[security] There is no user provider for user #35435

thewalkingcoder · 2020-01-22T13:04:26Z

Symfony version(s) affected: 4.4.3

Description
After update to 4.4.3 i have a RuntimeException "There is no user provider for user"

How to reproduce
if you have custom provider update to 4.4.3

Sample

security:
    providers:
        custom-security:
            id: custom.user_provider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern: ^/login
            security: false
        secured_area:
            pattern: ^/
            guard:
                authenticators:
                    - custom.authentificator
                entry_point: custom.authentificator
            logout:
                path: /logout

Possible Solution
Problem is on the file Symfony/Component/Security/Http/Firewall/ContextListener.php method refreshUser

Follows #35065

thewalkingcoder · 2020-01-22T13:22:08Z

After more analyse, my customProvider return bad Class on method supportClass

Pi-r- · 2020-01-22T13:24:01Z

Hi I am having the same issue but with version 3.4.37 https://stackoverflow.com/questions/59858525/there-is-no-user-provider-for-user-symfony-3-4-37

Wen downgrading to 3.4.36 everything works fine.

Pi-r- · 2020-01-22T14:02:31Z

Same thing with version 3.4.37 the issue was from my custom user provider supportsClass methode returning a wrong class

ahundiak · 2020-01-22T14:14:36Z

Just in case anybody is wondering, the 3.4.37 problem was also the result of an invalid supportsClass method. Looks like the older code was not properly using the method.

terox · 2020-01-23T08:32:53Z

Hello everybody!

I am experiencing the same issue on the Symfony 4.4.3. As all other guys before me, the issue is on the method supportsClass on my custom user provider. A little explanation about how fix that issue:

Before (fails with the described exception):

public function supportsClass($class)
{
    return $class === UserInterface::class;
}

After (works fine):

public function supportsClass($class)
{
    return $class === MyCustomModel::class;
}

I was checking the security component and I think that the issue is introduced in the next commit:
symfony/security@0cfaf60#diff-0cd860ec03e139a658ed3c258b615f21

Sincerely, I think that now it have the expected behaviour; but is breaking bad implemented custom providers. May be some one could correct my words.

Cheers!

thewalkingcoder · 2020-01-23T08:46:27Z

@terox you are right, even if the last implementation is the good way and have sense to fix on 5.x, on 4.4.3 you break semserv.

ping @nicolas-grekas, what do you think ?

nicolas-grekas · 2020-01-23T08:49:31Z

No opinion. Any bug fix is a potential BC break, it's never black and white. Given all reports mention bad implementations of supportsClass(), it looks like fixing them is a good thing.
/cc @linaori WDYT?

thewalkingcoder · 2020-01-23T08:51:06Z

you have right too

kissifrot · 2020-01-23T08:55:29Z

On our side we have the problem when a Doctrine proxy class is used by security component instead of the original one, such as Proxies\__CG__\App\Entity\OurUser instead of App\Entity\OurUser

So supportsClass will return false in that case thus preventing the user from logging in

terox · 2020-01-23T09:07:11Z

I agree with @nicolas-grekas.

Should the documentation mention or put some example that @kissifrot is commenting? I think that it could be a common issue.

kissifrot · 2020-01-23T09:44:35Z

As a follow-up to my previous comment, for most cases to support the proxies and fix the user provider error you would just have to edit your supportsClass like so:

public function supportsClass($class)
{
    return MyUserEntity::class === $class || is_subclass_of($class, MyUserEntity::class);
}

wouterj · 2020-01-23T10:10:15Z

To get things clear: What we're seeing here is that supportsClass() returns false for the currently authenticated user, as it's using some "bad" condition? So if we remove the supportsClass() 👇 call we end up with a working application?

symfony/src/Symfony/Component/Security/Http/Firewall/ContextListener.php

Lines 178 to 180 in d3942cb

    
           if (!$provider->supportsClass($userClass)) { 
        
               continue; 
        
           }

I think it's good to have this bug fix, but we can do better at reporting the bug. For instance, what about moving this if condition after 👇 in Symfony 5.x?

symfony/src/Symfony/Component/Security/Http/Firewall/ContextListener.php

Lines 182 to 185 in d3942cb

    
           try { 
        
               $refreshedUser = $provider->refreshUser($user); 
        
               $newToken = clone $token; 
        
               $newToken->setUser($refreshedUser);

We can then improve the exception by saying something like:

There is no user provider for user. User provider X was able to refresh the user, but its supportUser() method returned false for this class. This will break in Symfony 6.

