This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[Security] Magic login link authentication
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | none
| License | MIT
| Doc PR | TODO
Hi!
This adds a Slack-style "magic link" login authenticator to the new login system: (A) enter your email into a form, (B) receive an email with a link in it (C) click that link and you are authenticated!
For most users, implementing this would require:
A) Create a [controller](https://github.com/weaverryan/symfony-magic-login-link-example/blob/master/src/Controller/MagicLinkLoginController.php) with the "enter your email" form and a route for the "check" functionality (similar to `form_login`)
B) Activate in `security.yaml`:
```yml
security:
enable_authenticator_manager: true
# ...
firewalls:
# ...
main:
# ...
login_link:
check_route: 'magic_link_verify'
# this is an important and powerful option
# An array of properties on your User that are used to sign the link.
# If any of these change, all existing links will become invalid
# tl;dr If you want the modification of ANY field to invalidate ALL existing magic links immediately,
# then you can add it to this list. You could even add a "lastLoginLinkSentAt" to invalid
# all existing login links when a new one is sent.
signature_properties: [id, password, email]
# optional - by default, links can be reused but have a 10 minute lifetime
#max_uses: 3
#used_link_cache: cache.app
```
Done! This will generate a URL that looks something like this:
> https://127.0.0.1:9033/login/verify?user=weaverryan@gmail.com&expires=1601342578&hash=YzE1ZDJlYjM3YTMyMjgwZDdkYzg2ZjFlMjZhN2E5ZWRmMzk3NjAxNjRjYThiMjMzNmIxYzAzYzQ4NmQ2Zjk4NA%3D%3D
We would implement a Maker command this config + login/controller. The implementation is done via a "signed URL" and an optional cache pool to "expire" links. The hash of the signed URL can contain any user fields you want, which give you a powerful mechanism to invalidate magic tokens on user data changes. See `signature_properties` above.
#### Security notes:
There is a LOT of variability about how secure these need to be:
* A) Many/most implementation only allow links to be used ONE time. That is *possible* with this implementation, but is not the *default*. You CAN add a `max_uses` config which stores the expired links in a cache so they cannot be re-used. However, to make this work, you need to do more work by adding some "page" between the link the users clicks and *actually* using the login link. Why? Because unless you do this, email clients may follow the link to "preview" it and will "consume" the link.
* B) Many implementations will invalidate all other login links for a user when a new one is created. We do *not* do that, but that IS possible (and we could even generate the code for it) by adding a `lastLoginLinkSentAt` field to `User` and including this in `signature_properties`.
* C) We *do* invalidate all links if the user's email address is changed (assuming the `email` is included in `signature_properties`, which it should be). You can also invalidate on password change or whatever you want.
* D) Some implementations add a "state" so that you can only use the link on the same device that created it. That is, in many cases, quite annoying. We do not currently support that, but we could in the future (and the user could add it themselves).
Thanks!
#### TODOS:
* [x] A) more tests: functional (?) traits
* [ ] B) documentation
* [ ] C) MakerBundle PR
* [ ] D) Make sure we have what we need to allow that "in between" page
* [ ] E) Create a new cache pool instead of relying on cache.app?
Commits
-------
a8afe109d8 [Security] Magic login link authentication
This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[HttpFoundation] Add Request::toArray() for JSON content
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | ni
| New feature? | yes
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
The past few months I've been working more and more with javascript and APIs. I've written controllers that parse json from the request body. I've found myself copying code between projects so I looked at the possibility to add this code to the `Request` class itself.
### Usage
```http
POST /add-user
Content-Type: application/json
{"name": "Tobias", "email": "tobias.nyholm@gmail.com"}
```
```php
use Symfony\Component\HttpFoundation\Exception\JsonException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\JsonResponse;
class MyController
// ...
public function addUser(Request $request): JsonResponse
{
try {
$data = $request->toArray();
} catch (JsonException $e) {
return new JsonResponse(['message'=>'Request does not contain valid json'], 415);
}
$command = new AddUser($data['email'] ?? '', $data['name'] ?? '');
try {
$this->commandBus->dispatch($command);
} catch (ValidationFailedException $e) {
return new JsonResponse(['message' => 'Unexpected JSON body'], 400);
}
return new JsonResponse(['message' => 'User successfully added']);
}
}
```
----------
I've searched but I have not found that this has been proposed before.. With is strange.. ¯\\_(ツ)_/¯
Commits
-------
83c1a2666d [HttpFoundation] Add Request::toArray() for JSON content
This PR was merged into the 5.2-dev branch.
