Document security pitfall when using multiple user providers and user specific authenticators #8611

xabbuh · 2017-11-10T07:04:05Z

When creating your own authenticator (probably by using Guard) and you have more than one user provider, one needs to take extra caution when it comes to different authentication based on the way users are loaded.

For example, if you combine https://symfony.com/doc/current/security/multiple_user_providers.html and http://symfony.com/doc/current/security/guard_authentication.html you will probably want to check that you only use the API token authenticator with appropriate users.

javiereguiluz · 2017-11-10T07:47:07Z

I don't know how to solve this. Are you suggesting to add a $userProvider instanceof ApiUserProvider::class check somewhere inside getUser()? Thanks.

xabbuh · 2017-11-10T07:52:41Z

Usually, each user provider would probably support a different implementation of the UserInterface. Then, one could just check if said implementation is supported the authenticator.

javiereguiluz · 2017-11-10T07:53:53Z

Thanks, but I still don't understand what to do. Maybe you can show me some code to add in some method of that example? Thanks!

xabbuh · 2017-11-10T08:16:29Z

Having a quick glance at the guard code I think we could add a caution block like this:

.. caution::

    If you are using multiple user providers, you will also need to check that the
    user being returned by the ``getUser()`` method of your provider is a allowed
    to authenticate using a token::

        // ...

        public function getUser($credentials, UserProviderInterface $userProvider)
        {
            $apiKey = $credentials['token'];

            if (null === $apiKey) {
                return;
            }

            $user = $userProvider->loadUserByUsername($apiKey);

            // you can, for example, test that the returned user is an object of a particular class
            // alternatively, you can also check for certain attributes of your user objects
            if (!$user instance ApiKeyUser) {
                return;
            }

            return $user;
        }

ping @chalasr @ogizanagi

ogizanagi · 2017-11-10T09:48:47Z

Talking a bit with @chalasr: Not sure we need an extra caution block here. If you use an api token authentication, you're not likely to use the same provider. Users are not identified the same way (but it can be the very same user class).
Using a chain provider here is probably wrong in most cases and we should warn the user to properly think what provider should be used for his auth instead. WDYT?

@xabbuh

This PR was squashed before being merged into the 2.7 branch (closes #9726). Discussion ---------- Improved the multiple user providers article This tries to solve both #8582 and #8611. Please @xabbuh, @chalasr and @ogizanagi tell me if I did what you expected according to your comments in the related issues. Thanks! Commits ------- e0f483b Improved the multiple user providers article

javiereguiluz · 2018-05-24T07:18:26Z

Fixed by #9726.

xabbuh added the Security label Nov 10, 2017

xabbuh mentioned this issue Nov 10, 2017

Improved the first example of the Guard authenticator #8519

Merged

javiereguiluz mentioned this issue May 3, 2018

Improved the multiple user providers article #9726

Closed

javiereguiluz added the hasPR A Pull Request has already been submitted for this issue. label May 3, 2018

javiereguiluz closed this as completed May 24, 2018

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Uh oh!

Document security pitfall when using multiple user providers and user specific authenticators #8611

Document security pitfall when using multiple user providers and user specific authenticators #8611

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Document security pitfall when using multiple user providers and user specific authenticators #8611

Document security pitfall when using multiple user providers and user specific authenticators #8611

Comments

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!