symfony · nicolas-grekas · Nov 24, 2022 · Nov 22, 2022
@@ -79,9 +79,9 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal

        $container
            ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.access_token'))
-            ->replaceArgument(0, $userProvider)
-            ->replaceArgument(1, new Reference($config['token_handler']))
-            ->replaceArgument(2, new Reference($extractorId))
+            ->replaceArgument(0, new Reference($config['token_handler']))
+            ->replaceArgument(1, new Reference($extractorId))
+            ->replaceArgument(2, $userProvider)
            ->replaceArgument(3, $successHandler)
            ->replaceArgument(4, $failureHandler)
            ->replaceArgument(5, $config['realm'])

@@ -26,12 +26,12 @@
        ->set('security.authenticator.access_token', AccessTokenAuthenticator::class)
            ->abstract()
            ->args([
-                abstract_arg('user provider'),
                abstract_arg('access token handler'),
                abstract_arg('access token extractor'),
                null,
                null,
                null,
+                null,
            ])
            ->call('setTranslator', [service('translator')->ignoreOnInvalid()])


@@ -13,17 +13,18 @@

 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

 class AccessTokenHandler implements AccessTokenHandlerInterface
 {
    public function __construct()
    {
    }

-    public function getUserIdentifierFrom(string $accessToken): string
+    public function getUserBadgeFrom(string $accessToken): UserBadge
    {
        return match ($accessToken) {
-            'VALID_ACCESS_TOKEN' => 'dunglas',
+            'VALID_ACCESS_TOKEN' => new UserBadge('dunglas'),
            default => throw new BadCredentialsException('Invalid credentials.'),
        };
    }

@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Http\AccessToken;

 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

 /**
 * The token handler retrieves the user identifier from the token.
@@ -24,5 +25,5 @@ interface AccessTokenHandlerInterface
    /**
     * @throws AuthenticationException
     */
-    public function getUserIdentifierFrom(#[\SensitiveParameter] string $accessToken): string;
+    public function getUserBadgeFrom(#[\SensitiveParameter] string $accessToken): UserBadge;
 }
@@ -21,7 +21,6 @@
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
-use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken;
@@ -38,9 +37,9 @@ class AccessTokenAuthenticator implements AuthenticatorInterface
    private ?TranslatorInterface $translator = null;

    public function __construct(
-        private readonly UserProviderInterface $userProvider,
        private readonly AccessTokenHandlerInterface $accessTokenHandler,
        private readonly AccessTokenExtractorInterface $accessTokenExtractor,
+        private readonly ?UserProviderInterface $userProvider = null,
        private readonly ?AuthenticationSuccessHandlerInterface $successHandler = null,
        private readonly ?AuthenticationFailureHandlerInterface $failureHandler = null,
        private readonly ?string $realm = null,
@@ -58,11 +57,13 @@ public function authenticate(Request $request): Passport
        if (!$accessToken) {
            throw new BadCredentialsException('Invalid credentials.');
        }
-        $userIdentifier = $this->accessTokenHandler->getUserIdentifierFrom($accessToken);

-        return new SelfValidatingPassport(
-            new UserBadge($userIdentifier, $this->userProvider->loadUserByIdentifier(...))
-        );
+        $userBadge = $this->accessTokenHandler->getUserBadgeFrom($accessToken);
+        if (null === $userBadge->getUserLoader() && $this->userProvider) {
+            $userBadge->setUserLoader($this->userProvider->loadUserByIdentifier(...));
+        }
+
+        return new SelfValidatingPassport($userBadge);
    }

    public function createToken(Passport $passport, string $firewallName): TokenInterface

@@ -22,6 +22,7 @@
 use Symfony\Component\Security\Http\AccessToken\HeaderAccessTokenExtractor;
 use Symfony\Component\Security\Http\AccessToken\QueryAccessTokenExtractor;
 use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Tests\Authenticator\InMemoryAccessTokenHandler;

@@ -40,7 +41,7 @@ protected function setUp(): void
    /**
     * @dataProvider provideSupportData
     */
-    public function testSupport($request): void
+    public function testSupport($request)
    {
        $this->setUpAuthenticator();

@@ -53,9 +54,9 @@ public function provideSupportData(): iterable
        yield [new Request([], [], [], [], [], ['HTTP_AUTHORIZATION' => 'Bearer INVALID_ACCESS_TOKEN'])];
    }

-    public function testAuthenticate(): void
+    public function testAuthenticate()
    {
-        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', 'foo');
+        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', new UserBadge('foo'));
        $this->setUpAuthenticator();

