forked from https://github.com/symfony/symfony
69a0b29fab
This PR was squashed before being merged into the 5.3-dev branch.
Discussion
----------
[Security] [RememberMe] Add support for parallel requests doing remember-me re-authentication
| Q | A
| ------------- | ---
| Branch? | 5.x
| Bug fix? | yes
| New feature? | yes ish <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix #40971, Fix #28314, Fix #18384
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
This is a possible implementation to gather feedback mostly..
`TokenVerifierInterface` naming is kinda bad perhaps.. But my goal would be to merge it in TokenProviderInterface for 6.0 so it's not so important. Not sure if/how to best indicate this in terms of deprecation notices.
Anyway wondering if this would be an acceptable implementation (ideally in an application I would probably override the new methods from DoctrineTokenProvider to something like this which is less of a hack and does expiration properly:
```php
public function verifyToken(PersistentTokenInterface $token, string $tokenValue)
{
if (hash_equals($token->getTokenValue(), $tokenValue)) {
return true;
}
if (!$this->cache->hasItem('rememberme-' . $token->getSeries())) {
return false;
}
/** `@var` CacheItem $item */
$item = $this->cache->getItem('rememberme-' . $token->getSeries());
$oldToken = $item->get();
return hash_equals($oldToken, $tokenValue);
}
public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void
{
$this->updateToken($token->getSeries(), $tokenValue, $lastUsed);
/** `@var` CacheItem $item */
$item = $this->cache->getItem('rememberme-'.$token->getSeries());
$item->set($token->getTokenValue());
$item->expiresAfter(60);
$this->cache->save($item);
}
```
If you think it'd be fine to require optionally the cache inside DoctrineTokenProvider to enable this feature instead of the hackish way I did it, that'd be ok for me too.
The current `DoctrineTokenProvider` implementation of `TokenVerifierInterface` relies on the lucky fact that series are generated using `base64_encode(random_bytes(64))` which always ends in the `==` padding of base64, so that allowed me to store an alternative token value temporarily by replacing `==` with `_`.
Alternative implementation options:
1. Inject cache in `DoctrineTokenProvider` and do a proper implementation (as shown above) that way
2. Do not implement at all in `DoctrineTokenProvider` and let users who care implement this themselves.
3. Implement as a new `token_verifier` option that could be configured on the `firewall->remember_me` key so you can pass an implementation if needed, and possibly ship a default one using cache that could be autoconfigured
4. Add events that allow modifying the token to be verified, and allow receiving the newly updated token incl series, instead of TokenVerifierInterface, but then we need to inject a dispatcher in RememberMeAuthenticator.
`@chalasr` `@wouterj` sorry for the long description but in the hope of getting this included in 5.3.0, if you can provide guidance I will happily work on this further tomorrow to try and wrap it up ASAP.
Commits
-------
|
||
---|---|---|
.github | ||
src/Symfony | ||
.appveyor.yml | ||
.editorconfig | ||
.gitattributes | ||
.gitignore | ||
.php-cs-fixer.dist.php | ||
.travis.yml | ||
CHANGELOG-5.0.md | ||
CHANGELOG-5.1.md | ||
CHANGELOG-5.2.md | ||
CHANGELOG-5.3.md | ||
CODE_OF_CONDUCT.md | ||
composer.json | ||
CONTRIBUTING.md | ||
CONTRIBUTORS.md | ||
LICENSE | ||
link | ||
phpunit | ||
phpunit.xml.dist | ||
psalm.xml | ||
README.md | ||
UPGRADE-5.0.md | ||
UPGRADE-5.1.md | ||
UPGRADE-5.2.md | ||
UPGRADE-5.3.md | ||
UPGRADE-6.0.md |
Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Symfony is used by thousands of web applications (including BlaBlaCar.com and Spotify.com) and most of the popular PHP projects (including Drupal and Magento).
Installation
- Install Symfony with Composer (see requirements details).
- Symfony follows the semantic versioning strictly, publishes "Long Term Support" (LTS) versions and has a release process that is predictable and business-friendly.
Documentation
- Read the Getting Started guide if you are new to Symfony.
- Try the Symfony Demo application to learn Symfony in practice.
- Discover Symfony ecosystem in detail with Symfony The Fast Track.
- Master Symfony with the Guides and Tutorials, the Components docs and the Best Practices reference.
Community
- Join the Symfony Community and meet other members at the Symfony events.
- Get Symfony support on Stack Overflow, Slack, IRC, etc.
- Follow us on GitHub, Twitter and Facebook.
- Read our Code of Conduct and meet the CARE Team.
Contributing
Symfony is an Open Source, community-driven project with thousands of contributors. Join them contributing code or contributing documentation.
Security Issues
If you discover a security vulnerability within Symfony, please follow our disclosure procedure.
About Us
Symfony development is sponsored by SensioLabs, led by the Symfony Core Team and supported by Symfony contributors.