[Security] Check if firewall is stateless before checking for session/previous session
This commit is contained in:
Koen Reiniers
Nicolas Grekas
parent
5b5b61f425
commit
9bb1230525
|
|
@ -134,7 +134,7 @@ class GuardAuthenticatorHandler
|
|||
|
||||
private function migrateSession(Request $request, TokenInterface $token, $providerKey)
|
||||
{
|
||||
if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession() || \in_array($providerKey, $this->statelessProviderKeys, true)) {
|
||||
if (\in_array($providerKey, $this->statelessProviderKeys, true) || !$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
|
||||
return;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -149,6 +149,25 @@ class GuardAuthenticatorHandlerTest extends TestCase
|
|||
$handler->authenticateWithToken($this->token, $this->request, 'some_provider_key');
|
||||
}
|
||||
|
||||
/**
|
||||
* @requires function \Symfony\Component\HttpFoundation\Request::setSessionFactory
|
||||
*/
|
||||
public function testSessionIsNotInstantiatedOnStatelessFirewall()
|
||||
{
|
||||
$sessionFactory = $this->getMockBuilder(\stdClass::class)
|
||||
->setMethods(['__invoke'])
|
||||
->getMock();
|
||||
|
||||
$sessionFactory->expects($this->never())
|
||||
->method('__invoke');
|
||||
|
||||
$this->request->setSessionFactory($sessionFactory);
|
||||
|
||||
$handler = new GuardAuthenticatorHandler($this->tokenStorage, $this->dispatcher, ['stateless_provider_key']);
|
||||
$handler->setSessionAuthenticationStrategy($this->sessionStrategy);
|
||||
$handler->authenticateWithToken($this->token, $this->request, 'stateless_provider_key');
|
||||
}
|
||||
|
||||
protected function setUp()
|
||||
{
|
||||
$this->tokenStorage = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface')->getMock();
|
||||
|
|
|
|||
Reference in New Issue