[Security] Custom Authenticator: What does "validate no parameter is empty" mean?

[ThomasLandauer]

@wouterj You were the last one who edited the code block at https://symfony.com/doc/current/security/custom_authenticator.html#passport-badges in this commit: 01cb2b0

What does "validate no parameter is empty" mean there?

1. Why should I do that? If there's no password given, it's treated as wrong password, so that looks OK for me.
2. How should I do that? If the password is indeed '', I still need to return a Passport. So (except from throwing an exception), there's nothing much I could do about it (especially can't generate a form error message), right?
3. Why is the comment shown in a code sample about CSRF?

   For instance, if you want to add CSRF to your custom authenticator, you would initialize the passport like this:

=> So I'd say either just delete it, or give a more complete idea of what to do:

if ('' === $password) {
    // ... ?
}

[wouterj]

Hi! I agree with (3), this seems an irrelevant to mention in this particular example. Let's remove the text and leave just // ....

As for your other 2 questions: I would say it's good to validate user input related to authentication explicitly if it confirms the rules of your application, rather than relying on "implementation details" of the Symfony framework.
This is also an approach we use in the build-in Symfony authenticators (we recently added it for form login: symfony/symfony#53851).

Throwing an authentication exception is the best solution, this will give the validation the same handling as other authentication error messages like "bad credentials" (i.e. call the onAuthenticationFailure() method of the current authenticator, which then has some way to return the error to the client).

[ThomasLandauer]

Sorry, I wasn't aware that an exception in this context isn't really thrown, but caught by the next method. So raising an exception is indeed the way to go!

So I think this code snippet should be expanded to something like:

if ('' === $username || '' === $password) {
    throw new WhateverException();
}

But where to put it?
This page is missing a full example of a form login. This is due to the fact that there cannot be a full example for every possible setup. But: When introducing the sub-headings (as I suggested in #19813 (comment) ), the new section under authenticate() would be the perfect place!

So in case you're already losing overview of what I have in mind ;-)
Should I create one big PR for everything on this page, or try to do it in smaller steps?

[carsonbot]

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

[carsonbot]

Hello? This issue is about to be closed if nobody replies.

[carsonbot]

Hey,

I didn't hear anything so I'm going to close it. Feel free to comment if this is still relevant, I can always reopen!