[Security] [LoginLink] Throw InvalidLoginLinkException on missing parameter #48292

Merged
merged 1 commit into from
Nov 30, 2022


MatTheCat
Contributor

| Q | A |
| --- | --- |
| Branch? | 5.4 |
| Bug fix? | yes |
| New feature? | no |
| Deprecations? | no |
| Tickets | Fix #48291 |
| License | MIT |
| Doc PR | N/A |

@carsonbot carsonbot added this to the 5.4 milestone Nov 23, 2022
@carsonbot carsonbot changed the title [Security][LoginLink] Throw InvalidLoginLinkException on missing parameter [Security] [LoginLink] Throw InvalidLoginLinkException on missing parameter Nov 23, 2022
throw new InvalidLoginLinkException('Missing "hash" parameter.');
}
if (!$expires = $request->get('expires')) {
throw new InvalidLoginLinkException('Missing "expires" parameter.');
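Review bot: the `!$expires = $request->get('expires')` check only rejects an absent or falsy value, so a non-string value (for example an array sent as `expires[]=1`) is truthy and gets past it. Consider also rejecting anything that is not a string with the same InvalidLoginLinkException, so malformed links take the same failure path as missing ones. Separately, `Request::get()` looks the name up in route attributes, then the query string, then the request body; if these values are only ever expected in the query string, `$request->query->get('expires')` would make the source explicit.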
Member

Other authenticators throw a BadRequestHttpException in such cases, I would do the same here. See e.g.

throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['password_path']));

Contributor Author

Hmm LoginLinkHandlerInterface::consumeLoginLink is supposed to throw InvalidLoginLinkException:

* Throw InvalidLoginLinkExceptionInterface if the link is invalid.
*/
public function consumeLoginLink(Request $request): UserInterface;

The LoginLinkAuthenticator then converts it to InvalidLoginLinkAuthenticationException which triggers its onAuthenticationFailure method to be called.

Are you sure we should bypass this behavior?

Member

Thinking twice about it, I think it's safer to go with your approach.
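
An added example, not Symfony's code and not part of the thread, of the exception flow discussed above: a link exception is converted and reaches the failure handler, while any other exception type bypasses it. The classes and functions are simplified stand-ins that only borrow the names used in the discussion, and the request values are constructed.

```php
<?php
// Simplified stand-ins (assumptions), not Symfony's classes: they only model
// the exception flow described in the thread.
class InvalidLoginLinkException extends \RuntimeException {}
class AuthenticationException extends \RuntimeException {}
class BadRequestException extends \RuntimeException {}

// Stand-in for the link handler: rejects a link with a missing parameter,
// using either the link exception or a generic bad-request exception.
function consumeLoginLink(array $query, bool $useLinkException): string
{
    foreach (['hash', 'expires'] as $name) {
        if (empty($query[$name])) {
            $message = sprintf('Missing "%s" parameter.', $name);
            throw $useLinkException
                ? new InvalidLoginLinkException($message)
                : new BadRequestException($message);
        }
    }
    return 'constructed-user';
}

// Stand-in for the failure hook the authenticator is expected to reach.
function onAuthenticationFailure(AuthenticationException $e): string
{
    return 'failure handler: ' . $e->getMessage();
}

// Stand-in for the authenticator: only the link exception is converted into
// an authentication failure; any other exception propagates to the caller.
function authenticate(array $query, bool $useLinkException): string
{
    try {
        return 'authenticated: ' . consumeLoginLink($query, $useLinkException);
    } catch (InvalidLoginLinkException $e) {
        return onAuthenticationFailure(new AuthenticationException('Invalid login link.', 0, $e));
    }
}

// Constructed sample requests.
$complete = ['hash' => 'abc', 'expires' => '1700000000'];
$missing = ['hash' => 'abc'];
echo authenticate($complete, true), PHP_EOL;
echo authenticate($missing, true), PHP_EOL;
try {
    echo authenticate($missing, false), PHP_EOL;
} catch (BadRequestException $e) {
    echo 'bypassed failure handler: ', $e->getMessage(), PHP_EOL;
}
```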

@chalasr
Member

chalasr commented Nov 30, 2022

Thank you @MatTheCat.
