Returning null from SimplePreAuthenticatorInterface::createToken #11490

Closed
igorpan opened this issue Jul 27, 2014 · 5 comments
igorpan commented Jul 27, 2014

The Symfony cookbook entry for API Key Authentication states that you can return null from SimplePreAuthenticatorInterface::createToken if you don't want to authenticate at a certain URL:

```php
public function createToken(Request $request, $providerKey)
{
    // set the only URL where we should look for auth information
    // and only return the token if we're at that URL
    $targetUrl = '/login/check';
    if (!$this->httpUtils->checkRequestPath($request, $targetUrl)) {
        return;
    }

    // ...
}
```

However, when I did it, I got the following error:

Catchable Fatal Error: Argument 1 passed to Symfony\Component\Security\Core\Authentication\AuthenticationProviderManager::authenticate() must be an instance of Symfony\Component\Security\Core\Authentication\Token\TokenInterface, null given

The createToken method is called from SimplePreAuthenticationListener, and when I examined it, this looked like the part that is problematic:

```php
$token = $this->simpleAuthenticator->createToken($request, $this->providerKey);
$token = $this->authenticationManager->authenticate($token);
```

So when SimpleAuthenticator returns null, it passes that null to AuthenticationManager::authenticate which doesn't accept nulls:

```php
interface AuthenticationManagerInterface
{
    public function authenticate(TokenInterface $token);
}
```

@peterrehm
Contributor

I stumbled across the same issue in the last few days. I resolved it in my case by returning an anonymous token with empty credentials like:

```php
if (!$this->httpUtils->checkRequestPath($request, $targetUrl)) {
    return new PreAuthenticatedToken(
        'anon.',
        '',
        $providerKey
    );
}
```

So according to my implementation the authenticateToken() won't authenticate the provided token due to the empty credentials.

However, it is either an issue with the docs or the actual implementation. If it is an issue just with the docs and my suggestion is OK, I could create a docs PR. /CC @weaverryan @Seldaek

@weaverryan
Member

It's technically an issue with the docs, but I want to fix it in the code because it should allow for a null token in my opinion :).

There's actually already a PR open for this - #11414.

Nice workaround for the time being @peterrehm

@cirovargas

watching

@peterrehm
Contributor

@cirovargas You can watch a repository by setting the notification setting. You do not need to actually comment on an issue/PR.

@stof
Member
stof commented Aug 14, 2014

And if you want to watch a single issue, you can use the button in the right column.

fabpot added a commit that referenced this issue Sep 24, 2014
…Listener when createToken() not return TokenInterface object (adenkejawen, fabpot)

This PR was merged into the 2.4 branch.

Discussion
----------

[Security] [Firewall] Bug fixed in SimplePreAuthenticationListener when createToken() not return TokenInterface object

| Q             | A
| ------------- | ---
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | no
| Fixed tickets | #11490, #11414
| License       | MIT
| Doc PR        |

This is a follow-up for #11414 on the right branch.

Commits
-------

faa8e98 fixed bug
e85cb7f added the possibility to return null from SimplePreAuthenticationListener

fabpot closed this as completed Sep 24, 2014
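
The listener-side guard discussed in this thread, as an added sketch that is not Symfony's code or the merged fix: `Token`, `ApiKeyToken`, `Manager`, `handle()` and the demo key are hypothetical stand-ins, and PHP 8 is assumed. A null from `createToken()` skips the type-hinted `authenticate()` call and leaves the request unauthenticated, while empty credentials on the target URL are still rejected by the manager.

```php
<?php
// Stand-in types for illustration (PHP 8+); these are not Symfony's classes.
interface Token {}
final class ApiKeyToken implements Token
{
    public function __construct(public string $apiKey) {}
}
final class Manager
{
    // Type-hinted like authenticate(TokenInterface $token) quoted in the issue.
    public function authenticate(Token $token): Token
    {
        if (!$token instanceof ApiKeyToken || !hash_equals('constructed-demo-key', $token->apiKey)) {
            throw new RuntimeException('invalid credentials');
        }
        return $token;
    }
}

// Authenticator side: null means "this request carries nothing for me".
function createToken(array $request): ?Token
{
    return $request['path'] === '/login/check' ? new ApiKeyToken($request['apikey'] ?? '') : null;
}

// Listener side: a non-token result skips the manager, so no type error is raised.
function handle(array $request, Manager $manager): ?Token
{
    $token = createToken($request);
    if (!$token instanceof Token) {
        return null; // request continues unauthenticated
    }
    return $manager->authenticate($token);
}

$manager = new Manager();
foreach ([ // constructed sample requests
    ['path' => '/other'],
    ['path' => '/login/check', 'apikey' => 'constructed-demo-key'],
    ['path' => '/login/check', 'apikey' => ''],
] as $request) {
    try {
        $result = handle($request, $manager);
        echo $request['path'], ' => ', $result ? 'authenticated' : 'skipped', PHP_EOL;
    } catch (RuntimeException $e) {
        echo $request['path'], ' => rejected: ', $e->getMessage(), PHP_EOL;
    }
}
```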