[Security] Check if firewall is stateless before checking for session/previous session
This commit is contained in:
parent
5b5b61f425
commit
9bb1230525
@ -134,7 +134,7 @@ class GuardAuthenticatorHandler
|
|||||||
|
|
||||||
private function migrateSession(Request $request, TokenInterface $token, $providerKey)
|
private function migrateSession(Request $request, TokenInterface $token, $providerKey)
|
||||||
{
|
{
|
||||||
if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession() || \in_array($providerKey, $this->statelessProviderKeys, true)) {
|
if (\in_array($providerKey, $this->statelessProviderKeys, true) || !$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
|
||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
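Review bot: The new ordering of the condition on the `if` line in migrateSession is load-bearing, but nothing in the code says so, and a later "tidy-up" could move `\in_array($providerKey, $this->statelessProviderKeys, true)` back to the end without any compile-time signal. The accompanying test (`testSessionIsNotInstantiatedOnStatelessFirewall`, further down this commit) indicates that `hasSession()`/`hasPreviousSession()` can resolve the lazy session factory, so the stateless check has to short-circuit first. I would add a comment above the condition: `// Stateless firewalls first: hasSession()/hasPreviousSession() may instantiate the lazy session, which a stateless firewall must never do.` The body of migrateSession continues past the end of this hunk.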
@ -149,6 +149,25 @@ class GuardAuthenticatorHandlerTest extends TestCase
|
|||||||
$handler->authenticateWithToken($this->token, $this->request, 'some_provider_key');
|
$handler->authenticateWithToken($this->token, $this->request, 'some_provider_key');
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/**
|
||||||
|
* @requires function \Symfony\Component\HttpFoundation\Request::setSessionFactory
|
||||||
|
*/
|
||||||
|
public function testSessionIsNotInstantiatedOnStatelessFirewall()
|
||||||
|
{
|
||||||
|
$sessionFactory = $this->getMockBuilder(\stdClass::class)
|
||||||
|
->setMethods(['__invoke'])
|
||||||
|
->getMock();
|
||||||
|
|
||||||
|
$sessionFactory->expects($this->never())
|
||||||
|
->method('__invoke');
|
||||||
|
|
||||||
|
$this->request->setSessionFactory($sessionFactory);
|
||||||
|
|
||||||
|
$handler = new GuardAuthenticatorHandler($this->tokenStorage, $this->dispatcher, ['stateless_provider_key']);
|
||||||
|
$handler->setSessionAuthenticationStrategy($this->sessionStrategy);
|
||||||
|
$handler->authenticateWithToken($this->token, $this->request, 'stateless_provider_key');
|
||||||
|
}
|
||||||
|
|
||||||
protected function setUp()
|
protected function setUp()
|
||||||
{
|
{
|
||||||
$this->tokenStorage = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface')->getMock();
|
$this->tokenStorage = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface')->getMock();
|
||||||
|
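Review bot: The real assertion in testSessionIsNotInstantiatedOnStatelessFirewall is the `expects($this->never())->method('__invoke')` on the factory mock, yet the test body reads like plain setup and the docblock only carries the `@requires` line; a reader has to infer what regression it pins. I would extend the docblock with one sentence, `Regression test: authenticating on a stateless firewall must not instantiate the request session via the session factory.`, and put `// the assertion: the lazy session factory is never invoked` above the `expects` call. The `\stdClass` mock with a single `__invoke` is a reasonable stand-in for a callable factory, though `setMethods()` is the only way it is configured, so newer PHPUnit releases may need this adjusted. setUp() begins inside this hunk but its body continues past the end of it.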