Discussion
----------
[PropertyInfo] Fix failure over array<string,mixed> PhpDoc type
| Q | A
| ------------- | ---
| Branch? | master (issue introduced in master)
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | /
| License | MIT
| Doc PR | /
**Background**
Since a few days ago ([this commit](80e5a7fbd8)), PropertyInfo 5.2 component supports array PhpDoc types, such as `array<string,string>`.
While testing SF 5.2 over my project, it was failing over:
```php
class SomeDoctrineEntityProxy implements \Doctrine\ORM\Proxy\Proxy
{
/**
* @var array<string, mixed> default values of properties to be lazy loaded, with keys being the property names
*
* @see \Doctrine\Common\Proxy\Proxy::__getLazyProperties
*/
public static $lazyPropertiesDefaults = array();
}
```
Upon investigation, it appears `array<string,mixed>` is causing the issue: `mixed` type is not handled.
**Expected behavior**
PropertyInfo component should not guess anything for `mixed` type (return `NULL`), but it should not throw any exception.
**Comment about my fix**
I added a test case (`arrayOfMixed`) you can use to reproduce the issue.
Since array PhpDoc types were not tested at all, I also added a test case over `array<string,string>`.
Commits
-------
590177ff8e [PropertyInfo] Fix failure over array<string,mixed> PhpDoc type
This PR was merged into the 5.2-dev branch.
Discussion
----------
[HttpClient] Fix exception triggered with AsyncResponse
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | https://github.com/symfony/symfony/pull/38289#issuecomment-702573975
| License | MIT
| Doc PR | /
When a request is replayed with the AsyncResponse and the 2nd request failed, users get an exception even when they pass `$throw=false`.
In fact, there are 2 exceptions:
1. Cannot get the content of the response twice: buffering is disabled.
73ca97c97a/src/Symfony/Component/HttpClient/Response/CommonResponseTrait.php (L51-L68)
Because CommonResponseTrait::$content is null and `self::stream` yield only the LastChunk. The content is stays null
2. HTTP/2 429 returned for "https://httpbin.org/status/429"
73ca97c97a/src/Symfony/Component/HttpClient/Response/AsyncResponse.php (L209-L225)
Because on the second request passthru is null, it didn't disable the the exception thrown on destruct for the wrapped response.
This
Commits
-------
3aedb51dd8 [HttpClient] Fix exception triggered with AsyncResponse
* 5.1:
[5.1] Ignore more deprecations for Mockery mocks
[PhpUnitBridge] Fix Deprecation file when it comes from the TestsListener
disallow FrameworkBundle 4.4+
propagate validation groups to subforms
[Form] [Validator] Add failing testcase to demonstrate group sequence issue
* 4.4:
disallow FrameworkBundle 4.4+
propagate validation groups to subforms
[Form] [Validator] Add failing testcase to demonstrate group sequence issue
* 3.4:
disallow FrameworkBundle 4.4+
propagate validation groups to subforms
[Form] [Validator] Add failing testcase to demonstrate group sequence issue
* 5.1:
[HttpClient] fix using proxies with NativeHttpClient
[4.4] Ignore more deprecations for Mockery mocks
[Routing] fix using !important and defaults/reqs in inline route definitions
[ErrorHandler][DebugClassLoader] Do not check Mockery mocks classes
[HttpClient] Fix using https with proxies
[TwigBundle] Only remove kernel exception listener if twig is used
[DI] Fix changelog
Remove CHANGELOG files for 4.x
Adjust expired range check
Fix redis connection error message
[DI] fix dumping non-shared lazy services
* 4.4:
[HttpClient] fix using proxies with NativeHttpClient
[4.4] Ignore more deprecations for Mockery mocks
[Routing] fix using !important and defaults/reqs in inline route definitions
[ErrorHandler][DebugClassLoader] Do not check Mockery mocks classes
[HttpClient] Fix using https with proxies
[TwigBundle] Only remove kernel exception listener if twig is used
Adjust expired range check
Fix redis connection error message
This PR was merged into the 4.4 branch.
Discussion
----------
[HttpClient] fix using proxies with NativeHttpClient
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
As spotted by @stof in https://github.com/symfony/symfony/pull/38368#issuecomment-702272737, we cannot use local DNS resolution with HTTP proxies.
Commits
-------
28f301bf03 [HttpClient] fix using proxies with NativeHttpClient
This PR was merged into the 4.4 branch.
