Skip to content

Commit 03d9f94

Browse files
nicolas-grekasnicolas-grekas
committed
Merge branch '4.4' into 5.2
* 4.4: [Security\Core] Fix user enumeration via response body on invalid credentials Update VERSION for 3.4.48 Update CHANGELOG for 3.4.48
2 parents e29d645 + c8b37f1 commit 03d9f94

File tree

2 files changed

+21
-2
lines changed

2 files changed

+21
-2
lines changed

Authentication/Provider/UserAuthenticationProvider.php

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,6 +18,7 @@
1818
use Symfony\Component\Security\Core\Exception\AuthenticationException;
1919
use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
2020
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
21+
use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
2122
use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
2223
use Symfony\Component\Security\Core\User\UserCheckerInterface;
2324
use Symfony\Component\Security\Core\User\UserInterface;
@@ -80,8 +81,8 @@ public function authenticate(TokenInterface $token)
8081
$this->userChecker->checkPreAuth($user);
8182
$this->checkAuthentication($user, $token);
8283
$this->userChecker->checkPostAuth($user);
83-
} catch (AccountStatusException $e) {
84-
if ($this->hideUserNotFoundExceptions) {
84+
} catch (AccountStatusException | BadCredentialsException $e) {
85+
if ($this->hideUserNotFoundExceptions && !$e instanceof CustomUserMessageAccountStatusException) {
8586
throw new BadCredentialsException('Bad credentials.', 0, $e);
8687
}
8788

Tests/Authentication/Provider/UserAuthenticationProviderTest.php

Lines changed: 18 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -68,6 +68,24 @@ public function testAuthenticateWhenUsernameIsNotFoundAndHideIsTrue()
6868
$provider->authenticate($this->getSupportedToken());
6969
}
7070

71+
public function testAuthenticateWhenCredentialsAreInvalidAndHideIsTrue()
72+
{
73+
$provider = $this->getProvider();
74+
$provider->expects($this->once())
75+
->method('retrieveUser')
76+
->willReturn($this->createMock(UserInterface::class))
77+
;
78+
$provider->expects($this->once())
79+
->method('checkAuthentication')
80+
->willThrowException(new BadCredentialsException())
81+
;
82+
83+
$this->expectException(BadCredentialsException::class);
84+
$this->expectExceptionMessage('Bad credentials.');
85+
86+
$provider->authenticate($this->getSupportedToken());
87+
}
88+
7189
public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
7290
{
7391
$this->expectException(AuthenticationServiceException::class);

0 commit comments

Comments
 (0)