forked from https://github.com/symfony/symfony
2248639fb3
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Security] Lazily load the user during the check passport event
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | yes
| Tickets | Fix #37436
| License | MIT
| Doc PR | tbd
**Before**
```php
class ApiKeyAuthenticator extends AbstractAuthenticator
{
    // ...
    public function authenticate(Request $request): PassportInterface
    {
        $email = $request->headers->get('X-USER-EMAIL');
        if (false === strpos($email, '@')) {
            throw new BadCredentialsException('Email is not a valid email address.');
        }

        $user = $this->userRepository->findOneBy(['email' => $email]);
        if (null === $user) {
            throw new UsernameNotFoundException();
        }

        return new SelfValidatingPassport($user);
    }
}
```
**After**
```php
class ApiKeyAuthenticator extends AbstractAuthenticator
{
    // ...
    public function authenticate(Request $request): PassportInterface
    {
        $email = $request->headers->get('X-USER-EMAIL');
        if (false === strpos($email, '@')) {
            throw new BadCredentialsException('Email is not a valid email address.');
        }

        // a global ChainUserProvider (or firewall provider if explicitly configured) will be
        // used to load the User with $email as username
        return new SelfValidatingPassport($email);

        // or a custom closure to load the user
        return new SelfValidatingPassport(new UserBadge($email, function ($username) {
            return $this->userRepository->findOneBy(['email' => $username]);
        }));
    }
}
```
Doing it this way has a couple of advantages (some of which are already mentioned in the issue):
* Some listeners on `CheckPassportEvent` need to execute *before* loading the user - to reduce resources (e.g. CSRF protection: if CSRF fails, no DB call should be made to load the user - and also login throttling);
* Some listeners require knowing the username of the login action (e.g. login throttling on IP and username);
* The `UserProviderListener` allows moving yet another centralized action in the authentication process from the authenticator class into the Symfony framework.
Automatic User Provider integration
---
Instead of passing the credentials and a closure to `UserBadge`, you can also just pass a (string) username. The user provider will then be used to load the user. This only works for `custom_authenticators` as of this moment.
* By default, a chain user provider with all configured `user_providers` will be used as the user provider;
* However, if you explicitly configure a `provider` for that firewall, that provider will be used (using a listener with higher priority).
Commits
-------
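The ordering argument made in the description (CSRF and throttling listeners run before any user lookup, and the lookup happens at most once), as an added example that is not part of this PR or of Symfony: a small PHP model in which a hypothetical `LazyUserBadge` stands in for `UserBadge`, the user table is constructed in memory, and the expected CSRF token value is assumed.

```php
<?php
// Hypothetical stand-in for Symfony's UserBadge (not the framework's class): the
// loader closure runs only on the first getUser() call, never at construction.
final class LazyUserBadge
{
    private ?array $user = null;

    public function __construct(private string $username, private Closure $loader) {}

    public function getUser(): array
    {
        // memoized: the loader runs at most once, and only when someone asks for the user
        $this->user ??= ($this->loader)($this->username)
            ?? throw new RuntimeException('User not found.');
        return $this->user;
    }
}

// Constructed in-memory user table; $dbCalls counts repository lookups.
$dbCalls = 0;
$users = ['alice@example.com' => ['email' => 'alice@example.com', 'roles' => ['ROLE_USER']]];
$badge = new LazyUserBadge('alice@example.com', function (string $u) use (&$dbCalls, $users) {
    $dbCalls++;
    return $users[$u] ?? null;
});

// Listeners in the order the PR argues for: CSRF first (needs no user), loader last.
// An exception from any listener stops the chain before the later ones run.
$listeners = [
    function (LazyUserBadge $b, array $req): void {
        if (($req['_csrf_token'] ?? '') !== 'expected-token') {   // assumed token value
            throw new RuntimeException('Invalid CSRF token.');
        }
    },
    function (LazyUserBadge $b, array $req): void { $b->getUser(); },
];
$checkPassport = function (array $request) use ($listeners, $badge): void {
    foreach ($listeners as $listener) {
        $listener($badge, $request);
    }
};

try {
    $checkPassport(['_csrf_token' => 'wrong']);
} catch (RuntimeException $e) {
    printf("rejected (%s), db calls: %d\n", $e->getMessage(), $dbCalls);
}
$checkPassport(['_csrf_token' => 'expected-token']);
$badge->getUser(); // already loaded: no second lookup
printf("accepted, db calls: %d\n", $dbCalls);
```

Run with `php example.php` (PHP 8.0 or later for constructor promotion and `throw` expressions); the first request is rejected with zero lookups, the second is accepted with exactly one.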