Discussion
----------
[Routing] fix using !important and defaults/reqs in inline route definitions
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#33224
| License | MIT
| Doc PR | -
Commits
-------
826db225b7 [Routing] fix using !important and defaults/reqs in inline route definitions
This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[RateLimiter] Fix cache storage (use namespaced pool + remove \Serializable)
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#38365, fix#38338
| License | MIT
| Doc PR | -
Commits
-------
251c202874 Use a dedicated cache.rate_limiter cache pool
5dc562a318 Use __sleep/__wakeup instead of Serializable
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Messenger] Added ErrorDetailsStamp
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| BC breaks? | yes
| Deprecations? | no
| Tests pass? | yes
| Fixed tickets | #32311
| License | MIT
| Doc PR | No doc changes are needed
#SymfonyHackday
This PR is part of the work started in #32341. That PR has a workaround for showing exceptions added to a previous retry. This PR stores error messages in a separate stamp, so they're more easily accessed.
I also added the exceptionClass as a separate string (independant of FlattenException), so that information is always available, even if the trace is not (due to FlattenException not being available).
Duplicated exceptions (compared to the last one) are not stored separately.
**Questions:**
- Should we limit the total amount of exceptions (remove the oldest when adding a new one)?
- Yes, but in a new PR
- The current implementation adds this stamp in the Worker instead of the listeners to prevent duplicate code (due to the immutability of the envelope in the event). Is this the proper way to do this?
- No, create a new listener and a way to add stamps to the envelope inside the event.
- When adding details of a `HandlerFailedException`, should we add a stamp per wrapped `Throwable`? There can be multiple errors wrapped by a single `HandlerFailedException`.
- Yes, but in a later PR
**Todo:**
- [x] only add new information if it differs from the previous exception
- [x] add deprecations
- [x] fall back to old stamp data if no new stamp is available
- [x] rebase and retarget to master
- [x] update CHANGELOG.md
- [x] check for docs PR
**BC Breaks:**
When this PR is merged, RedeliveryStamps will no longer be populated with exception data. Any implementations that use `RedeliveryStamp::getExceptionMessage()` or `RedeliveryStamp::getFlattenedException()` will receive an empty string or `null` respectively for stamps added after this update. They should rely on `ErrorDetailsStamp` instead.
**New stuff:**
- New stamp `ErrorDetailsStamp`.
- New event subscriber `AddErrorDetailsStampListener`.
- New method `AbstractWorkerMessageEvent::addStamps`.
Commits
-------
cd27b863f9 [Messenger] Added FailedMessageErrorDetailsStamp
This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[Messenger] dispatch event when a message is retried
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
Hello,
i'm working on a bundle which helps to monitor messenger queues (add some stats for queues/transports + ability to manage failed messages from the browser)
https://github.com/SymfonyCasts/messenger-monitor-bundle/
and we're missing some hooks in the messaging system:
1. a way to know when a message has been retried (fixed by dispatching a new `WorkerMessageRetriedEvent` in `SendFailedMessageForRetryListener::onMessageFailed()`)
2. a way to update the enveloppe in worker message events (fixed by adding `AbstractWorkerMessageEvent::setEnvelope()`)
if needed i can provide some precise use cases.
thanks.
Commits
-------
55bddcb721 [Messenger] dispatch event when a message is retried
This PR was merged into the 5.2-dev branch.
Discussion
----------
[HttpClient] provide response body to the RetryDecider
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | yes but for not-yet released 5.2 feature
| Tickets | /
| License | MIT
| Doc PR | TODO
Some servers, like AWS, does not always return standard HTTP code. The strategy needs to parse the body to take a decision.
example:
```
400
x-amzn-requestid: XXXXX
content-type: application/x-amz-json-1.1
content-length: 58
date: Thu, 24 Sep 2020 11:17:35 GMT
connection: close
{"__type":"ThrottlingException","message":"Rate exceeded"}
````
This PR update the `RetryDeciderInterface` interface to let the decider notifying the Client when it need the body to take a decision. in that case, the Client, fetch te client, and call again the decider with the full body.
usage
```php
class Decider implements RetryDeciderInterface {
public function shouldRetry(string $requestMethod, string $requestUrl, array $requestOptions, int $responseCode, array $responseHeaders, ?string $responseContent, \Throwable $throwable = null): ?bool
{
if (null !== $throwable) {
return true;
}
if (in_array($responseCode, [423, 425, 429, 500, 502, 503, 504, 507, 510])) {
return true;
}
if (
$responseCode !== 400
|| $headers['content-type'][0] ?? null !== 'application/x-amz-json-1.1'
|| (int) $headers['content-length'][0] ?? '0' > 1024
) {
return false;
}
if (null === $responseContent) {
return null; // null mean no decision taken and need to be called again with the body
}
$data = json_decode($responseContent, true);
return $data['__type'] ?? '' === 'ThrottlingException';
}
}
```
Commits
-------
321be5884d [HttpClient] provide response body to the RetryDecider
