Merge remote-tracking branch 'origin/5.4' into 6.2

* origin/5.4:
  [Security] Migrate the session on login only when the user changes

Author: wouterj

Authentication/AuthenticatorManager.php

@@ -83,7 +83,7 @@ public function authenticateUser(UserInterface $user, AuthenticatorInterface $au
         $token = $this->eventDispatcher->dispatch(new AuthenticationTokenCreatedEvent($token, $passport))->getAuthenticatedToken();
 
         // authenticate this in the system
-        return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator);
+        return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator, $this->tokenStorage->getToken());
     }
 
     public function supports(Request $request): ?bool
@@ -165,6 +165,7 @@ private function executeAuthenticators(array $authenticators, Request $request):
     private function executeAuthenticator(AuthenticatorInterface $authenticator, Request $request): ?Response
     {
         $passport = null;
+        $previousToken = $this->tokenStorage->getToken();
 
         try {
             // get the passport from the Authenticator
@@ -213,7 +214,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
         }
 
         // success! (sets the token on the token storage, etc)
-        $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator);
+        $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator, $previousToken);
         if ($response instanceof Response) {
             return $response;
         }
@@ -223,7 +224,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
         return null;
     }
 
-    private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, Passport $passport, Request $request, AuthenticatorInterface $authenticator): ?Response
+    private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, Passport $passport, Request $request, AuthenticatorInterface $authenticator, ?TokenInterface $previousToken): ?Response
     {
         $this->tokenStorage->setToken($authenticatedToken);
 
@@ -233,7 +234,7 @@ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken,
             $this->eventDispatcher->dispatch($loginEvent, SecurityEvents::INTERACTIVE_LOGIN);
         }
 
-        $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName));
+        $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName, $previousToken));
 
         return $loginSuccessEvent->getResponse();
     }

Event/LoginSuccessEvent.php

@@ -34,15 +34,17 @@ class LoginSuccessEvent extends Event
     private AuthenticatorInterface $authenticator;
     private Passport $passport;
     private TokenInterface $authenticatedToken;
+    private ?TokenInterface $previousToken;
     private Request $request;
     private ?Response $response;
     private string $firewallName;
 
-    public function __construct(AuthenticatorInterface $authenticator, Passport $passport, TokenInterface $authenticatedToken, Request $request, ?Response $response, string $firewallName)
+    public function __construct(AuthenticatorInterface $authenticator, Passport $passport, TokenInterface $authenticatedToken, Request $request, ?Response $response, string $firewallName, TokenInterface $previousToken = null)
     {
         $this->authenticator = $authenticator;
         $this->passport = $passport;
         $this->authenticatedToken = $authenticatedToken;
+        $this->previousToken = $previousToken;
         $this->request = $request;
         $this->response = $response;
         $this->firewallName = $firewallName;
@@ -68,6 +70,11 @@ public function getAuthenticatedToken(): TokenInterface
         return $this->authenticatedToken;
     }
 
+    public function getPreviousToken(): ?TokenInterface
+    {
+        return $this->previousToken;
+    }
+
     public function getRequest(): Request
     {
         return $this->request;

EventListener/SessionStrategyListener.php

@@ -43,6 +43,15 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void
             return;
         }
 
+        if ($previousToken = $event->getPreviousToken()) {
+            $user = $token->getUserIdentifier();
+            $previousUser = $previousToken->getUserIdentifier();
+
+            if ('' !== ($user ?? '') && $user === $previousUser) {
+                return;
+            }
+        }
+
         $this->sessionAuthenticationStrategy->onAuthentication($request, $token);
     }
 

Tests/EventListener/PasswordMigratingListenerTest.php

@@ -15,6 +15,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface;
 use Symfony\Component\PasswordHasher\PasswordHasherInterface;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
@@ -27,7 +28,6 @@
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\EventListener\PasswordMigratingListener;
 use Symfony\Component\Security\Http\Tests\Fixtures\DummyAuthenticator;
-use Symfony\Component\Security\Http\Tests\Fixtures\DummyToken;
 
 class PasswordMigratingListenerTest extends TestCase
 {
@@ -112,7 +112,7 @@ private static function createPasswordUpgrader()
 
     private static function createEvent(Passport $passport)
     {
-        return new LoginSuccessEvent(new DummyAuthenticator(), $passport, new DummyToken(), new Request(), null, 'main');
+        return new LoginSuccessEvent(new DummyAuthenticator(), $passport, new NullToken(), new Request(), null, 'main');
     }
 }
 

Tests/EventListener/SessionStrategyListenerTest.php

@@ -14,7 +14,7 @@
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
@@ -35,7 +35,7 @@ protected function setUp(): void
         $this->sessionAuthenticationStrategy = $this->createMock(SessionAuthenticationStrategyInterface::class);
         $this->listener = new SessionStrategyListener($this->sessionAuthenticationStrategy);
         $this->request = new Request();
-        $this->token = $this->createMock(TokenInterface::class);
+        $this->token = $this->createMock(NullToken::class);
     }
 
     public function testRequestWithSession()
@@ -62,6 +62,25 @@ public function testStatelessFirewalls()
         $listener->onSuccessfulLogin($this->createEvent('api_firewall'));
     }
 
+    public function testRequestWithSamePreviousUser()
+    {
+        $this->configurePreviousSession();
+        $this->sessionAuthenticationStrategy->expects($this->never())->method('onAuthentication');
+
+        $token = $this->createMock(NullToken::class);
+        $token->expects($this->once())
+            ->method('getUserIdentifier')
+            ->willReturn('test');
+        $previousToken = $this->createMock(NullToken::class);
+        $previousToken->expects($this->once())
+            ->method('getUserIdentifier')
+            ->willReturn('test');
+
+        $event = new LoginSuccessEvent($this->createMock(AuthenticatorInterface::class), new SelfValidatingPassport(new UserBadge('test', function () {})), $token, $this->request, null, 'main_firewall', $previousToken);
+
+        $this->listener->onSuccessfulLogin($event);
+    }
+
     private function createEvent($firewallName)
     {
         return new LoginSuccessEvent($this->createMock(AuthenticatorInterface::class), new SelfValidatingPassport(new UserBadge('test', function ($username) { return new InMemoryUser($username, null); })), $this->token, $this->request, null, $firewallName);

Tests/Fixtures/DummySupportsAuthenticator.php

@@ -12,12 +12,6 @@
 namespace Symfony\Component\Security\Http\Tests\Fixtures;
 
 use Symfony\Component\HttpFoundation\Request;
-use Symfony\Component\HttpFoundation\Response;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
-use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
-use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
 
 class DummySupportsAuthenticator extends DummyAuthenticator
 {