symfony · chalasr · Aug 25, 2023 · Aug 9, 2023
@@ -91,7 +91,9 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
 
         $this->logger?->debug('Authentication failure, redirect triggered.', ['failure_path' => $options['failure_path']]);
 
-        $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
+        if (!$request->attributes->getBoolean('_stateless')) {
+            $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
+        }
 
         return $this->httpUtils->createRedirectResponse($request, $options['failure_path']);
     }

@@ -103,7 +103,7 @@ protected function determineTargetUrl(Request $request): string
         }
 
         $firewallName = $this->getFirewallName();
-        if (null !== $firewallName && $targetUrl = $this->getTargetPath($request->getSession(), $firewallName)) {
+        if (null !== $firewallName && !$request->attributes->getBoolean('_stateless') && $targetUrl = $this->getTargetPath($request->getSession(), $firewallName)) {
             $this->removeTargetPath($request->getSession(), $firewallName);
 
             return $targetUrl;

@@ -46,6 +46,7 @@ protected function setUp(): void
 
         $this->session = $this->createMock(SessionInterface::class);
         $this->request = $this->createMock(Request::class);
+        $this->request->attributes = new ParameterBag(['_stateless' => false]);
         $this->request->expects($this->any())->method('getSession')->willReturn($this->session);
         $this->exception = $this->getMockBuilder(AuthenticationException::class)->onlyMethods(['getMessage'])->getMock();
     }
@@ -89,6 +90,17 @@ public function testExceptionIsPersistedInSession()
         $handler->onAuthenticationFailure($this->request, $this->exception);
     }
 
+    public function testExceptionIsNotPersistedInSessionOnStatelessRequest()
+    {
+        $this->request->attributes = new ParameterBag(['_stateless' => true]);
+
+        $this->session->expects($this->never())
+            ->method('set')->with(SecurityRequestAttributes::AUTHENTICATION_ERROR, $this->exception);
+
+        $handler = new DefaultAuthenticationFailureHandler($this->httpKernel, $this->httpUtils, [], $this->logger);
+        $handler->onAuthenticationFailure($this->request, $this->exception);
+    }
+
     public function testExceptionIsPassedInRequestOnForward()
     {
         $options = ['failure_forward' => true];

@@ -56,6 +56,25 @@ public function testRequestRedirectionsWithTargetPathInSessions()
         $this->assertSame('http://localhost/admin/dashboard', $handler->onAuthenticationSuccess($requestWithSession, $token)->getTargetUrl());
     }
 
+    public function testStatelessRequestRedirections()
+    {
+        $session = $this->createMock(SessionInterface::class);
+        $session->expects($this->never())->method('get')->with('_security.admin.target_path');
+        $session->expects($this->never())->method('remove')->with('_security.admin.target_path');
+        $statelessRequest = Request::create('/');
+        $statelessRequest->setSession($session);
+        $statelessRequest->attributes->set('_stateless', true);
+
+        $urlGenerator = $this->createMock(UrlGeneratorInterface::class);
+        $urlGenerator->expects($this->any())->method('generate')->willReturn('http://localhost/login');
+        $httpUtils = new HttpUtils($urlGenerator);
+        $token = $this->createMock(TokenInterface::class);
+        $handler = new DefaultAuthenticationSuccessHandler($httpUtils);
+        $handler->setFirewallName('admin');
+
+        $this->assertSame('http://localhost/', $handler->onAuthenticationSuccess($statelessRequest, $token)->getTargetUrl());
+    }
+
     public static function getRequestRedirections()
     {
         return [