Merge branch '5.2' into 5.x
* 5.2: [Security\Core] Fix user enumeration via response body on invalid credentials Update VERSION for 3.4.48 Update CHANGELOG for 3.4.48
This commit is contained in:
commit
e34cd7dd2c
@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Exception\AccountStatusException;
|
||||
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
||||
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
|
||||
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
|
||||
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
|
||||
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
|
||||
use Symfony\Component\Security\Core\User\UserCheckerInterface;
|
||||
use Symfony\Component\Security\Core\User\UserInterface;
|
||||
@ -84,8 +85,8 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
|
||||
$this->userChecker->checkPreAuth($user);
|
||||
$this->checkAuthentication($user, $token);
|
||||
$this->userChecker->checkPostAuth($user);
|
||||
} catch (AccountStatusException $e) {
|
||||
if ($this->hideUserNotFoundExceptions) {
|
||||
} catch (AccountStatusException | BadCredentialsException $e) {
|
||||
if ($this->hideUserNotFoundExceptions && !$e instanceof CustomUserMessageAccountStatusException) {
|
||||
throw new BadCredentialsException('Bad credentials.', 0, $e);
|
||||
}
|
||||
|
||||
|
@ -69,6 +69,24 @@ class UserAuthenticationProviderTest extends TestCase
|
||||
$provider->authenticate($this->getSupportedToken());
|
||||
}
|
||||
|
||||
public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
|
||||
{
|
||||
$provider = $this->getProvider();
|
||||
$provider->expects($this->once())
|
||||
->method('retrieveUser')
|
||||
->willReturn($this->createMock(UserInterface::class))
|
||||
;
|
||||
$provider->expects($this->once())
|
||||
->method('checkAuthentication')
|
||||
->willThrowException(new BadCredentialsException())
|
||||
;
|
||||
|
||||
$this->expectException(BadCredentialsException::class);
|
||||
$this->expectExceptionMessage('Bad credentials.');
|
||||
|
||||
$provider->authenticate($this->getSupportedToken());
|
||||
}
|
||||
|
||||
public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
|
||||
{
|
||||
$this->expectException(AuthenticationServiceException::class);
|
||||
|
Reference in New Issue
Block a user