
}
|
||||
|
||||
$token = new UsernamePasswordToken($username, $password, $this->providerKey);
|
||||
|
||||
@ -93,6 +93,23 @@ class UsernamePasswordJsonAuthenticationListenerTest extends TestCase
|
||||
$this->assertEquals('ok', $event->getResponse()->getContent());
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
||||
* @expectedExceptionMessage Invalid JSON
|
||||
*/
|
||||
public function testAttemptAuthenticationNoJson()
|
||||
{
|
||||
$this->createListener();
|
||||
$request = new Request();
|
||||
$event = new GetResponseEvent($this->getMockBuilder(KernelInterface::class)->getMock(), $request, KernelInterface::MASTER_REQUEST);
|
||||
|
||||
$this->listener->handle($event);
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
||||
* @expectedExceptionMessage The key "username" must be provided
|
||||
*/
|
||||
public function testAttemptAuthenticationNoUsername()
|
||||
{
|
||||
$this->createListener();
|
||||
@ -100,9 +117,12 @@ class UsernamePasswordJsonAuthenticationListenerTest extends TestCase
|
||||
$event = new GetResponseEvent($this->getMockBuilder(KernelInterface::class)->getMock(), $request, KernelInterface::MASTER_REQUEST);
|
||||
|
||||
$this->listener->handle($event);
|
||||
$this->assertSame('ko', $event->getResponse()->getContent());
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
||||
* @expectedExceptionMessage The key "password" must be provided
|
||||
*/
|
||||
public function testAttemptAuthenticationNoPassword()
|
||||
{
|
||||
$this->createListener();
|
||||
@ -110,9 +130,12 @@ class UsernamePasswordJsonAuthenticationListenerTest extends TestCase
|
||||
$event = new GetResponseEvent($this->getMockBuilder(KernelInterface::class)->getMock(), $request, KernelInterface::MASTER_REQUEST);
|
||||
|
||||
$this->listener->handle($event);
|
||||
$this->assertSame('ko', $event->getResponse()->getContent());
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
||||
* @expectedExceptionMessage The key "username" must be a string.
|
||||
*/
|
||||
public function testAttemptAuthenticationUsernameNotAString()
|
||||
{
|
||||
$this->createListener();
|
||||
@ -120,9 +143,12 @@ class UsernamePasswordJsonAuthenticationListenerTest extends TestCase
|
||||
$event = new GetResponseEvent($this->getMockBuilder(KernelInterface::class)->getMock(), $request, KernelInterface::MASTER_REQUEST);
|
||||
|
||||
$this->listener->handle($event);
|
||||
$this->assertSame('ko', $event->getResponse()->getContent());
|
||||
}
|
||||
|
||||
/**
|
||||
* @expectedException \Symfony\Component\HttpKernel\Exception\BadRequestHttpException
|
||||
* @expectedExceptionMessage The key "password" must be a string.
|
||||
*/
|
||||
public function testAttemptAuthenticationPasswordNotAString()
|
||||
{
|
||||
$this->createListener();
|
||||
@ -130,7 +156,6 @@ class UsernamePasswordJsonAuthenticationListenerTest extends TestCase
|
||||
$event = new GetResponseEvent($this->getMockBuilder(KernelInterface::class)->getMock(), $request, KernelInterface::MASTER_REQUEST);
|
||||
|
||||
$this->listener->handle($event);
|
||||
$this->assertSame('ko', $event->getResponse()->getContent());
|
||||
}
|
||||
|
||||
public function testAttemptAuthenticationUsernameTooLong()
|
||||
|
||||
Reference in New Issue
Block a user