[Security] Migrate the session on login only when the user changes

nicolas-grekas · wouterj · commit 0570380d0864 · 2023-02-26T13:08:44.000+01:00
diff --git a/Authentication/AuthenticatorManager.php b/Authentication/AuthenticatorManager.php
@@ -84,7 +84,7 @@ public function authenticateUser(UserInterface $user, AuthenticatorInterface $au
         $token = $this->eventDispatcher->dispatch(new AuthenticationTokenCreatedEvent($token, $passport))->getAuthenticatedToken();
 
         // authenticate this in the system
-        return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator);
+        return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator, $this->tokenStorage->getToken());
     }
 
     public function supports(Request $request): ?bool
@@ -174,6 +174,7 @@ private function executeAuthenticators(array $authenticators, Request $request):
     private function executeAuthenticator(AuthenticatorInterface $authenticator, Request $request): ?Response
     {
         $passport = null;
+        $previousToken = $this->tokenStorage->getToken();
 
         try {
             // get the passport from the Authenticator
@@ -224,7 +225,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
         }
 
         // success! (sets the token on the token storage, etc)
-        $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator);
+        $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator, $previousToken);
         if ($response instanceof Response) {
             return $response;
         }
@@ -236,7 +237,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
         return null;
     }
 
-    private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator): ?Response
+    private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator, ?TokenInterface $previousToken): ?Response
     {
         // @deprecated since Symfony 5.3
         $user = $authenticatedToken->getUser();
@@ -252,7 +253,7 @@ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken,
             $this->eventDispatcher->dispatch($loginEvent, SecurityEvents::INTERACTIVE_LOGIN);
         }
 
-        $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName));
+        $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName, $previousToken));
 
         return $loginSuccessEvent->getResponse();
     }
diff --git a/Event/LoginSuccessEvent.php b/Event/LoginSuccessEvent.php
@@ -37,14 +37,15 @@ class LoginSuccessEvent extends Event
     private $authenticator;
     private $passport;
     private $authenticatedToken;
+    private $previousToken;
     private $request;
     private $response;
     private $firewallName;
 
     /**
      * @param Passport $passport
      */
-    public function __construct(AuthenticatorInterface $authenticator, PassportInterface $passport, TokenInterface $authenticatedToken, Request $request, ?Response $response, string $firewallName)
+    public function __construct(AuthenticatorInterface $authenticator, PassportInterface $passport, TokenInterface $authenticatedToken, Request $request, ?Response $response, string $firewallName, TokenInterface $previousToken = null)
     {
         if (!$passport instanceof Passport) {
             trigger_deprecation('symfony/security-http', '5.4', 'Not passing an instance of "%s" as "$passport" argument of "%s()" is deprecated, "%s" given.', Passport::class, __METHOD__, get_debug_type($passport));
@@ -53,6 +54,7 @@ public function __construct(AuthenticatorInterface $authenticator, PassportInter
         $this->authenticator = $authenticator;
         $this->passport = $passport;
         $this->authenticatedToken = $authenticatedToken;
+        $this->previousToken = $previousToken;
         $this->request = $request;
         $this->response = $response;
         $this->firewallName = $firewallName;
@@ -83,6 +85,11 @@ public function getAuthenticatedToken(): TokenInterface
         return $this->authenticatedToken;
     }
 
+    public function getPreviousToken(): ?TokenInterface
+    {
+        return $this->previousToken;
+    }
+
     public function getRequest(): Request
     {
         return $this->request;
diff --git a/EventListener/SessionStrategyListener.php b/EventListener/SessionStrategyListener.php
@@ -43,6 +43,16 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void
             return;
         }
 
+        if ($previousToken = $event->getPreviousToken()) {
+            // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionAuthenticationStrategy->onAuthentication($request, $token);
     }
 
diff --git a/Firewall/AbstractAuthenticationListener.php b/Firewall/AbstractAuthenticationListener.php
@@ -133,12 +133,14 @@ public function authenticate(RequestEvent $event)
                 throw new SessionUnavailableException('Your session has timed out, or you have disabled cookies.');
             }
 
+            $previousToken = $this->tokenStorage->getToken();
+
             if (null === $returnValue = $this->attemptAuthentication($request)) {
                 return;
             }
 
             if ($returnValue instanceof TokenInterface) {
-                $this->sessionStrategy->onAuthentication($request, $returnValue);
+                $this->migrateSession($request, $returnValue, $previousToken);
 
