Added support for lazy firewalls

wouterj · wouterj · commit 9782b52c925b · 2020-04-20T14:20:56.000+02:00
diff --git a/Authenticator/AnonymousAuthenticator.php b/Authenticator/AnonymousAuthenticator.php
@@ -41,7 +41,8 @@ public function __construct(string $secret, TokenStorageInterface $tokenStorage)
     public function supports(Request $request): ?bool
     {
         // do not overwrite already stored tokens (i.e. from the session)
-        return null === $this->tokenStorage->getToken();
+        // the `null` return value indicates that this authenticator supports lazy firewalls
+        return null === $this->tokenStorage->getToken() ? null : false;
     }
 
     public function getCredentials(Request $request)
diff --git a/Firewall/AuthenticatorManagerListener.php b/Firewall/AuthenticatorManagerListener.php
@@ -13,6 +13,7 @@
 
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventDispatcherInterface;
+use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Event\RequestEvent;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
@@ -30,10 +31,8 @@
  *
  * @experimental in 5.1
  */
-class AuthenticatorManagerListener
+class AuthenticatorManagerListener extends AbstractListener
 {
-    use AuthenticatorManagerListenerTrait;
-
     private $authenticationManager;
     private $authenticatorHandler;
     private $authenticators;
@@ -54,15 +53,58 @@ public function __construct(AuthenticationManagerInterface $authenticationManage
         $this->eventDispatcher = $eventDispatcher;
     }
 
-    public function __invoke(RequestEvent $requestEvent)
+    public function supports(Request $request): ?bool
     {
-        $request = $requestEvent->getRequest();
-        $authenticators = $this->getSupportingAuthenticators($request);
+        if (null !== $this->logger) {
+            $context = ['firewall_key' => $this->providerKey];
+
+            if ($this->authenticators instanceof \Countable || \is_array($this->authenticators)) {
+                $context['authenticators'] = \count($this->authenticators);
+            }
+
+            $this->logger->debug('Checking for guard authentication credentials.', $context);
+        }
+
+        [$authenticators, $lazy] = $this->getSupportingAuthenticators($request);
+        if (!$authenticators) {
+            return false;
+        }
+
+        $request->attributes->set('_guard_authenticators', $authenticators);
+
+        return $lazy ? null : true;
+    }
+
+    public function authenticate(RequestEvent $event)
+    {
+        $request = $event->getRequest();
+        $authenticators = $request->attributes->get('_guard_authenticators');
+        $request->attributes->remove('_guard_authenticators');
         if (!$authenticators) {
             return;
         }
 
-        $this->executeAuthenticators($authenticators, $requestEvent);
+        $this->executeAuthenticators($authenticators, $event);
+    }
+
+    protected function getSupportingAuthenticators(Request $request): array
+    {
+        $authenticators = [];
+        $lazy = true;
+        foreach ($this->authenticators as $key => $authenticator) {
+            if (null !== $this->logger) {
+                $this->logger->debug('Checking support on authenticator.', ['firewall_key' => $this->providerKey, 'authenticator' => \get_class($authenticator)]);
+            }
+
+            if (false !== $supports = $authenticator->supports($request)) {
+                $authenticators[$key] = $authenticator;
+                $lazy = $lazy && null === $supports;
+            } elseif (null !== $this->logger) {
+                $this->logger->debug('Authenticator does not support the request.', ['firewall_key' => $this->providerKey, 'authenticator' => \get_class($authenticator)]);
+            }
+        }
+
+        return [$authenticators, $lazy];
     }
 
     /**
@@ -71,6 +113,15 @@ public function __invoke(RequestEvent $requestEvent)
     protected function executeAuthenticators(array $authenticators, RequestEvent $event): void
     {
         foreach ($authenticators as $key => $authenticator) {
+            // recheck if the authenticator still supports the listener. support() is called
+            // eagerly (before token storage is initialized), whereas authenticate() is called
+            // lazily (after initialization). This is important for e.g. the AnonymousAuthenticator
+            // as its support is relying on the (initialized) token in the TokenStorage.
+            if (false === $authenticator->supports($event->getRequest())) {
+                $this->logger->debug('Skipping the "{authenticator}" authenticator as it did not support the request.', ['authenticator' => \get_class($authenticator)]);
+                continue;
+            }
+
             $this->executeAuthenticator($key, $authenticator, $event);
 
             if ($event->hasResponse()) {
diff --git a/Firewall/AuthenticatorManagerListenerTrait.php b/Firewall/AuthenticatorManagerListenerTrait.php

Original file line number	Diff line number	Diff line change
`@@ -41,7 +41,8 @@ public function __construct(string $secret, TokenStorageInterface $tokenStorage)`
`41`	`41`	`public function supports(Request $request): ?bool`
`42`	`42`	`{`
`43`	`43`	`// do not overwrite already stored tokens (i.e. from the session)`
`44`		`- return null === $this->tokenStorage->getToken();`
	`44`	+ // the `null` return value indicates that this authenticator supports lazy firewalls
	`45`	`+ return null === $this->tokenStorage->getToken() ? null : false;`
`45`	`46`	`}`
`46`	`47`
`47`	`48`	`public function getCredentials(Request $request)`