From 2ab91bb5162d45fa6b579e02c7148639e1c1776e Mon Sep 17 00:00:00 2001
From: llupa
Date: Wed, 12 Jun 2024 12:32:51 +0200
Subject: [PATCH] [Security] Change to `BadCredentialsException` when empty username / password

---
 .../Security/Http/Authenticator/FormLoginAuthenticator.php | 5 +++--
 .../Http/Tests/Authenticator/FormLoginAuthenticatorTest.php | 4 ++--
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
index 4cb990934a549..7109ff244a79f 100644
--- a/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
+++ b/src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
@@ -18,6 +18,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
@@ -130,7 +131,7 @@ private function getCredentials(Request $request): array
         $credentials['username'] = trim($credentials['username']);
 
         if ('' === $credentials['username']) {
-            throw new BadRequestHttpException(sprintf('The key "%s" must be a non-empty string.', $this->options['username_parameter']));
+            throw new BadCredentialsException(sprintf('The key "%s" must be a non-empty string.', $this->options['username_parameter']));
         }
 
         $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);
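Review bot: With the throw at @@ -130 now being a `BadCredentialsException`, an empty username no longer ends in a 400 response but is routed through the authenticator's failure handling like any other wrong-credential attempt, and the parameter-naming message `'The key "%s" must be a non-empty string.'` will then presumably only reach logs, since what a login form normally renders is the exception's message key (the generic invalid-credentials text for this class) — confirm that is the intended user-facing result and mention the changed exception type in the changelog, because anything catching `BadRequestHttpException` around `authenticate()` will no longer see it. The same applies to the password check at @@ -140. `getCredentials()` starts and ends outside both hunks, so it cannot be seen here whether `BadRequestHttpException` is still thrown elsewhere in the method (e.g. by the `csrf_token` check that follows); if it is not, its `use` import is now unused.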
@@ -140,7 +141,7 @@ private function getCredentials(Request $request): array
         }
 
         if ('' === (string) $credentials['password']) {
-            throw new BadRequestHttpException(sprintf('The key "%s" must be a non-empty string.', $this->options['password_parameter']));
+            throw new BadCredentialsException(sprintf('The key "%s" must be a non-empty string.', $this->options['password_parameter']));
         }
 
         if (!\is_string($credentials['csrf_token'] ?? '') && (!\is_object($credentials['csrf_token']) || !method_exists($credentials['csrf_token'], '__toString'))) {
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
index e58f5020e3a7a..9469eab7c2a94 100644
--- a/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
+++ b/src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -44,7 +44,7 @@ protected function setUp(): void
 
     public function testHandleWhenUsernameEmpty()
     {
-        $this->expectException(BadRequestHttpException::class);
+        $this->expectException(BadCredentialsException::class);
         $this->expectExceptionMessage('The key "_username" must be a non-empty string.');
 
         $request = Request::create('/login_check', 'POST', ['_username' => '', '_password' => 's$cr$t']);
@@ -56,7 +56,7 @@ public function testHandleWhenUsernameEmpty()
 
     public function testHandleWhenPasswordEmpty()
     {
-        $this->expectException(BadRequestHttpException::class);
+        $this->expectException(BadCredentialsException::class);
         $this->expectExceptionMessage('The key "_password" must be a non-empty string.');
 
         $request = Request::create('/login_check', 'POST', ['_username' => 'foo', '_password' => '']);
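Review bot: The test hunks at @@ -44 and @@ -56 switch to `BadCredentialsException::class` but this patch adds no `use Symfony\Component\Security\Core\Exception\BadCredentialsException;` to the test file; unless that import already exists above line 44 (outside the hunk), the name resolves to a class in the test's own namespace and both tests fail on a class mismatch rather than on the behaviour under test. Conversely, if no remaining test in the file still expects `BadRequestHttpException`, its import is now unused. Both `testHandleWhenUsernameEmpty` and `testHandleWhenPasswordEmpty` begin inside their hunks but continue past them.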