Merge branch '5.2' into 5.x
* 5.2: [Security\Core] Fix user enumeration via response body on invalid credentials Update VERSION for 3.4.48 Update CHANGELOG for 3.4.48
commit
e34cd7dd2c
@ -18,6 +18,7 @@ use Symfony\Component\Security\Core\Exception\AccountStatusException;
|
|||||||
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
use Symfony\Component\Security\Core\Exception\AuthenticationException;
|
||||||
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
|
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
|
||||||
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
|
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
|
||||||
|
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
|
||||||
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
|
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
|
||||||
use Symfony\Component\Security\Core\User\UserCheckerInterface;
|
use Symfony\Component\Security\Core\User\UserCheckerInterface;
|
||||||
use Symfony\Component\Security\Core\User\UserInterface;
|
use Symfony\Component\Security\Core\User\UserInterface;
|
||||||
@ -84,8 +85,8 @@ abstract class UserAuthenticationProvider implements AuthenticationProviderInter
|
|||||||
$this->userChecker->checkPreAuth($user);
|
$this->userChecker->checkPreAuth($user);
|
||||||
$this->checkAuthentication($user, $token);
|
$this->checkAuthentication($user, $token);
|
||||||
$this->userChecker->checkPostAuth($user);
|
$this->userChecker->checkPostAuth($user);
|
||||||
} catch (AccountStatusException $e) {
|
} catch (AccountStatusException | BadCredentialsException $e) {
|
||||||
if ($this->hideUserNotFoundExceptions) {
|
if ($this->hideUserNotFoundExceptions && !$e instanceof CustomUserMessageAccountStatusException) {
|
||||||
throw new BadCredentialsException('Bad credentials.', 0, $e);
|
throw new BadCredentialsException('Bad credentials.', 0, $e);
|
||||||
}
|
}
|
||||||
|
|
||||||
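Review bot: The widened catch on the `} catch (AccountStatusException | BadCredentialsException $e) {` line carries no comment, so a later reader may narrow it back to `AccountStatusException` without seeing why `BadCredentialsException` from `checkAuthentication()` now gets the same treatment; a comment above it such as `// Also wrap BadCredentialsException: its original message can differ per failure cause, which lets a client tell existing accounts apart from the response body` would record the intent stated in the commit title. The replacement exception keeps the original as `previous`, so the detailed reason stays available for logging, but by the same token any error handler that renders the previous exception's message or the full chain reintroduces the leak; it is worth saying in the same comment that only the top-level message is neutralised. The new `!$e instanceof CustomUserMessageAccountStatusException` clause deliberately lets user-authored messages through even when hiding is enabled, so those messages must themselves avoid revealing whether an account exists. The enclosing method, and whatever follows the `if` block (presumably a rethrow of `$e`), lie outside this hunk.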
|
@ -69,6 +69,24 @@ class UserAuthenticationProviderTest extends TestCase
|
|||||||
$provider->authenticate($this->getSupportedToken());
|
$provider->authenticate($this->getSupportedToken());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
|
||||||
|
{
|
||||||
|
$provider = $this->getProvider();
|
||||||
|
$provider->expects($this->once())
|
||||||
|
->method('retrieveUser')
|
||||||
|
->willReturn($this->createMock(UserInterface::class))
|
||||||
|
;
|
||||||
|
$provider->expects($this->once())
|
||||||
|
->method('checkAuthentication')
|
||||||
|
->willThrowException(new BadCredentialsException())
|
||||||
|
;
|
||||||
|
|
||||||
|
$this->expectException(BadCredentialsException::class);
|
||||||
|
$this->expectExceptionMessage('Bad credentials.');
|
||||||
|
|
||||||
|
$provider->authenticate($this->getSupportedToken());
|
||||||
|
}
|
||||||
|
|
||||||
public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
|
public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
|
||||||
{
|
{
|
||||||
$this->expectException(AuthenticationServiceException::class);
|
$this->expectException(AuthenticationServiceException::class);
|
||||||
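Review bot: The new `testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue` throws `new BadCredentialsException()` with an empty message, and `expectExceptionMessage` only checks for a substring, so the test cannot tell "original message replaced" from "generic text prepended to the original"; throwing a distinctive text, `->willThrowException(new BadCredentialsException('presented password is invalid'))`, and checking the exact result with `$this->expectExceptionMessageMatches('/^Bad credentials\.$/');` pins the behaviour the fix is about. The hide flag is only implied by the test name: `$provider = $this->getProvider();` is called with no arguments, so if that helper accepts the flag it should be passed explicitly rather than relying on its default. Neither the counterpart with hiding disabled (where the original message must survive) nor the `CustomUserMessageAccountStatusException` carve-out in the production change is exercised here; they may be covered elsewhere in the class, but this hunk does not show them. `UserAuthenticationProviderTest` continues beyond the hunk.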
|