                 $response = $this->onSuccess($request, $returnValue);
             } elseif ($returnValue instanceof Response) {
@@ -226,4 +228,18 @@ private function onSuccess(Request $request, TokenInterface $token): Response
 
         return $response;
     }
+
+    private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)
+    {
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
+        $this->sessionStrategy->onAuthentication($request, $token);
+    }
 }
diff --git a/Firewall/AbstractPreAuthenticatedListener.php b/Firewall/AbstractPreAuthenticatedListener.php
@@ -98,13 +98,14 @@ public function authenticate(RequestEvent $event)
         }
 
         try {
+            $previousToken = $token;
             $token = $this->authenticationManager->authenticate(new PreAuthenticatedToken($user, $credentials, $this->providerKey));
 
             if (null !== $this->logger) {
                 $this->logger->info('Pre-authentication successful.', ['token' => (string) $token]);
             }
 
-            $this->migrateSession($request, $token);
+            $this->migrateSession($request, $token, $previousToken);
 
             $this->tokenStorage->setToken($token);
 
@@ -149,12 +150,21 @@ private function clearToken(AuthenticationException $exception)
      */
     abstract protected function getPreAuthenticatedData(Request $request);
 
-    private function migrateSession(Request $request, TokenInterface $token)
+    private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)
     {
         if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/Firewall/BasicAuthenticationListener.php b/Firewall/BasicAuthenticationListener.php
@@ -88,9 +88,10 @@ public function authenticate(RequestEvent $event)
         }
 
         try {
+            $previousToken = $token;
             $token = $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'), $this->providerKey));
 
-            $this->migrateSession($request, $token);
+            $this->migrateSession($request, $token, $previousToken);
 
             $this->tokenStorage->setToken($token);
         } catch (AuthenticationException $e) {
@@ -121,12 +122,21 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn
         $this->sessionStrategy = $sessionStrategy;
     }
 
-    private function migrateSession(Request $request, TokenInterface $token)
+    private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)
     {
         if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/Firewall/UsernamePasswordJsonAuthenticationListener.php b/Firewall/UsernamePasswordJsonAuthenticationListener.php
@@ -101,6 +101,7 @@ public function authenticate(RequestEvent $event)
     {
         $request = $event->getRequest();
         $data = json_decode($request->getContent());
+        $previousToken = $this->tokenStorage->getToken();
 
         try {
             if (!$data instanceof \stdClass) {
@@ -134,7 +135,7 @@ public function authenticate(RequestEvent $event)
             $token = new UsernamePasswordToken($username, $password, $this->providerKey);
 
             $authenticatedToken = $this->authenticationManager->authenticate($token);
-            $response = $this->onSuccess($request, $authenticatedToken);
+            $response = $this->onSuccess($request, $authenticatedToken, $previousToken);
         } catch (AuthenticationException $e) {
             $response = $this->onFailure($request, $e);
         } catch (BadRequestHttpException $e) {
@@ -150,14 +151,14 @@ public function authenticate(RequestEvent $event)
         $event->setResponse($response);
     }
 
-    private function onSuccess(Request $request, TokenInterface $token): ?Response
+    private function onSuccess(Request $request, TokenInterface $token, ?TokenInterface $previousToken): ?Response
     {
         if (null !== $this->logger) {
             // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
             $this->logger->info('User has been authenticated successfully.', ['username' => method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()]);
         }
 
-        $this->migrateSession($request, $token);
+        $this->migrateSession($request, $token, $previousToken);
 
         $this->tokenStorage->setToken($token);
 
@@ -224,12 +225,21 @@ public function setTranslator(TranslatorInterface $translator)
         $this->translator = $translator;
     }
 
-    private function migrateSession(Request $request, TokenInterface $token)
+    private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)
     {
         if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
+        if ($previousToken) {
+            $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
+            $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionStrategy->onAuthentication($request, $token);
     }
 }
diff --git a/Tests/EventListener/PasswordMigratingListenerTest.php b/Tests/EventListener/PasswordMigratingListenerTest.php
@@ -15,6 +15,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;
 use Symfony\Component\PasswordHasher\PasswordHasherInterface;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
@@ -28,7 +29,6 @@
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\EventListener\PasswordMigratingListener;
 use Symfony\Component\Security\Http\Tests\Fixtures\DummyAuthenticator;
-use Symfony\Component\Security\Http\Tests\Fixtures\DummyToken;
 
 class PasswordMigratingListenerTest extends TestCase
 {
@@ -140,7 +140,7 @@ private static function createPasswordUpgrader()
 
