Skip to content

Navigation Menu

Sign in

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

[Security] Avoid refreshing user when TokenInterface::getUser() returns null #59560

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[Security] Avoid refreshing user when TokenInterface::getUser() returns null #59560

wants to merge 1 commit into from

Conversation

alexandre-daubois
Copy link
Member

Q A
Branch? 6.4
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix #59559
License MIT

@carsonbot carsonbot added this to the 6.4 milestone Jan 20, 2025
@MatTheCat
Copy link
Contributor

I don’t think this makes sense since only authenticated tokens (aka tokens with a user) are serialized into the session, meaning refreshUser should always retrieve a user from the token.

@alexandre-daubois
Copy link
Member Author

I think this should be covered, the added test shows that the code can fail with a token without a user. Also the issue author gives a reproducer. I suggest adding this check, so even in the case of an unlikely event of this happening, the component code doesn't crash.

@chalasr
Copy link
Member

chalasr commented Jan 20, 2025

A token is always considered authenticated and as such should hold a user IMHO. So we may rather want to enforce this e.g. by throwing an exception in case of null user. Pinging @wouterj and @Spomky for thoughts

@nicolas-grekas
Copy link
Member

/cc @jorrit WDYT?

@jorrit
Copy link
Contributor

jorrit commented Jan 21, 2025

I thought I was replying on the proposed code change.

Anyway, returning null is best for me as the code is not part of a path that I control. Otherwise, an exception handler in the stack until refreshUser needs to be added or used for this purpose.

This is the stack trace until ContextListener.refreshUser(). In Symfony 6.4, there seem to be no appropriate exception handlers in this stack.

image

If returning null is not acceptable, I could just try to return a user with a different identifier to get the behavior I want. I just need a way to deauthenticate a user automatically when its underlying token expires.

@chalasr
Copy link
Member

chalasr commented Jan 21, 2025

Listening on CheckPassportEvent to throw a BadCredentialsException when $event->getPassport->getAttribute(OidcToken::AUTH_DATA_ATTR) is expired should do the job.

@MatTheCat
Copy link
Contributor

Couldn’t this be implemented using the underlying library token constraints? https://github.com/Drenso/symfony-oidc?tab=readme-ov-file#additional-token-claim-validation

@chalasr
Copy link
Member

chalasr commented Jan 21, 2025

Looks like there are many alternatives to achieve what's needed. Considering this and PostAuthenticationToken expecting a User instance as constructor argument, I'd say there's nothing to do.

@chalasr chalasr closed this Jan 21, 2025
@chalasr chalasr mentioned this pull request Jan 21, 2025
Closed
@MatTheCat
Copy link
Contributor

MatTheCat commented Jan 22, 2025
edited
Loading

An exception could still be appropriate to inform the developer they made something unexpected?
Like an UnexpectedValueException

The "getUser" method of a token stored in session must not return "null".

?

@alexandre-daubois
Copy link
Member Author

Looks like there are many alternatives to achieve what's needed

Should a defensive mechanism still be added? In the current state, the underlying code and logic can fail and lead to an unmanaged PHP error

@xabbuh
Copy link
Member

xabbuh commented Jan 22, 2025

I agree that this would be better than running into a PHP error.

@chalasr
Copy link
Member

chalasr commented Jan 22, 2025

Fair, PR welcome 👍

@alexandre-daubois
Copy link
Member Author

Nice, I'll take care of it 🙂

@alexandre-daubois alexandre-daubois mentioned this pull request Jan 23, 2025
Merged
nicolas-grekas added a commit that referenced this pull request Jan 28, 2025
@nicolas-grekas
bug #59590 [Security] Throw an explicit error when refreshing a token…
4d4859a 
… with a null user (alexandre-daubois)

This PR was merged into the 6.4 branch.

Discussion
----------

[Security] Throw an explicit error when refreshing a token with a null user

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Issues        | Fix #59559
| License       | MIT

Follwing #59560 (comment), to prevent the code to simply fail and return an explicit message to the user.

Commits
-------

cd427c3 [Security] Throw an explicit error when authenticating a token with a null user
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
6.4
Development

Successfully merging this pull request may close these issues.
7 participants
@alexandre-daubois @MatTheCat @chalasr @nicolas-grekas @jorrit @xabbuh @carsonbot
Morty Proxy This is a proxified and sanitized view of the page, visit original site.