symfony
diff --git a/‎src/Symfony/Bridge/Doctrine/LoginLink/EntityLoginLinkUserHandler.php‎
Lines changed: 0 additions & 42 deletions b/‎src/Symfony/Bridge/Doctrine/LoginLink/EntityLoginLinkUserHandler.php‎
Lines changed: 0 additions & 42 deletions
diff --git a/‎src/Symfony/Bridge/Doctrine/Tests/LoginLink/EntityLoginLinkUserHandlerTest.php‎
Lines changed: 0 additions & 68 deletions b/‎src/Symfony/Bridge/Doctrine/Tests/LoginLink/EntityLoginLinkUserHandlerTest.php‎
Lines changed: 0 additions & 68 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginLinkFactory.php‎
Lines changed: 9 additions & 33 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginLinkFactory.php‎
Lines changed: 9 additions & 33 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_login_link.php‎
Lines changed: 2 additions & 2 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_login_link.php‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/LoginLinkAuthenticationTest.php‎
Lines changed: 3 additions & 4 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/LoginLinkAuthenticationTest.php‎
Lines changed: 3 additions & 4 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/LoginLink/config.yml‎
Lines changed: 3 additions & 3 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/LoginLink/config.yml‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/LoginLinkAuthenticator.php‎
Lines changed: 4 additions & 4 deletions b/‎src/Symfony/Component/Security/Http/Authenticator/LoginLinkAuthenticator.php‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎src/Symfony/Component/Security/Http/LoginLink/LoginLinkDetails.php‎
Lines changed: 1 addition & 1 deletion b/‎src/Symfony/Component/Security/Http/LoginLink/LoginLinkDetails.php‎
Lines changed: 1 addition & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/LoginLink/LoginLinkHandler.php‎
Lines changed: 27 additions & 47 deletions b/‎src/Symfony/Component/Security/Http/LoginLink/LoginLinkHandler.php‎
Lines changed: 27 additions & 47 deletions
@@ -38,15 +38,11 @@ public function addConfiguration(NodeDefinition $node)
                 ->isRequired()
                 ->info('Route that will validate the login link - e.g. app_login_link_verify')
             ->end()
-            ->scalarNode('user_email_property')
-                ->isRequired()
-                ->info('The property path on the User object where the email address is stored.')
-            ->end()
-            ->scalarNode('user_entity_class')
-                ->info('If your user class is a Doctrine entity, set to the full class name - e.g. App\\Entity\\User.')
-            ->end()
-            ->scalarNode('user_handler_service')
-                ->info(sprintf('If your User is not a Doctrine entity, a service that implements "%s".', LoginLinkUserHandlerInterface::class))
+            ->arrayNode('signature_properties')
+                ->prototype('scalar')->end()
+                ->requiresAtLeastOneElement()
+                ->info('An array of properties on your User that are used to sign the link. If any of these change, all existing links will become invalid')
+                ->example(['email', 'password'])
             ->end()
             ->integerNode('lifetime')
                 ->defaultValue(600)
@@ -65,18 +61,8 @@ public function addConfiguration(NodeDefinition $node)
             ->scalarNode('failure_handler')
                 ->info(sprintf('A service id that implements %s', AuthenticationFailureHandlerInterface::class))
             ->end()
-        ;
-
-        // get the parent array node builder ("firewalls") from inside the children builder
-        $factoryRootNode = $builder->end();
-        $factoryRootNode
-            ->validate()
-                ->ifTrue(function ($v) { return !isset($v['user_entity_class']) && !isset($v['user_handler_service']); })
-                ->thenInvalid('Either the "user_entity_class" or "user_handler_service" option must be configured.')
-            ->end()
-            ->validate()
-                ->ifTrue(function ($v) { return isset($v['user_entity_class']) && isset($v['user_handler_service']); })
-                ->thenInvalid('Either the "user_entity_class" or "user_handler_service" option must be configured, but not both.')
+            ->scalarNode('provider')
+                ->info('the user provider to load users from.')
             ->end()
         ;
 
@@ -105,16 +91,6 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
             $loader->load('security_authenticator_login_link.php');
         }
 
