[Security][LoginLink] Throw InvalidLoginLinkException on missing parameter

Author: MatTheCat

LoginLink/LoginLinkHandler.php

@@ -97,8 +97,12 @@ public function consumeLoginLink(Request $request): UserInterface
             throw new InvalidLoginLinkException('User not found.', 0, $exception);
         }
 
-        $hash = $request->get('hash');
-        $expires = $request->get('expires');
+        if (!$hash = $request->get('hash')) {
+            throw new InvalidLoginLinkException('Missing "hash" parameter.');
+        }
+        if (!$expires = $request->get('expires')) {
+            throw new InvalidLoginLinkException('Missing "expires" parameter.');
+        }
 
         try {
             $this->signatureHasher->verifySignatureHash($user, $expires, $hash);

Tests/LoginLink/LoginLinkHandlerTest.php

@@ -182,6 +182,30 @@ public function testConsumeLoginLinkExceedsMaxUsage()
         $linker->consumeLoginLink($request);
     }
 
+    public function testConsumeLoginLinkWithMissingHash()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&expires=10000');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
+    public function testConsumeLoginLinkWithMissingExpiration()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&hash=thehash');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
     private function createSignatureHash(string $username, int $expires, array $extraFields): string
     {
         $fields = [base64_encode($username), $expires];