     private static function createEvent(PassportInterface $passport)
     {
-        return new LoginSuccessEvent(new DummyAuthenticator(), $passport, new DummyToken(), new Request(), null, 'main');
+        return new LoginSuccessEvent(new DummyAuthenticator(), $passport, new NullToken(), new Request(), null, 'main');
     }
 }
 
diff --git a/Tests/EventListener/SessionStrategyListenerTest.php b/Tests/EventListener/SessionStrategyListenerTest.php
@@ -14,7 +14,7 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
@@ -35,7 +35,7 @@ protected function setUp(): void
         $this->sessionAuthenticationStrategy = $this->createMock(SessionAuthenticationStrategyInterface::class);
         $this->listener = new SessionStrategyListener($this->sessionAuthenticationStrategy);
         $this->request = new Request();
-        $this->token = $this->createMock(TokenInterface::class);
+        $this->token = $this->createMock(NullToken::class);
     }
 
     public function testRequestWithSession()
@@ -62,6 +62,25 @@ public function testStatelessFirewalls()
         $listener->onSuccessfulLogin($this->createEvent('api_firewall'));
     }
 
+    public function testRequestWithSamePreviousUser()
+    {
+        $this->configurePreviousSession();
+        $this->sessionAuthenticationStrategy->expects($this->never())->method('onAuthentication');
+
+        $token = $this->createMock(NullToken::class);
+        $token->expects($this->once())
+            ->method('getUserIdentifier')
+            ->willReturn('test');
+        $previousToken = $this->createMock(NullToken::class);
+        $previousToken->expects($this->once())
+            ->method('getUserIdentifier')
+            ->willReturn('test');
+
+        $event = new LoginSuccessEvent($this->createMock(AuthenticatorInterface::class), new SelfValidatingPassport(new UserBadge('test', function () {})), $token, $this->request, null, 'main_firewall', $previousToken);
+
+        $this->listener->onSuccessfulLogin($event);
+    }
+
     private function createEvent($firewallName)
     {
         return new LoginSuccessEvent($this->createMock(AuthenticatorInterface::class), new SelfValidatingPassport(new UserBadge('test', function ($username) { return new InMemoryUser($username, null); })), $this->token, $this->request, null, $firewallName);
diff --git a/Tests/Fixtures/DummySupportsAuthenticator.php b/Tests/Fixtures/DummySupportsAuthenticator.php
@@ -12,12 +12,6 @@
 namespace Symfony\Component\Security\Http\Tests\Fixtures;
 
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
-use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
-use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
 
 class DummySupportsAuthenticator extends DummyAuthenticator
 {
diff --git a/Tests/Fixtures/DummyToken.php b/Tests/Fixtures/DummyToken.php