-        if (isset($config['user_entity_class'])) {
-            $userHandlerId = 'security.authenticator.entity_login_link_user_handler_'.$firewallName;
-            $container
-                ->setDefinition($userHandlerId, new ChildDefinition('security.authenticator.entity_login_link_user_handler'))
-                ->replaceArgument(1, $config['user_entity_class'])
-            ;
-        } else {
-            $userHandlerId = $config['user_handler_service'];
-        }
-
         if (null !== $config['max_uses'] && !isset($config['used_link_cache'])) {
             $config['used_link_cache'] = 'cache.app';
         }
@@ -135,8 +111,8 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         ];
         $container
             ->setDefinition($linkerId, new ChildDefinition('security.authenticator.abstract_login_link_handler'))
-            ->replaceArgument(1, new Reference($userHandlerId))
-            ->replaceArgument(3, $config['user_email_property'])
+            ->replaceArgument(1, new Reference($userProviderId))
+            ->replaceArgument(3, $config['signature_properties'])
             ->replaceArgument(5, $linkerOptions)
             ->replaceArgument(6, $expiredStorageId ? new Reference($expiredStorageId) : null)
             ->addTag('security.authenticator.login_linker', ['firewall' => $firewallName])
 
@@ -34,9 +34,9 @@
             ->abstract()
             ->args([
                 service('router'),
-                abstract_arg('user handler'),
+                abstract_arg('user provider'),
                 service('property_accessor'),
-                abstract_arg('email_property'),
+                abstract_arg('signature properties'),
                 '%kernel.secret%',
                 abstract_arg('options'),
                 abstract_arg('expired login link storage'),
 
@@ -36,17 +36,16 @@ public function testLoginLinkSuccess()
 
         /** @var LoginLinkHandlerInterface $loginLinkHandler */
         $loginLinkHandler = self::$container->get(LoginLinkHandlerInterface::class);
-        $user = new User('major_tom@example.com', 'passwordz');
+        $user = new User('weaverryan', 'foo');
         $loginLink = $loginLinkHandler->createLoginLink($user);
-        $this->assertStringContainsString('id=10', $loginLink);
-        $this->assertStringContainsString('email=', $loginLink);
+        $this->assertStringContainsString('user=weaverryan', $loginLink);
         $this->assertStringContainsString('hash=', $loginLink);
         $this->assertStringContainsString('expires=', $loginLink);
         $client->request('GET', $loginLink->getUrl());
         $response = $client->getResponse();
 
         $this->assertSame(200, $response->getStatusCode());
-        $this->assertSame(['message' => 'Welcome major_tom@example.com!'], json_decode($response->getContent(), true));
+        $this->assertSame(['message' => 'Welcome weaverryan!'], json_decode($response->getContent(), true));
 
         $client->request('GET', $loginLink->getUrl());
         $response = $client->getResponse();
 
@@ -7,16 +7,16 @@ security:
     providers:
         in_memory:
             memory:
-                users: []
+                users:
+                    weaverryan: { password: foo, roles: [ROLE_USER] }
 
     firewalls:
         main:
             pattern: ^/
             login_link:
                 check_route:    login_link_check
-                user_email_property: 'username'
+                signature_properties: ['password']
                 max_uses: 2
-                user_handler_service: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\LoginLink\TestLoginLinkUserHandler
                 success_handler: Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\LoginLink\TestCustomLoginLinkSuccessHandler
 
 services:
 
@@ -52,14 +52,14 @@ public function supports(Request $request): ?bool
 
     public function authenticate(Request $request): PassportInterface
     {
-        $id = $request->get('id');
+        $username = $request->get('user');
 
-        if (!$id) {
-            throw new InvalidLoginLinkAuthenticationException('Missing user id from link.');
+        if (!$username) {
+            throw new InvalidLoginLinkAuthenticationException('Missing user from link.');
         }
 
         return new SelfValidatingPassport(
-            new UserBadge($id, function () use ($request) {
+            new UserBadge($username, function () use ($request) {
                 try {
                     $user = $this->loginLinkHandler
                         ->consumeLoginLink($request);
 
@@ -14,7 +14,7 @@
 /**
  * @author Ryan Weaver <ryan@symfonycasts.com>
  */
-final class LoginLinkDetails
+class LoginLinkDetails
 {
     private $url;
     private $expiresAt;
 
@@ -12,10 +12,11 @@
 namespace Symfony\Component\Security\Http\LoginLink;
 
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpKernel\UriSigner;
 use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
 use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\LoginLink\Exception\ExpiredLoginLinkException;
 use Symfony\Component\Security\Http\LoginLink\Exception\InvalidLoginLinkException;
 
@@ -25,20 +26,19 @@
 final class LoginLinkHandler implements LoginLinkHandlerInterface
 {
     private $urlGenerator;
-    private $userHandler;
+    private $userProvider;
     private $propertyAccessor;
-    private $emailProperty;
+    private $signatureProperties;
     private $secret;
     private $options;
     private $expiredStorage;
-    private $uriSigner;
 
