bug #36176 [Security] Check if firewall is stateless before checking for session/previous session (koenreiniers)

nicolas-grekas · nicolas-grekas · commit 881fa02c8fc4 · 2020-03-23T13:10:36.000+01:00
This PR was submitted for the 4.4 branch but it was squashed and merged into the 3.4 branch instead. Discussion ---------- [Security] Check if firewall is stateless before checking for session/previous session | Q | A | ------------- | --- | Branch? | 4.4  | Bug fix? | yes | New feature? | no  | Deprecations? | no  | Tickets | -  | License | MIT | Doc PR | - For one of our applications we had the issue that the session was always initialized, even for routes behind stateless firewalls. Using the redis session adapter this sometimes lead to exceptions if the connection failed. This change prevents the session from being initialized in the guard authentication handler for stateless firewalls Commits ------- 9bb1230 [Security] Check if firewall is stateless before checking for session/previous session
diff --git a/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php b/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php
@@ -134,7 +134,7 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn
 
     private function migrateSession(Request $request, TokenInterface $token, $providerKey)
     {
-        if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession() || \in_array($providerKey, $this->statelessProviderKeys, true)) {
+        if (\in_array($providerKey, $this->statelessProviderKeys, true) || !$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
             return;
         }
 
diff --git a/src/Symfony/Component/Security/Guard/Tests/GuardAuthenticatorHandlerTest.php b/src/Symfony/Component/Security/Guard/Tests/GuardAuthenticatorHandlerTest.php
@@ -149,6 +149,25 @@ public function testSessionStrategyIsNotCalledWhenStateless()
         $handler->authenticateWithToken($this->token, $this->request, 'some_provider_key');
     }
 
+    /**
+     * @requires function \Symfony\Component\HttpFoundation\Request::setSessionFactory
+     */
+    public function testSessionIsNotInstantiatedOnStatelessFirewall()
+    {
+        $sessionFactory = $this->getMockBuilder(\stdClass::class)
+            ->setMethods(['__invoke'])
+            ->getMock();
+
+        $sessionFactory->expects($this->never())
+            ->method('__invoke');
+
+        $this->request->setSessionFactory($sessionFactory);
+
+        $handler = new GuardAuthenticatorHandler($this->tokenStorage, $this->dispatcher, ['stateless_provider_key']);
+        $handler->setSessionAuthenticationStrategy($this->sessionStrategy);
+        $handler->authenticateWithToken($this->token, $this->request, 'stateless_provider_key');
+    }
+
     protected function setUp()
     {
         $this->tokenStorage = $this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface')->getMock();

Original file line number	Diff line number	Diff line change
`@@ -134,7 +134,7 @@ public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyIn`
`134`	`134`
`135`	`135`	`private function migrateSession(Request $request, TokenInterface $token, $providerKey)`
`136`	`136`	`{`
`137`		`- if (!$this->sessionStrategy \|\| !$request->hasSession() \|\| !$request->hasPreviousSession() \|\| \in_array($providerKey, $this->statelessProviderKeys, true)) {`
	`137`	`+ if (\in_array($providerKey, $this->statelessProviderKeys, true) \|\| !$this->sessionStrategy \|\| !$request->hasSession() \|\| !$request->hasPreviousSession()) {`
`138`	`138`	`return;`
`139`	`139`	`}`
`140`	`140`