        $request = new Request([], [], [], [], [], ['HTTP_AUTHORIZATION' => 'Bearer VALID_ACCESS_TOKEN']);
@@ -66,7 +67,7 @@ public function testAuthenticate(): void
    /**
     * @dataProvider provideInvalidAuthenticateData
     */
-    public function testAuthenticateInvalid($request, $errorMessage, $exceptionType = BadRequestHttpException::class): void
+    public function testAuthenticateInvalid($request, $errorMessage, $exceptionType = BadRequestHttpException::class)
    {
        $this->expectException($exceptionType);
        $this->expectExceptionMessage($errorMessage);
@@ -100,13 +101,13 @@ public function provideInvalidAuthenticateData(): iterable
    private function setUpAuthenticator(): void
    {
        $this->authenticator = new AccessTokenAuthenticator(
-            $this->userProvider,
            $this->accessTokenHandler,
            new ChainAccessTokenExtractor([
                new FormEncodedBodyExtractor(),
                new QueryAccessTokenExtractor(),
                new HeaderAccessTokenExtractor(),
-            ])
+            ]),
+            $this->userProvider
        );
    }
 }
@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\AccessToken\FormEncodedBodyExtractor;
 use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Tests\Authenticator\InMemoryAccessTokenHandler;

@@ -34,7 +35,7 @@ protected function setUp(): void
        $this->accessTokenHandler = new InMemoryAccessTokenHandler();
    }

-    public function testSupport(): void
+    public function testSupport()
    {
        $this->setUpAuthenticator();
        $request = new Request([], [], [], [], [], ['CONTENT_TYPE' => 'application/x-www-form-urlencoded']);
@@ -44,7 +45,7 @@ public function testSupport(): void
        $this->assertNull($this->authenticator->supports($request));
    }

-    public function testSupportsWithCustomParameter(): void
+    public function testSupportsWithCustomParameter()
    {
        $this->setUpAuthenticator('protection-token');
        $request = new Request([], [], [], [], [], ['CONTENT_TYPE' => 'application/x-www-form-urlencoded']);
@@ -54,9 +55,9 @@ public function testSupportsWithCustomParameter(): void
        $this->assertNull($this->authenticator->supports($request));
    }

-    public function testAuthenticate(): void
+    public function testAuthenticate()
    {
-        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', 'foo');
+        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', new UserBadge('foo'));
        $this->setUpAuthenticator();
        $request = new Request([], [], [], [], [], ['CONTENT_TYPE' => 'application/x-www-form-urlencoded'], 'access_token=VALID_ACCESS_TOKEN');
        $request->request->set('access_token', 'VALID_ACCESS_TOKEN');
@@ -66,9 +67,9 @@ public function testAuthenticate(): void
        $this->assertInstanceOf(SelfValidatingPassport::class, $passport);
    }

-    public function testAuthenticateWithCustomParameter(): void
+    public function testAuthenticateWithCustomParameter()
    {
-        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', 'foo');
+        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', new UserBadge('foo'));
        $this->setUpAuthenticator('protection-token');
        $request = new Request([], [], [], [], [], ['CONTENT_TYPE' => 'application/x-www-form-urlencoded']);
        $request->request->set('protection-token', 'VALID_ACCESS_TOKEN');
@@ -81,7 +82,7 @@ public function testAuthenticateWithCustomParameter(): void
    /**
     * @dataProvider provideInvalidAuthenticateData
     */
-    public function testAuthenticateInvalid($request, $errorMessage, $exceptionType = BadRequestHttpException::class): void
+    public function testAuthenticateInvalid($request, $errorMessage, $exceptionType = BadRequestHttpException::class)
    {
        $this->expectException($exceptionType);
        $this->expectExceptionMessage($errorMessage);
@@ -119,9 +120,9 @@ public function provideInvalidAuthenticateData(): iterable
    private function setUpAuthenticator(string $parameter = 'access_token'): void
    {
        $this->authenticator = new AccessTokenAuthenticator(
-            $this->userProvider,
            $this->accessTokenHandler,
-            new FormEncodedBodyExtractor($parameter)
+            new FormEncodedBodyExtractor($parameter),
+            $this->userProvider
        );
    }
 }
@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\AccessToken\HeaderAccessTokenExtractor;
 use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Tests\Authenticator\InMemoryAccessTokenHandler;

@@ -37,7 +38,7 @@ protected function setUp(): void
    /**
     * @dataProvider provideSupportData
     */
-    public function testSupport($request): void
+    public function testSupport($request)
    {
        $this->setUpAuthenticator();

@@ -53,7 +54,7 @@ public function provideSupportData(): iterable
    /**
     * @dataProvider provideSupportsWithCustomTokenTypeData
     */
-    public function testSupportsWithCustomTokenType($request, $result): void
+    public function testSupportsWithCustomTokenType($request, $result)
    {
        $this->setUpAuthenticator('Authorization', 'JWT');

@@ -71,7 +72,7 @@ public function provideSupportsWithCustomTokenTypeData(): iterable
    /**
     * @dataProvider provideSupportsWithCustomHeaderParameter
     */
-    public function testSupportsWithCustomHeaderParameter($request, $result): void
+    public function testSupportsWithCustomHeaderParameter($request, $result)
    {
        $this->setUpAuthenticator('X-FOO');