-    public function __construct(UrlGeneratorInterface $urlGenerator, LoginLinkUserHandlerInterface $userHandler, PropertyAccessorInterface $propertyAccessor, string $emailProperty, string $secret, array $options, ?ExpiredLoginLinkStorage $expiredStorage)
+    public function __construct(UrlGeneratorInterface $urlGenerator, UserProviderInterface $userProvider, PropertyAccessorInterface $propertyAccessor, array $signatureProperties, string $secret, array $options, ?ExpiredLoginLinkStorage $expiredStorage)
     {
         $this->urlGenerator = $urlGenerator;
-        $this->userHandler = $userHandler;
+        $this->userProvider = $userProvider;
         $this->propertyAccessor = $propertyAccessor;
-        $this->emailProperty = $emailProperty;
+        $this->signatureProperties = $signatureProperties;
         $this->secret = $secret;
         $this->options = array_merge([
             'route_name' => null,
@@ -52,10 +52,11 @@ public function createLoginLink(UserInterface $user): LoginLinkDetails
     {
         $expiresAt = new \DateTimeImmutable(sprintf('+%d seconds', $this->options['lifetime']));
 
+        $expires = $expiresAt->format('U');
         $parameters = [
-            'id' => $this->userHandler->getUserIdentifier($user),
-            'email' => $this->extractEmailAndHash($user),
-            'expires' => $expiresAt->format('U'),
+            'user' => $user->getUsername(),
+            'expires' => $expires,
+            'hash' => $this->computeSignatureHash($user, $expires),
         ];
 
         $url = $this->urlGenerator->generate(
@@ -64,30 +65,25 @@ public function createLoginLink(UserInterface $user): LoginLinkDetails
             UrlGeneratorInterface::ABSOLUTE_URL
         );
 
-        $signedUrl = $this->getUriSigner()->sign($url);
-
-        return new LoginLinkDetails($signedUrl, $expiresAt);
+        return new LoginLinkDetails($url, $expiresAt);
     }
 
     public function consumeLoginLink(Request $request): UserInterface
     {
-        if (!$this->getUriSigner()->checkRequest($request)) {
-            throw new InvalidLoginLinkException('Invalid signature.');
-        }
+        $username = $request->get('user');
 
-        $id = $request->get('id');
-        $user = $this->userHandler->loadUserByIdentifier($id);
-
-        if (!$user) {
-            throw new InvalidLoginLinkException('User not found.');
+        try {
+            $user = $this->userProvider->loadUserByUsername($username);
+        } catch (UsernameNotFoundException $exception) {
+            throw new InvalidLoginLinkException('User not found.', 0, $exception);
         }
 
-        $hashedEmail = $request->get('email');
-        if (false === hash_equals($hashedEmail, $this->extractEmailAndHash($user))) {
-            throw new InvalidLoginLinkException('Login link is for the wrong email.');
+        $hash = $request->get('hash');
+        $expires = $request->get('expires');
+        if (false === hash_equals($hash, $this->computeSignatureHash($user, $expires))) {
+            throw new InvalidLoginLinkException('User has changed since link was sent.');
         }
 
-        $expires = $request->get('expires');
         if ($expires < time()) {
             throw new ExpiredLoginLinkException('Login link has expired.');
         }
@@ -104,31 +100,15 @@ public function consumeLoginLink(Request $request): UserInterface
         return $user;
     }
 
-    private function extractEmailAndHash(UserInterface $user): string
+    private function computeSignatureHash(UserInterface $user, int $expires): string
     {
-        $email = $this->propertyAccessor->getValue($user, $this->emailProperty);
+        $signatureFields = [base64_encode($user->getUsername()), $expires];
 
-        if (!$email) {
-            throw new \LogicException('The email cannot be blank.');
+        foreach ($this->signatureProperties as $property) {
+            $value = $this->propertyAccessor->getValue($user, $property);
+            $signatureFields[] = base64_encode($value);
         }
 
-        return hash_hmac('sha256', $email, $this->secret);
-    }
-
-    private function getUriSigner(): UriSigner
-    {
-        if (null === $this->uriSigner) {
-            $this->uriSigner = new UriSigner($this->secret, 'hash');
-        }
-
-        return $this->uriSigner;
-    }
-
-    /**
-     * @internal
-     */
-    public function setUriSigner(UriSigner $uriSigner)
-    {
-        $this->uriSigner = $uriSigner;
+        return base64_encode(hash_hmac('sha256', implode(':', $signatureFields), $this->secret));
     }
 }
Original file line number	Diff line number	Diff line change
`@@ -14,7 +14,7 @@`
`14`	`14`	`/**`
`15`	`15`	`* @author Ryan Weaver <ryan@symfonycasts.com>`
`16`	`16`	`*/`
`17`		`-final class LoginLinkDetails`
	`17`	`+class LoginLinkDetails`
`18`	`18`	`{`
`19`	`19`	`private $url;`
`20`	`20`	`private $expiresAt;`