[SecurityBundle] Prevent to login/logout without a request context

symfonyaml · Nyholm · commit aaa9392dd799 · 2023-12-23T08:52:48.000+01:00
diff --git a/src/Symfony/Bundle/SecurityBundle/Security.php b/src/Symfony/Bundle/SecurityBundle/Security.php
@@ -60,6 +60,10 @@ public function getFirewallConfig(Request $request): ?FirewallConfig
     public function login(UserInterface $user, string $authenticatorName = null, string $firewallName = null): void
     {
         $request = $this->container->get('request_stack')->getCurrentRequest();
+        if (null === $request) {
+            throw new LogicException('Unable to login without a request context.');
+        }
+
         $firewallName ??= $this->getFirewallConfig($request)?->getName();
 
         if (!$firewallName) {
@@ -83,15 +87,18 @@ public function login(UserInterface $user, string $authenticatorName = null, str
      */
     public function logout(bool $validateCsrfToken = true): ?Response
     {
+        $request = $this->container->get('request_stack')->getMainRequest();
+        if (null === $request) {
+            throw new LogicException('Unable to logout without a request context.');
+        }
+
         /** @var TokenStorageInterface $tokenStorage */
         $tokenStorage = $this->container->get('security.token_storage');
 
         if (!($token = $tokenStorage->getToken()) || !$token->getUser()) {
             throw new LogicException('Unable to logout as there is no logged-in user.');
         }
 
-        $request = $this->container->get('request_stack')->getMainRequest();
-
         if (!$firewallConfig = $this->container->get('security.firewall.map')->getFirewallConfig($request)) {
             throw new LogicException('Unable to logout as the request is not behind a firewall.');
         }
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/SecurityTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/SecurityTest.php
@@ -201,6 +201,28 @@ public function testLoginWithoutAuthenticatorThrows()
         $security->login($user);
     }
 
+    public function testLoginWithoutRequestContext()
+    {
+        $requestStack = new RequestStack();
+        $user = $this->createMock(UserInterface::class);
+
+        $container = $this->createMock(ContainerInterface::class);
+        $container
+            ->expects($this->atLeastOnce())
+            ->method('get')
+            ->willReturnMap([
+                ['request_stack', $requestStack],
+            ])
+        ;
+
+        $security = new Security($container, ['main' => null]);
+
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('Unable to login without a request context.');
+
+        $security->login($user);
+    }
+
     public function testLogout()
     {
         $request = new Request();
@@ -407,6 +429,27 @@ public function testLogoutWithValidCsrf()
         $this->assertEquals('a custom response', $response->getContent());
     }
 
+    public function testLogoutWithoutRequestContext()
+    {
+        $requestStack = new RequestStack();
+
+        $container = $this->createMock(ContainerInterface::class);
+        $container
+            ->expects($this->atLeastOnce())
+            ->method('get')
+            ->willReturnMap([
+                ['request_stack', $requestStack],
+            ])
+        ;
+
+        $security = new Security($container, ['main' => null]);
+
+        $this->expectException(\LogicException::class);
+        $this->expectExceptionMessage('Unable to logout without a request context.');
+
+        $security->logout();
+    }
+
     private function createContainer(string $serviceId, object $serviceObject): ContainerInterface
     {
         return new ServiceLocator([$serviceId => fn () => $serviceObject]);