@@ -86,19 +87,19 @@ public function provideSupportsWithCustomHeaderParameter(): iterable
        yield [new Request([], [], [], [], [], ['HTTP_AUTHORIZATION' => 'Bearer INVALID_ACCESS_TOKEN']), false];
    }

-    public function testAuthenticate(): void
+    public function testAuthenticate()
    {
-        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', 'foo');
+        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', new UserBadge('foo'));
        $this->setUpAuthenticator();

        $request = new Request([], [], [], [], [], ['HTTP_AUTHORIZATION' => 'Bearer VALID_ACCESS_TOKEN']);
        $passport = $this->authenticator->authenticate($request);
        $this->assertInstanceOf(SelfValidatingPassport::class, $passport);
    }

-    public function testAuthenticateWithCustomTokenType(): void
+    public function testAuthenticateWithCustomTokenType()
    {
-        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', 'foo');
+        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', new UserBadge('foo'));
        $this->setUpAuthenticator('Authorization', 'JWT');

        $request = new Request([], [], [], [], [], ['HTTP_AUTHORIZATION' => 'JWT VALID_ACCESS_TOKEN']);
@@ -109,7 +110,7 @@ public function testAuthenticateWithCustomTokenType(): void
    /**
     * @dataProvider provideInvalidAuthenticateData
     */
-    public function testAuthenticateInvalid($request, $errorMessage, $exceptionType = BadRequestHttpException::class): void
+    public function testAuthenticateInvalid($request, $errorMessage, $exceptionType = BadRequestHttpException::class)
    {
        $this->expectException($exceptionType);
        $this->expectExceptionMessage($errorMessage);
@@ -143,9 +144,9 @@ public function provideInvalidAuthenticateData(): iterable
    private function setUpAuthenticator(string $headerParameter = 'Authorization', string $tokenType = 'Bearer'): void
    {
        $this->authenticator = new AccessTokenAuthenticator(
-            $this->userProvider,
            $this->accessTokenHandler,
-            new HeaderAccessTokenExtractor($headerParameter, $tokenType)
+            new HeaderAccessTokenExtractor($headerParameter, $tokenType),
+            $this->userProvider
        );
    }
 }
@@ -19,6 +19,7 @@
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\AccessToken\QueryAccessTokenExtractor;
 use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Tests\Authenticator\InMemoryAccessTokenHandler;

@@ -34,7 +35,7 @@ protected function setUp(): void
        $this->accessTokenHandler = new InMemoryAccessTokenHandler();
    }

-    public function testSupport(): void
+    public function testSupport()
    {
        $this->setUpAuthenticator();
        $request = new Request();
@@ -43,7 +44,7 @@ public function testSupport(): void
        $this->assertNull($this->authenticator->supports($request));
    }

-    public function testSupportsWithCustomParameter(): void
+    public function testSupportsWithCustomParameter()
    {
        $this->setUpAuthenticator('protection-token');
        $request = new Request();
@@ -52,9 +53,9 @@ public function testSupportsWithCustomParameter(): void
        $this->assertNull($this->authenticator->supports($request));
    }

-    public function testAuthenticate(): void
+    public function testAuthenticate()
    {
-        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', 'foo');
+        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', new UserBadge('foo'));
        $this->setUpAuthenticator();
        $request = new Request();
        $request->query->set('access_token', 'VALID_ACCESS_TOKEN');
@@ -63,9 +64,9 @@ public function testAuthenticate(): void
        $this->assertInstanceOf(SelfValidatingPassport::class, $passport);
    }

-    public function testAuthenticateWithCustomParameter(): void
+    public function testAuthenticateWithCustomParameter()
    {
-        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', 'foo');
+        $this->accessTokenHandler->add('VALID_ACCESS_TOKEN', new UserBadge('foo'));
        $this->setUpAuthenticator('protection-token');
        $request = new Request();
        $request->query->set('protection-token', 'VALID_ACCESS_TOKEN');
@@ -77,7 +78,7 @@ public function testAuthenticateWithCustomParameter(): void
    /**
     * @dataProvider provideInvalidAuthenticateData
     */
-    public function testAuthenticateInvalid($request, $errorMessage, $exceptionType = BadRequestHttpException::class): void
+    public function testAuthenticateInvalid($request, $errorMessage, $exceptionType = BadRequestHttpException::class)
    {
        $this->expectException($exceptionType);
        $this->expectExceptionMessage($errorMessage);
@@ -111,9 +112,9 @@ public function provideInvalidAuthenticateData(): iterable
    private function setUpAuthenticator(string $parameter = 'access_token'): void
    {
        $this->authenticator = new AccessTokenAuthenticator(
-            $this->userProvider,
            $this->accessTokenHandler,
-            new QueryAccessTokenExtractor($parameter)
+            new QueryAccessTokenExtractor($parameter),
+            $this->userProvider
        );
    }
 }