bug symfony#27297 Triggering RememberMe's loginFail() when token cannot be created (weaverryan)

fabpot · fabpot · commit 148e7eff5001 · 2018-05-27T09:16:38.000+02:00
This PR was submitted for the 2.7 branch but it was merged into the 2.8 branch instead (closes symfony#27297). Discussion ---------- Triggering RememberMe's loginFail() when token cannot be created | Q | A | ------------- | --- | Branch? | 2.7 | Bug fix? | yes | New feature? | no | BC breaks? | no (but minor behavior change) | Deprecations? | no-> | Tests pass? | yes | Fixed tickets | n/a | License | MIT | Doc PR | not needed This is an edge-case bug fix. If, for example, someone tampers with the remember me cookie, and so it is invalid, this causes the `->autoLogin()` call to throw an `AuthenticationException`. But, this did not call the `loginFail()` method. Honestly, I'm not sure if the old or new behavior is correct. But, we should discuss and merge or close. Commits ------- e3412e6 Triggering RememberMe's loginFail() when token cannot be created
diff --git a/src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php b/src/Symfony/Component/Security/Http/Firewall/RememberMeListener.php
@@ -68,7 +68,25 @@ public function handle(GetResponseEvent $event)
         }
 
         $request = $event->getRequest();
-        if (null === $token = $this->rememberMeServices->autoLogin($request)) {
+        try {
+            if (null === $token = $this->rememberMeServices->autoLogin($request)) {
+                return;
+            }
+        } catch (AuthenticationException $e) {
+            if (null !== $this->logger) {
+                $this->logger->warning(
+                    'The token storage was not populated with remember-me token as the'
+                   .' RememberMeServices was not able to create a token from the remember'
+                   .' me information.', array('exception' => $e)
+                );
+            }
+
+            $this->rememberMeServices->loginFail($request);
+
+            if (!$this->catchExceptions) {
+                throw $e;
+            }
+
             return;
         }
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/RememberMeListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/RememberMeListenerTest.php
@@ -143,6 +143,43 @@ public function testOnCoreSecurityIgnoresAuthenticationOptionallyRethrowsExcepti
         $listener->handle($event);
     }
 
+    public function testOnCoreSecurityAuthenticationExceptionDuringAutoLoginTriggersLoginFail()
+    {
+        list($listener, $tokenStorage, $service, $manager) = $this->getListener();
+
+        $tokenStorage
+            ->expects($this->once())
+            ->method('getToken')
+            ->will($this->returnValue(null))
+        ;
+
+        $exception = new AuthenticationException('Authentication failed.');
+        $service
+            ->expects($this->once())
+            ->method('autoLogin')
+            ->will($this->throwException($exception))
+        ;
+
+        $service
+            ->expects($this->once())
+            ->method('loginFail')
+        ;
+
+        $manager
+            ->expects($this->never())
+            ->method('authenticate')
+        ;
+
+        $event = $this->getGetResponseEvent();
+        $event
+            ->expects($this->once())
+            ->method('getRequest')
+            ->will($this->returnValue(new Request()))
+        ;
+
+        $listener->handle($event);
+    }
+
     public function testOnCoreSecurity()
     {
         list($listener, $tokenStorage, $service, $manager) = $this->getListener();
