Triggering RememberMe's loginFail() when token cannot be created #27297
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
weaverryan
commented
May 17, 2018
| } | ||
|
|
||
| return; | ||
| } |
Member
Author
There was a problem hiding this comment.
Look at the rest of this method for full context. The new code basically tries to treat a failure from autoLogin just like the failure below. I only didn't move the call into the try-catch, so that we could have slightly different log messages.
fabpot
approved these changes
May 18, 2018
Contributor
|
As a remember me doesn't have an actual authentication attempt, but only refreshes, I think it's safe to assume that all behavior should be consistent for a refresh. If that means that in this scenario the loginfail was not triggered, it probably should be. |
chalasr
approved these changes
May 27, 2018
Member
|
merging into 2.8 as 2.7 is not maintained anymore. |
fabpot
force-pushed
the
remember_me_login_fail
branch
from
924e381 to
e3412e6
Compare
Member
|
Thank you @weaverryan. |
fabpot
added a commit
that referenced
this pull request
May 27, 2018
…reated (weaverryan) This PR was submitted for the 2.7 branch but it was merged into the 2.8 branch instead (closes #27297). Discussion ---------- Triggering RememberMe's loginFail() when token cannot be created | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no (but minor behavior change) | Deprecations? | no-> | Tests pass? | yes | Fixed tickets | n/a | License | MIT | Doc PR | not needed This is an edge-case bug fix. If, for example, someone tampers with the remember me cookie, and so it is invalid, this causes the `->autoLogin()` call to throw an `AuthenticationException`. But, this did not call the `loginFail()` method. Honestly, I'm not sure if the old or new behavior is correct. But, we should discuss and merge or close. Commits ------- e3412e6 Triggering RememberMe's loginFail() when token cannot be created
This was referenced Jun 25, 2018
Merged
Merged
Merged
Merged
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is an edge-case bug fix. If, for example, someone tampers with the remember me cookie, and so it is invalid, this causes the
->autoLogin()call to throw anAuthenticationException. But, this did not call theloginFail()method.Honestly, I'm not sure if the old or new behavior is correct. But, we should discuss and merge or close.