And then move the if statement to it's current position in Symfony 6, probably speeding up applications with many users providers a bit.

linaori · 2020-01-23T11:08:00Z

@nicolas-grekas this is a use-case that I have discussed with @chalasr I believe, I can't find it right now so must've been on slack as I couldn't see it in the PR or Issue. We considered it to be a bug if your logic in supportsClass() was not correct and not a case we should take care of in this bug fix. If this is really causing a lot of issues for people, I suggest we take a look at @wouterj's idea about the exception message.

To get things clear: What we're seeing here is that supportsClass() returns false for the currently authenticated user, as it's using some "bad" condition? So if we remove the supportsClass() 👇 call we end up with a working application?

That depends, it's not clear -especially in older Symfony versions- that the refreshUser() should throw an exception for this, as supportsClass() has always been there. In most scenarios this worked because the of non-complex authentication processes. 1 user with 1 authenticator and 1 user provider, and you'll not encounter this bug, which makes you believe supportsClass() works fine.

I think it's good to have this bug fix, but we can do better at reporting the bug. For instance, what about moving this if condition after 👇 in Symfony 5.x?

This would have to be done in the same in the ChainUserProvider. I'm still of opinion that a better check would be something like supportsUser($user), as that's basically what you want to do do. Using the refreshUser for this kind of logic, is easy to miss, even without supports (lack of @throws in php like java has).

can then improve the exception by saying something like [...]

So this suggestion (by moving the logic) would be a DX solution to hint people what is wrong? I would advice to do this in 3.4+ already if it's merely DX as part of this bug fix.

MisatoTremor · 2020-01-24T10:31:02Z

I also ran into this, but think the change is a good one.

I suggest that the upgrade docs for the affected versions should mention this change and the is_subclass_of fix as this check seems to me to be the major cause for this issue.
Also the default implementation of the EntityUserProvider::supportsClass has got this right for years, but generated classes have not (see symfony/maker-bundle#532 and also mentioned in the docs) which might be why many of those affected have this issue.

chalasr · 2020-01-24T14:26:38Z

I'm against reverting. It revealed many broken implementations which are likely to open the door for true security holes, especially on 3.4 where changed users are not deauthenticated by default at refresh-time.
PRs welcome for maker-bundle, core documentation and/or DX. But reverting the patch in order to provide better messages (namely upgrade paths) is a no-go to me.

chalasr · 2020-01-24T14:30:53Z

Closing in favor of symfony/maker-bundle#532. Thanks for the report!

wouterj · 2020-01-24T16:22:54Z

@chalasr it's not so much about reverting, it's about improving the error message. Fixing the maker helps future applications, but doesn't help applications upgrading to Symfony 4.4. We should help the upgrading user to easier find this error (as "There is no user provider for this user" isn't a very good indicator to start debugging)

linaori · 2020-01-24T17:00:12Z

(as "There is no user provider for this user" isn't a very good indicator to start debugging)

What if we change this message to refer to the supportsUser() method?

chalasr · 2020-01-24T17:00:51Z

@wouterj right, thanks for clarifying. 👍 on my side

wouterj · 2020-01-25T12:55:08Z

I've implemented @linaori's suggestion in #35472 . I think that's the easiest to not make code much complexer and still give some valuable hints to the user.

… provider is found (wouterj) This PR was submitted for the 4.4 branch but it was merged into the 3.4 branch instead. Discussion ---------- [Security] Improved error message when no supported user provider is found | Q | A | ------------- | --- | Branch? | 4.4 | Bug fix? | no | New feature? | no | Deprecations? | no | Tickets | Fix #35435 | License | MIT | Doc PR | - Commits ------- 6b2db6d Improved error message when no supported user provider is found

thewalkingcoder closed this as completed Jan 22, 2020

xabbuh added the Security label Jan 22, 2020

thewalkingcoder reopened this Jan 23, 2020

chalasr closed this as completed Jan 24, 2020

chalasr reopened this Jan 24, 2020

chalasr added the Help wanted Issues and PRs which are looking for volunteers to complete them. label Jan 24, 2020

wouterj mentioned this issue Jan 25, 2020

[Security] Improved error message when no supported user provider is found #35472

Merged

chalasr removed the Help wanted Issues and PRs which are looking for volunteers to complete them. label Jan 26, 2020

nicolas-grekas closed this as completed Jan 27, 2020

sw-satoshi-nakano mentioned this issue Oct 7, 2020

Member Entity拡張後に特定の操作をすると管理画面にログインできなくなる EC-CUBE/ec-cube#4725

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

[security] There is no user provider for user #35435

[security] There is no user provider for user #35435

[security] There is no user provider for user #35435

[security] There is no user provider for user #35435

Comments