Original file line number	Diff line number	Diff line change
`@@ -84,7 +84,7 @@ public function authenticateUser(UserInterface $user, AuthenticatorInterface $au`
`84`	`84`	`$token = $this->eventDispatcher->dispatch(new AuthenticationTokenCreatedEvent($token, $passport))->getAuthenticatedToken();`
`85`	`85`
`86`	`86`	`// authenticate this in the system`
`87`		`- return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator);`
	`87`	`+ return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator, $this->tokenStorage->getToken());`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`public function supports(Request $request): ?bool`
`@@ -174,6 +174,7 @@ private function executeAuthenticators(array $authenticators, Request $request):`
`174`	`174`	`private function executeAuthenticator(AuthenticatorInterface $authenticator, Request $request): ?Response`
`175`	`175`	`{`
`176`	`176`	`$passport = null;`
	`177`	`+ $previousToken = $this->tokenStorage->getToken();`
`177`	`178`
`178`	`179`	`try {`
`179`	`180`	`// get the passport from the Authenticator`
`@@ -224,7 +225,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req`
`224`	`225`	`}`
`225`	`226`
`226`	`227`	`// success! (sets the token on the token storage, etc)`
`227`		`- $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator);`
	`228`	`+ $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator, $previousToken);`
`228`	`229`	`if ($response instanceof Response) {`
`229`	`230`	`return $response;`
`230`	`231`	`}`
`@@ -236,7 +237,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req`
`236`	`237`	`return null;`
`237`	`238`	`}`
`238`	`239`
`239`		`- private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator): ?Response`
	`240`	`+ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator, ?TokenInterface $previousToken): ?Response`
`240`	`241`	`{`
`241`	`242`	`// @deprecated since Symfony 5.3`
`242`	`243`	`$user = $authenticatedToken->getUser();`
`@@ -252,7 +253,7 @@ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken,`
`252`	`253`	`$this->eventDispatcher->dispatch($loginEvent, SecurityEvents::INTERACTIVE_LOGIN);`
`253`	`254`	`}`
`254`	`255`
`255`		`- $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName));`
	`256`	`+ $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName, $previousToken));`
`256`	`257`
`257`	`258`	`return $loginSuccessEvent->getResponse();`
`258`	`259`	`}`
Original file line number	Diff line number	Diff line change
`@@ -98,13 +98,14 @@ public function authenticate(RequestEvent $event)`
`98`	`98`	`}`
`99`	`99`
`100`	`100`	`try {`
	`101`	`+ $previousToken = $token;`
`101`	`102`	`$token = $this->authenticationManager->authenticate(new PreAuthenticatedToken($user, $credentials, $this->providerKey));`
`102`	`103`
`103`	`104`	`if (null !== $this->logger) {`
`104`	`105`	`$this->logger->info('Pre-authentication successful.', ['token' => (string) $token]);`
`105`	`106`	`}`
`106`	`107`
`107`		`- $this->migrateSession($request, $token);`
	`108`	`+ $this->migrateSession($request, $token, $previousToken);`
`108`	`109`
`109`	`110`	`$this->tokenStorage->setToken($token);`
`110`	`111`
`@@ -149,12 +150,21 @@ private function clearToken(AuthenticationException $exception)`
`149`	`150`	`*/`
`150`	`151`	`abstract protected function getPreAuthenticatedData(Request $request);`
`151`	`152`
`152`		`- private function migrateSession(Request $request, TokenInterface $token)`
	`153`	`+ private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)`
`153`	`154`	`{`
`154`	`155`	`if (!$this->sessionStrategy \|\| !$request->hasSession() \|\| !$request->hasPreviousSession()) {`
`155`	`156`	`return;`
`156`	`157`	`}`
`157`	`158`
	`159`	`+ if ($previousToken) {`
	`160`	`+ $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();`
	`161`	`+ $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();`
	`162`	`+`
	`163`	`+ if ('' !== ($user ?? '') && $user === $previousUser) {`
	`164`	`+ return;`
	`165`	`+ }`
	`166`	`+ }`
	`167`	`+`
`158`	`168`	`$this->sessionStrategy->onAuthentication($request, $token);`
`159`	`169`	`}`
`160`	`170`	`}`
Original file line number	Diff line number	Diff line change
`@@ -88,9 +88,10 @@ public function authenticate(RequestEvent $event)`
`88`	`88`	`}`
`89`	`89`
`90`	`90`	`try {`
	`91`	`+ $previousToken = $token;`
`91`	`92`	`$token = $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $request->headers->get('PHP_AUTH_PW'), $this->providerKey));`
`92`	`93`
`93`		`- $this->migrateSession($request, $token);`
	`94`	`+ $this->migrateSession($request, $token, $previousToken);`
`94`	`95`
`95`	`96`	`$this->tokenStorage->setToken($token);`
`96`	`97`	`} catch (AuthenticationException $e) {`
`@@ -121,12 +122,21 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn`
`121`	`122`	`$this->sessionStrategy = $sessionStrategy;`
`122`	`123`	`}`
`123`	`124`
`124`		`- private function migrateSession(Request $request, TokenInterface $token)`
	`125`	`+ private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)`
