Skip to content

[Security] Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator #41993

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fabpot merged 1 commit into from
Oct 29, 2021
Merged

[Security] Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator #41993

fabpot merged 1 commit into from
Oct 29, 2021

Conversation

@abunch
Copy link
Contributor

@abunch abunch commented Jul 5, 2021
edited by wouterj
Loading

Q A
Branch? 5.4
Bug fix? No
New feature? No
Deprecations? No
Tickets Fix #41959
License MIT
Doc PR symfony/symfony-docs#...

Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator

@abunch abunch requested review from chalasr and wouterj as code owners July 5, 2021 14:15
@carsonbot
Copy link

carsonbot commented Jul 5, 2021

Hey!

I see that this is your first PR. That is great! Welcome!

Symfony has a contribution guide which I suggest you to read.

In short:

  • Always add tests
  • Keep backward compatibility (see https://symfony.com/bc).
  • Bug fixes must be submitted against the lowest maintained branch where they apply (see https://symfony.com/releases)
  • Features and deprecations must be submitted against the 5.4 branch.

Review the GitHub status checks of your pull request and try to solve the reported issues. If some tests are failing, try to see if they are failing because of this change.

When two Symfony core team members approve this change, it will be merged and you will become an official Symfony contributor!
If this PR is merged in a lower version branch, it will be merged up to all maintained branches within a few days.

I am going to sit back now and wait for the reviews.

Cheers!

Carsonbot

@abunch abunch mentioned this pull request Jul 5, 2021
Merged
wouterj
wouterj requested changes Jul 6, 2021
View reviewed changes
Copy link
Member

@wouterj wouterj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi! Thanks for starting the PR!

I think we should change the implementation a bit. Relying on "not JSON" means this authenticator is suddenly aware of other authenticators in the system and, more importantly, it will fail as soon as someone adds an XmlLoginAuthenticator. I also think this is a BC break: Some people use form_login in API requests (i.e. not form submissions), see for instance lexik/LexikJWTAuthenticationBundle#123 and api-platform/core#563

What do you think about changing this PR to add a new option form_only, defaulting to false, in FormLoginFactory and then doing $this->options['form_only'] && 'application/x-www-form-urlencoded' === $request->getContentType()?

Less important: please remove the CHANGELOG.md file you've added. The one in the root is automatically generated by the release tool (based on the PR title). If you don't add any class or option, you don't need to edit any CHANGELOG manually. If you implement my suggestion above, you should add a "Add form_login.form_only option" to the changelog in the SecurityBundle directory. Thanks!

@carsonbot carsonbot changed the title #41959 - Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator [Security] #41959 - Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator Jul 6, 2021
@wouterj wouterj added this to the 5.4 milestone Jul 6, 2021
@wouterj wouterj changed the title [Security] #41959 - Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator [Security] Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator Jul 6, 2021
@abunch
Copy link
Contributor Author

abunch commented Jul 6, 2021

What do you think about changing this PR

I think your suggestions make much more sense. 👍

Changes implemented.

chalasr
chalasr requested changes Jul 6, 2021
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please add a test for this.

@abunch
Copy link
Contributor Author

abunch commented Jul 6, 2021

Please add a test for this.

Ugh..I'm not very strong at writing tests but I'll give it a go this evening once I'm off for the day.

How Do You Get To Carnegie Hall? Practice, practice, practice.

@wouterj
Copy link
Member

wouterj commented Jul 6, 2021
edited
Loading

If you have an account in the Symfony Slack, feel free to hop in #contribs and ask for help writing a test for this. I and other contributors will probably be around this evening or any time to offer some help :)

@OskarStark OskarStark changed the title [Security] Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator [Security] Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator Aug 1, 2021
@chalasr
Copy link
Member

chalasr commented Sep 16, 2021

friendly ping @abunch :) Do you want us to add a test for you?

@chalasr chalasr closed this Sep 16, 2021
@chalasr chalasr reopened this Sep 16, 2021
@fabpot
Copy link
Member

fabpot commented Oct 27, 2021

@chalasr Do you want to take over this one?

@chalasr
Copy link
Member

chalasr commented Oct 27, 2021

@fabpot done

@fabpot
Copy link
Member

fabpot commented Oct 29, 2021

Thank you @abunch.

@fabpot fabpot mentioned this pull request Oct 29, 2021
Closed
@fabpot fabpot merged commit c04478e into symfony:5.4 Oct 29, 2021
This was referenced Nov 5, 2021
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wouterj wouterj wouterj requested changes

@fabpot fabpot fabpot approved these changes

@chalasr chalasr chalasr approved these changes

Assignees

No one assigned

Labels

Feature Ready Security Status: Reviewed

Projects

None yet

Milestone

5.4

Development

Successfully merging this pull request may close these issues.

Is there a way to get FormLoginAuthenticator to not respond to json_login requests when using the same login route?

5 participants

@abunch @carsonbot @wouterj @chalasr @fabpot