Skip to content

Commit

Permalink
Merge branch '3.4' into 4.4
Browse files Browse the repository at this point in the history
* 3.4:
  [Security\Core] Fix user enumeration via response body on invalid credentials
  Update VERSION for 3.4.48
  Update CHANGELOG for 3.4.48
  • Loading branch information
nicolas-grekas committed May 19, 2021
2 parents 7cf854b + 6eea784 commit c8b37f1
Show file tree
Hide file tree
Showing 2 changed files with 19 additions and 1 deletion.
2 changes: 1 addition & 1 deletion Authentication/Provider/UserAuthenticationProvider.php
Original file line number Diff line number Diff line change
Expand Up @@ -81,7 +81,7 @@ public function authenticate(TokenInterface $token)
$this->userChecker->checkPreAuth($user);
$this->checkAuthentication($user, $token);
$this->userChecker->checkPostAuth($user);
} catch (AccountStatusException $e) {
} catch (AccountStatusException | BadCredentialsException $e) {
if ($this->hideUserNotFoundExceptions) {
throw new BadCredentialsException('Bad credentials.', 0, $e);
}
Expand Down
18 changes: 18 additions & 0 deletions Tests/Authentication/Provider/UserAuthenticationProviderTest.php
Original file line number Diff line number Diff line change
Expand Up @@ -69,6 +69,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
$provider->authenticate($this->getSupportedToken());
}

public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
{
$provider = $this->getProvider();
$provider->expects($this->once())
->method('retrieveUser')
->willReturn($this->createMock(UserInterface::class))
;
$provider->expects($this->once())
->method('checkAuthentication')
->willThrowException(new BadCredentialsException())
;

$this->expectException(BadCredentialsException::class);
$this->expectExceptionMessage('Bad credentials.');

$provider->authenticate($this->getSupportedToken());
}

public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
{
$this->expectException(AuthenticationServiceException::class);
Expand Down

0 comments on commit c8b37f1

Please sign in to comment.