
Prevent user enumeration
chalasr committed May 12, 2021
1 parent dc472dd commit a175d6d
Showing 2 changed files with 3 additions and 9 deletions.
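--- a/Security/Guard/JWTTokenAuthenticator.php
+++ b/Security/Guard/JWTTokenAuthenticator.php
@@ -156,13 +156,7 @@ public function getUser($preAuthToken, UserProviderInterface $userProvider)
 throw new InvalidPayloadException($idClaim);
 }
 
-$identity = $payload[$idClaim];
-
-try {
-$user = $this->loadUser($userProvider, $payload, $identity);
-} catch (UsernameNotFoundException $e) {
-throw new UserNotFoundException($idClaim, $identity);
-}
+$user = $this->loadUser($userProvider, $payload, $payload[$idClaim]);
 
 $this->preAuthenticationTokenStorage->setToken($preAuthToken);
 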
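Review bot: The removed try/catch was the only place that turned the provider's UsernameNotFoundException into a message naming the claim and identity, so on the new `$user = $this->loadUser(...)` line the generic Symfony exception now propagates instead; a short comment above that call would keep the reason visible to maintainers, e.g. `// Let UsernameNotFoundException propagate unchanged: its generic message key must not reveal whether the identity exists.`. With the catch gone, the `UsernameNotFoundException` and `UserNotFoundException` imports in this file are likely unused now, which is worth checking since the hunk does not show the use block. The propagated exception still carries the identity via getUsername(), so the fix only holds as long as the failure handler renders getMessageKey() rather than the username; that handler is outside this hunk. getUser() begins and ends outside the hunk.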
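--- a/Tests/Security/Guard/JWTTokenAuthenticatorTest.php
+++ b/Tests/Security/Guard/JWTTokenAuthenticatorTest.php
@@ -183,8 +183,8 @@ public function testGetUserWithInvalidUserThrowsException()
 ))->getUser($decodedToken, $userProvider);
 
 $this->fail(sprintf('Expected exception of type "%s" to be thrown.', UserNotFoundException::class));
-} catch (UserNotFoundException $e) {
-$this->assertSame('Unable to load an user with property "username" = "lexik". If the user identity has changed, you must renew the token. Otherwise, verify that the "lexik_jwt_authentication.user_identity_field" config option is correctly set.', $e->getMessageKey());
+} catch (UsernameNotFoundException $e) {
+$this->assertSame('lexik', $e->getUsername());
 }
 }
 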
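Review bot: The `$this->fail()` message on the unchanged line just before the catch still names `UserNotFoundException::class`, while the new catch expects `UsernameNotFoundException`, so a missing exception would now be reported with the wrong class; change it to `$this->fail(sprintf('Expected exception of type "%s" to be thrown.', UsernameNotFoundException::class));`. The new assertion on `getUsername()` checks that the identity is carried on the exception but not the property this commit exists for, namely that the message key no longer embeds it; adding `$this->assertStringNotContainsString('lexik', $e->getMessageKey());` would pin the enumeration fix against regression. Once the fail() message is corrected, the `UserNotFoundException` import in this test file may be unused, which the hunk does not let me confirm. The test method starts outside the hunk.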
