Skip to content

Commit

Permalink
Merge branch '4.4' into 5.2
Browse files Browse the repository at this point in the history
* 4.4:
  [Security\Core] Fix user enumeration via response body on invalid credentials
  Update VERSION for 3.4.48
  Update CHANGELOG for 3.4.48
  • Loading branch information
nicolas-grekas committed May 19, 2021
2 parents e29d645 + c8b37f1 commit 03d9f94
Show file tree
Hide file tree
Showing 2 changed files with 21 additions and 2 deletions.
5 changes: 3 additions & 2 deletions Authentication/Provider/UserAuthenticationProvider.php
Original file line number Diff line number Diff line change
Expand Up @@ -18,6 +18,7 @@
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;
Expand Down Expand Up @@ -80,8 +81,8 @@ public function authenticate(TokenInterface $token)
$this->userChecker->checkPreAuth($user);
$this->checkAuthentication($user, $token);
$this->userChecker->checkPostAuth($user);
} catch (AccountStatusException $e) {
if ($this->hideUserNotFoundExceptions) {
} catch (AccountStatusException | BadCredentialsException $e) {
if ($this->hideUserNotFoundExceptions && !$e instanceof CustomUserMessageAccountStatusException) {
throw new BadCredentialsException('Bad credentials.', 0, $e);
}

Expand Down
18 changes: 18 additions & 0 deletions Tests/Authentication/Provider/UserAuthenticationProviderTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
$provider->authenticate($this->getSupportedToken());
}

public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
{
$provider = $this->getProvider();
$provider->expects($this->once())
->method('retrieveUser')
->willReturn($this->createMock(UserInterface::class))
;
$provider->expects($this->once())
->method('checkAuthentication')
->willThrowException(new BadCredentialsException())
;

$this->expectException(BadCredentialsException::class);
$this->expectExceptionMessage('Bad credentials.');

$provider->authenticate($this->getSupportedToken());
}

public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
{
$this->expectException(AuthenticationServiceException::class);
Expand Down

0 comments on commit 03d9f94

Please sign in to comment.