8000 [Security] Handle bad request format in json auth listener by ogizanagi · Pull Request #22569 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security] Handle bad request format in json auth listener#22569

Merged
fabpot merged 1 commit intosymfony:masterfrom
ogizanagi:feat 8000 ure/3.3/security/json_login_bad_format_ex
Apr 29, 2017
Merged

[Security] Handle bad request format in json auth listener#22569
fabpot merged 1 commit intosymfony:masterfrom
ogizanagi:feature/3.3/security/json_login_bad_format_ex

Conversation

@ogizanagi
Copy link
Contributor
@ogizanagi ogizanagi commented Apr 28, 2017
edited
Loading
Q A
Branch? master (3.3)
Bug fix? yesish
New feature? yes
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets N/A
License MIT
Doc PR N/A

In #22034, I wondered myself if we shouldn't throw a dedicated exception to handle bad formatted requests and give more inputs to the client by returning a 400 response with an explicit message.

Here is a suggestion, introducing a new BadRequestFormatException and using it in UsernamePasswordJsonAuthenticationListener whenever there is no custom failure handler set (but someone using its own handler should be able to treat the failure properly too).

As discussed with @chalasr , it seems better to directly throw a BadRequestHttpException as it's actually out of the whole security process. PR updated.

chalasr
chalasr approved these changes Apr 28, 2017
View reviewed changes
Copy link
Member
@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍 These exceptions are not about a failed authentication but a wrongly formatted request (and don't provide any sensitive info) thus should not trigger the authentication failure handler nor any authentication exception to be thrown.

@dunglas
Copy link
Member
dunglas commented Apr 28, 2017

Fair enough 👍

@nicolas-grekas nicolas-grekas added this to the 3.3 milestone Apr 28, 2017
nicolas-grekas
nicolas-grekas approved these changes Apr 28, 2017
View reviewed changes
Copy link
Member
@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@fabpot
Copy link
Member
fabpot commented Apr 29, 2017

Thank you @ogizanagi.

@fabpot fabpot merged commit 93a8cb9 into symfony:master Apr 29, 2017
fabpot added a commit that referenced this pull request Apr 29, 2017
@fabpot
bug #22569 [Security] Handle bad request format in json auth listener…
460fcbf 
… (ogizanagi)

This PR was merged into the 3.3-dev branch.

Discussion
----------

[Security] Handle bad request format in json auth listener

| Q             | A
| ------------- | ---
| Branch?       | master (3.3)
| Bug fix?      | yesish
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | N/A
| License       | MIT
| Doc PR        | N/A

In #22034, I wondered myself if we shouldn't throw a dedicated exception to handle bad formatted requests and give more inputs to the client by returning a 400 response with an explicit message.

~~Here is a suggestion, introducing a new `BadRequestFormatException` and using it in `UsernamePasswordJsonAuthenticationListener` whenever there is no custom failure handler set (but someone using its own handler should be able to treat the failure properly too).~~

As discussed with @chalasr , it seems better to directly throw a `BadRequestHttpException` as it's actually out of the whole security process. PR updated.

Commits
-------

93a8cb9 [Security] Handle bad request format in json auth listener
@ogizanagi ogizanagi deleted the feature/3.3/security/json_login_bad_format_ex branch April 29, 2017 16:01
@nicolas-grekas
Copy link
Member
nicolas-grekas commented Apr 29, 2017

@ogizanagi master is red after this PR has been merged, would you mind looking at it please (or anyone else really?)

@chalasr chalasr mentioned this pull request Apr 29, 2017
Merged
@ogizanagi
Copy link
Contributor Author
ogizanagi commented Apr 29, 2017
edited
Loading

Sure. I'm on it. Too late, @chalasr did.

@chalasr
Copy link
Member
chalasr commented Apr 29, 2017

See #22582

nicolas-grekas added a commit that referenced this pull request Apr 29, 2017
@nicolas-grekas
minor #22582 Fix tests (chalasr)
b9e19f6 
This PR was merged into the 3.3-dev branch.

Discussion
----------

Fix tests

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| BC breaks?    | no
| Deprecations? |  no
| Tests pass?   | yes
| Fixed tickets | #22569 (comment)
| License       | MIT
| Doc PR        | n/a

Commits
-------

b6948dd Fix tests
@chalasr chalasr mentioned this pull request Jan 2, 2018
Merged
fabpot added a commit that referenced this pull request Jan 16, 2018
@fabpot
bug #25657 [Security] Fix fatal error on non string username (chalasr)
6c16252 
This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Fix fatal error on non string username

| Q             | A
| ------------- | ---
| Branch?       | 2.7
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | #25612
| License       | MIT
| Doc PR        | n/a

That's consistent with what #22569 did for the `json_login` listener.

Commits
-------

8f09568 [Security] Fix fatal error on non string username
@chalasr chalasr mentioned this pull request Jun 1, 2022
Merged
8 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr chalasr approved these changes

Assignees

No one assigned

Labels

Bug Feature Security Status: Needs Review

Projects

None yet

Milestone

3.3

Development

Successfully merging this pull request may close these issues.

6 participants

@ogizanagi @dunglas @fabpot @nicolas-grekas @chalasr @carsonbot
0