Wrong example in authenticateToken for SimplePreAuthenticationListener #4148
Comments
|
@peterrehm what do you think here? |
|
@s7anley: It actually works in my case which I used when creating the docs. What do you mean with the Listener is skipped if you have an AnonymousToken? |
|
@s7anley I reconsidered and for now I cannot see any problem. If the token does not contain a valid user it is going through the normal authentication process. Is your authentication working on the first request when you provide credentials? |
|
@s7anley Can you provide further information? Or can we close this issue? |
|
Sorry for my late response. I guess my question is not really well asked and mixed couple issues together. I wrote it during my first deeper investigation of Security component. So my question is regrading part where instance of User is pulled from Token e.g. |
|
@s7anley This case occurs on the second request. If you get authenticated on the first request based on the provided credentials the user data will get stored in the token. On the next request the user is unserialized and you can get those data back from the token. (The user needs usually to be refreshed in this step). It should work properly without any issues. This way was needed since actually the previous example was wrong. The previous example tried to re-authenticate based on credentials, but the credentials are not stored in the token/session due to security concerns. |
|
@peterrehm And this 2nd request you mentioned is problem what I have described in first post. Once you are authenticated and token is restored from session in |
|
And I cannot confirm this one. Just repoduced this with the following steps: Firewall Configuration And the Authenticator similar to what is described in the Article. In the first request I provide the api key. And I will get authenticated and the user will be stored to the session. On the next request however the createToken() will not be called any more, Everything is working as expected and working fine. The Listener is not being skipped. Relates to #4076 |
|
@weaverryan If I am not proven to be wrong this can be closed. |
|
@peterrehm authenticateToken is not called in 2nd request for me. Not sure how is possible, when And also it's not necessary to inject |
|
Can you upload a branch of the SE so that I can reproduce the bug? In my App based on 2.5.3 it is working as expected. |
|
@s7anley Any news? |
|
Is this still an issue or is this also fixed with symfony/symfony#11414 being merged? |
|
hey @peterrehm in your attempt to reproduce this issue does it still work if you remove I'm actually getting an exception on 2nd request too and can somewhat relate to what @s7anley was saying. I'm on SE 2.6.3. Here's my security.yml: The exception: In my code, the only thing that differs from the example is, in Basically I want the user to be either authenticated by an API key in the url or a token in the session if it is found, and that for all requests. Am I missing something? |
|
You can omit the anonymous setting, I needed it since you can login either by a form or by the api key. The application supports both. But if I recall correctly you should not return null, just return an empty apiKey in the PreAuthenticated Token or public function createToken(Request $request, $providerKey)
{
// look for an apikey query parameter
$apiKey = $request->query->get('apikey');
// or if you want to use an "apikey" header, then do something like this:
// $apiKey = $request->headers->get('apikey');
if (!$apiKey) {
throw new BadCredentialsException('No Auth token found');
}
return new PreAuthenticatedToken(
'anon.',
$apiKey,
$providerKey
);
}I assume based on the provided error message you somehow have no apiKey and therefore no token is returned. |
|
Thanks for your quick response. Indeed, I only pass the API key as a parameter in first request. If, as you suggest, I return an empty apiKey in the PreAuthenticated token as follows: if (!$apiKey) {
return new PreAuthenticatedToken(
'anon.',
null,
$providerKey
);
}I get the As @s7anley was saying, Does that clarify the situation a bit? |
|
Actually not really. IIRC createToken must not be called it there is the user/token in the session. |
|
I think I went to the bottom of it. In my case the Replacing the default provider with: security:
providers:
simple_preauth_provider:
id: api_user_providerwith So I think we should simply update the docs with the snippet above... Am I missing something? |
|
I just had a look at it and must admit you are right. Registering the user provider has been abstracted in the article with just a short reference to the corresponding doc section about registering a custom user provider. If you have no registered user provider it breaks obviously. |
|
Just added a PR. |
This PR was submitted for the master branch but it was merged into the 2.5 branch instead (closes #4895). Discussion ---------- Added configuration of the user provider | Q | A | ------------- | --- | Doc fix? | yes | New docs? | no | Applies to | all | Fixed tickets | #4148 This should make it clearer that a user provider must be registered. Commits ------- 075b652 Removed unneeded spaces 56dd365 Updated as per discussion c4cbd84 Updated according to comment and changed to AppBundle a6fb18c Added configuration of the your_api_key_user_provider as user provider
|
Thanks for updating this @peterrehm |
|
Thanks for investigating it :) |
In 2nd code example in storing authentication in the session section, it's not possible to get current User with
$user = $token->getUser();. SimplePreAuthenticationListener is skipped when current user is not authenticate withAnonymousToken, which in this case is true.Or maybe I'm missing something?
Thanks.
The text was updated successfully, but these errors were encountered: