8000 [Security] json login listener: ensure a json response is sent on bad request by ogizanagi · Pull Request #22585 · symfony/symfony · GitHub
[go: up one dir, main page]
Skip to content

[Security] json login listener: ensure a json response is sent on bad request #22585

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Apr 30, 2017
Merged

[Security] json login listener: ensure a json response is sent on bad request #22585

merged 1 commit into from
Apr 30, 2017

Conversation

ogizanagi
Copy link
Contributor
@ogizanagi ogizanagi commented Apr 29, 2017
edited
Loading
Q A
Branch? master (3.3)
Bug fix? yesish
New feature? no
BC breaks? no
Deprecations? no
Tests pass? yes
Fixed tickets N/A
License MIT
Doc PR N/A

I would have simply recommended to set the proper format when declaring the route:

# routing.yml
api_login:
    path: /login
    defaults: { _format: json }

but, since #22477 has been merged, and considering #22477 (comment):

my point above regarding checking the content type is so that one could use form_login and json_login in parallel on the same routes and within the same firewall

we may consider setting the request format to json when throwing the BadRequestHttpException, so used conjointly with the TwigBundle, the exception is rendered using the exception.json.twig template.

ping @lsmith77

(An alternative would be to check the Accept header to set the request format to json if it's the preferred one instead of doing it each time we throw the exception. But Symfony never used such content negotiation AFAIK, and I think it's safe enough to assume someone sending json is expecting json as ouput for exceptions.)

@nicolas-grekas nicolas-grekas added this to the 3.3 milestone Apr 29, 2017
stof
stof requested changes Apr 30, 2017
View reviewed changes
src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php Outdated
@@ -180,4 +180,11 @@ private function onFailure(Request $request, AuthenticationException $failed)

return $response;
}

private function throwBadRequestHttpException(Request $request, $message, \Exception $previous = null)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would not throw inside the method, as it means you have to inspect this method to know that the flow stops in the main method. Instead, create a method returning the exception, and keep throwing it in the main method

Copy link
Contributor Author
@ogizanagi ogizanagi Apr 30, 2017
edited
Loading

Choose a reason for hiding this comment

8000

The reason will be displayed to describe this comment to others. Learn more.

Indeed, makes sense. Thank you.

EDIT: Eventually it looks even better to simply catch, set format and re-throw from the main method.

nicolas-grekas
nicolas-grekas approved these changes Apr 30, 2017
View reviewed changes
Copy link
Member
@nicolas-grekas nicolas-grekas left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@stof
Copy link
Member
stof commented Apr 30, 2017

Thank you @ogizanagi.

@stof stof merged commit 4427cf9 into symfony:master Apr 30, 2017
stof added a commit that referenced this pull request Apr 30, 2017
@stof
bug #22585 [Security] json login listener: ensure a json response is …
82a6a35 
…sent on bad request (ogizanagi)

This PR was merged into the 3.3-dev branch.

Discussion
----------

[Security] json login listener: ensure a json response is sent on bad request

| Q             | A
| ------------- | ---
| Branch?       | master (3.3)
| Bug fix?      | yesish
| New feature?  | no
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | N/A
| License       | MIT
| Doc PR        | N/A

I would have simply recommended to set the proper format when declaring the route:

```yml
# routing.yml
api_login:
    path: /login
    defaults: { _format: json }
```

but, since #22477 has been merged, and considering #22477 (comment):

> my point above regarding checking the content type is so that one could use form_login and json_login in parallel on the same routes and within the same firewall

we may consider setting the request format to json when throwing the `BadRequestHttpException`, so used conjointly with the TwigBundle, the exception is rendered using the `exception.json.twig` template.

ping @lsmith77

(An alternative would be to check the Accept header to set the request format to json if it's the preferred one instead of doing it each time we throw the exception. But Symfony never used such content negotiation AFAIK, and I think it's safe enough to assume someone sending json is expecting json as ouput for exceptions.)

Commits
-------

4427cf9 [Security] json login listener: ensure a json response is sent on bad request
@ogizanagi ogizanagi deleted the fix/security/json_login_bad_request_json branch April 30, 2017 12:45
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@stof stof stof approved these changes

Assignees
No one assigned
Labels
Bug Security Status: Needs Review
Projects
None yet
Milestone
3.3
Development

Successfully merging this pull request may close these issues.
4 participants
@ogizanagi @stof @nicolas-grekas @carsonbot
0