[Security] Fix UsageTrackingTokenStorage outside the request cycle

wouterj · fabpot · commit 07de03809155 · 2021-04-13T08:27:14.000+02:00
diff --git a/Authentication/Token/Storage/UsageTrackingTokenStorage.php b/Authentication/Token/Storage/UsageTrackingTokenStorage.php
@@ -39,7 +39,7 @@ public function __construct(TokenStorageInterface $storage, ContainerInterface $
      */
     public function getToken(): ?TokenInterface
     {
-        if ($this->enableUsageTracking) {
+        if ($this->shouldTrackUsage()) {
             // increments the internal session usage index
             $this->getSession()->getMetadataBag();
         }
@@ -54,7 +54,7 @@ public function setToken(TokenInterface $token = null): void
     {
         $this->storage->setToken($token);
 
-        if ($token && $this->enableUsageTracking) {
+        if ($token && $this->shouldTrackUsage()) {
             // increments the internal session usage index
             $this->getSession()->getMetadataBag();
         }
@@ -88,4 +88,24 @@ private function getSession(): SessionInterface
 
         return $this->container->get('request_stack')->getSession();
     }
+
+    private function shouldTrackUsage(): bool
+    {
+        if (!$this->enableUsageTracking) {
+            return false;
+        }
+
+        // BC for symfony/security-bundle < 5.3
+        if ($this->container->has('session')) {
+            return true;
+        }
+
+        if (!$this->container->get('request_stack')->getMainRequest()) {
+            trigger_deprecation('symfony/security-core', '5.3', 'Using "%s" (service ID: "security.token_storage") outside the request-response cycle is deprecated, use the "%s" class (service ID: "security.untracked_token_storage") instead or disable usage tracking using "disableUsageTracking()".', __CLASS__, TokenStorage::class);
+
+            return false;
+        }
+
+        return true;
+    }
 }
diff --git a/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php b/Tests/Authentication/Token/Storage/UsageTrackingTokenStorageTest.php
@@ -13,31 +13,37 @@
 
 use PHPUnit\Framework\TestCase;
 use Psr\Container\ContainerInterface;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\UsageTrackingTokenStorage;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Contracts\Service\ServiceLocatorTrait;
 
 class UsageTrackingTokenStorageTest extends TestCase
 {
+    use ExpectDeprecationTrait;
+
     public function testGetSetToken()
     {
         $sessionAccess = 0;
         $sessionLocator = new class(['request_stack' => function () use (&$sessionAccess) {
-            ++$sessionAccess;
-
             $session = $this->createMock(SessionInterface::class);
-            $session->expects($this->once())
-                    ->method('getMetadataBag');
 
             $request = new Request();
             $request->setSession($session);
-            $requestStack = new RequestStack();
+            $requestStack = $this->getMockBuilder(RequestStack::class)->setMethods(['getSession'])->getMock();
             $requestStack->push($request);
+            $requestStack->expects($this->any())->method('getSession')->willReturnCallback(function () use ($session, &$sessionAccess) {
+                ++$sessionAccess;
+
+                $session->expects($this->once())
+                        ->method('getMetadataBag');
+
+                return $session;
+            });
 
             return $requestStack;
         }]) implements ContainerInterface {
@@ -62,4 +68,22 @@ public function testGetSetToken()
         $this->assertSame($token, $trackingStorage->getToken());
         $this->assertSame(1, $sessionAccess);
     }
+
+    /**
+     * @group legacy
+     */
+    public function testWithoutMainRequest()
+    {
+        $locator = new class(['request_stack' => function () {
+            return new RequestStack();
+        }]) implements ContainerInterface {
+            use ServiceLocatorTrait;
+        };
+        $tokenStorage = new TokenStorage();
+        $trackingStorage = new UsageTrackingTokenStorage($tokenStorage, $locator);
+        $trackingStorage->enableUsageTracking();
+
+        $this->expectDeprecation('Since symfony/security-core 5.3: Using "%s" (service ID: "security.token_storage") outside the request-response cycle is deprecated, use the "%s" class (service ID: "security.untracked_token_storage") instead or disable usage tracking using "disableUsageTracking()".');
+        $trackingStorage->getToken();
+    }
 }