`125`	`126`	`{`
`126`	`127`	`if (!$this->sessionStrategy \|\| !$request->hasSession() \|\| !$request->hasPreviousSession()) {`
`127`	`128`	`return;`
`128`	`129`	`}`
`129`	`130`
	`131`	`+ if ($previousToken) {`
	`132`	`+ $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();`
	`133`	`+ $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();`
	`134`	`+`
	`135`	`+ if ('' !== ($user ?? '') && $user === $previousUser) {`
	`136`	`+ return;`
	`137`	`+ }`
	`138`	`+ }`
	`139`	`+`
`130`	`140`	`$this->sessionStrategy->onAuthentication($request, $token);`
`131`	`141`	`}`
`132`	`142`	`}`
Original file line number	Diff line number	Diff line change
`@@ -101,6 +101,7 @@ public function authenticate(RequestEvent $event)`
`101`	`101`	`{`
`102`	`102`	`$request = $event->getRequest();`
`103`	`103`	`$data = json_decode($request->getContent());`
	`104`	`+ $previousToken = $this->tokenStorage->getToken();`
`104`	`105`
`105`	`106`	`try {`
`106`	`107`	`if (!$data instanceof \stdClass) {`
`@@ -134,7 +135,7 @@ public function authenticate(RequestEvent $event)`
`134`	`135`	`$token = new UsernamePasswordToken($username, $password, $this->providerKey);`
`135`	`136`
`136`	`137`	`$authenticatedToken = $this->authenticationManager->authenticate($token);`
`137`		`- $response = $this->onSuccess($request, $authenticatedToken);`
	`138`	`+ $response = $this->onSuccess($request, $authenticatedToken, $previousToken);`
`138`	`139`	`} catch (AuthenticationException $e) {`
`139`	`140`	`$response = $this->onFailure($request, $e);`
`140`	`141`	`} catch (BadRequestHttpException $e) {`
`@@ -150,14 +151,14 @@ public function authenticate(RequestEvent $event)`
`150`	`151`	`$event->setResponse($response);`
`151`	`152`	`}`
`152`	`153`
`153`		`- private function onSuccess(Request $request, TokenInterface $token): ?Response`
	`154`	`+ private function onSuccess(Request $request, TokenInterface $token, ?TokenInterface $previousToken): ?Response`
`154`	`155`	`{`
`155`	`156`	`if (null !== $this->logger) {`
`156`	`157`	`// @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0`
`157`	`158`	`$this->logger->info('User has been authenticated successfully.', ['username' => method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()]);`
`158`	`159`	`}`
`159`	`160`
`160`		`- $this->migrateSession($request, $token);`
	`161`	`+ $this->migrateSession($request, $token, $previousToken);`
`161`	`162`
`162`	`163`	`$this->tokenStorage->setToken($token);`
`163`	`164`
`@@ -224,12 +225,21 @@ public function setTranslator(TranslatorInterface $translator)`
`224`	`225`	`$this->translator = $translator;`
`225`	`226`	`}`
`226`	`227`
`227`		`- private function migrateSession(Request $request, TokenInterface $token)`
	`228`	`+ private function migrateSession(Request $request, TokenInterface $token, ?TokenInterface $previousToken)`
`228`	`229`	`{`
`229`	`230`	`if (!$this->sessionStrategy \|\| !$request->hasSession() \|\| !$request->hasPreviousSession()) {`
`230`	`231`	`return;`
`231`	`232`	`}`
`232`	`233`
	`234`	`+ if ($previousToken) {`
	`235`	`+ $user = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();`
	`236`	`+ $previousUser = method_exists($previousToken, 'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();`
	`237`	`+`
	`238`	`+ if ('' !== ($user ?? '') && $user === $previousUser) {`
	`239`	`+ return;`
	`240`	`+ }`
	`241`	`+ }`
	`242`	`+`
`233`	`243`	`$this->sessionStrategy->onAuthentication($request, $token);`
`234`	`244`	`}`
`235`	`245`	`}`
Original file line number	Diff line number	Diff line change
`@@ -15,6 +15,7 @@`
`15`	`15`	`use Symfony\Component\HttpFoundation\Request;`
`16`	`16`	`use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;`
`17`	`17`	`use Symfony\Component\PasswordHasher\PasswordHasherInterface;`
	`18`	`+use Symfony\Component\Security\Core\Authentication\Token\NullToken;`
`18`	`19`	`use Symfony\Component\Security\Core\User\InMemoryUser;`
`19`	`20`	`use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;`
`20`	`21`	`use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;`
`@@ -28,7 +29,6 @@`
`28`	`29`	`use Symfony\Component\Security\Http\Event\LoginSuccessEvent;`
`29`	`30`	`use Symfony\Component\Security\Http\EventListener\PasswordMigratingListener;`
`30`	`31`	`use Symfony\Component\Security\Http\Tests\Fixtures\DummyAuthenticator;`
`31`		`-use Symfony\Component\Security\Http\Tests\Fixtures\DummyToken;`
`32`	`32`
`33`	`33`	`class PasswordMigratingListenerTest extends TestCase`
`34`	`34`	`{`
`@@ -140,7 +140,7 @@ private static function createPasswordUpgrader()`
`140`	`140`
`141`	`141`	`private static function createEvent(PassportInterface $passport)`
`142`	`142`	`{`
`143`		`- return new LoginSuccessEvent(new DummyAuthenticator(), $passport, new DummyToken(), new Request(), null, 'main');`
	`143`	`+ return new LoginSuccessEvent(new DummyAuthenticator(), $passport, new NullToken(), new Request(), null, 'main');`
`144`	`144`	`}`
`145`	`145`	`}`
`146`	`146`