[Security][SecurityBundle] Show user account status errors

Author: core23

Authentication/AuthenticatorManager.php

@@ -46,6 +46,8 @@
  */
 class AuthenticatorManager implements AuthenticatorManagerInterface, UserAuthenticatorInterface
 {
+    private ExposeSecurityLevel $exposeSecurityErrors;
+
     /**
      * @param iterable<mixed, AuthenticatorInterface> $authenticators
      */
@@ -56,9 +58,17 @@ public function __construct(
         private string $firewallName,
         private ?LoggerInterface $logger = null,
         private bool $eraseCredentials = true,
-        private bool $hideUserNotFoundExceptions = true,
+        ExposeSecurityLevel|bool $exposeSecurityErrors = ExposeSecurityLevel::None,
         private array $requiredBadges = [],
     ) {
+        if (\is_bool($exposeSecurityErrors)) {
+            trigger_deprecation('symfony/security-http', '7.3', 'Passing a boolean as "exposeSecurityErrors" parameter is deprecated, use %s value instead.', ExposeSecurityLevel::class);
+
+            // The old parameter had an inverted meaning ($hideUserNotFoundExceptions), for that reason the current name does not reflect the behavior
+            $exposeSecurityErrors = $exposeSecurityErrors ? ExposeSecurityLevel::None : ExposeSecurityLevel::All;
+        }
+
+        $this->exposeSecurityErrors = $exposeSecurityErrors;
     }
 
     /**
@@ -250,7 +260,7 @@ private function handleAuthenticationFailure(AuthenticationException $authentica
 
         // Avoid leaking error details in case of invalid user (e.g. user not found or invalid account status)
         // to prevent user enumeration via response content comparison
-        if ($this->hideUserNotFoundExceptions && ($authenticationException instanceof UserNotFoundException || ($authenticationException instanceof AccountStatusException && !$authenticationException instanceof CustomUserMessageAccountStatusException))) {
+        if ($this->isSensitiveException($authenticationException)) {
             $authenticationException = new BadCredentialsException('Bad credentials.', 0, $authenticationException);
         }
 
@@ -264,4 +274,17 @@ private function handleAuthenticationFailure(AuthenticationException $authentica
         // returning null is ok, it means they want the request to continue
         return $loginFailureEvent->getResponse();
     }
+
+    private function isSensitiveException(AuthenticationException $exception): bool
+    {
+        if (ExposeSecurityLevel::All !== $this->exposeSecurityErrors && $exception instanceof UserNotFoundException) {
+            return true;
+        }
+
+        if (ExposeSecurityLevel::None === $this->exposeSecurityErrors && $exception instanceof AccountStatusException && !$exception instanceof CustomUserMessageAccountStatusException) {
+            return true;
+        }
+
+        return false;
+    }
 }

Authentication/ExposeSecurityLevel.php

@@ -0,0 +1,22 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authentication;
+
+/**
+ * @author Christian Gripp <mail@core23.de>
+ */
+enum ExposeSecurityLevel: string
+{
+    case None = 'none';
+    case AccountStatus = 'account_status';
+    case All = 'all';
+}

CHANGELOG.md

@@ -5,6 +5,7 @@ CHANGELOG
 ---
 
  * Add encryption support to `OidcTokenHandler` (JWE)
+ * Replace `$hideAccountStatusExceptions` argument with `$exposeSecurityErrors` in `AuthenticatorManager` constructor
 
 7.2
 ---