Merge branch '5.4' into 6.0

nicolas-grekas · nicolas-grekas · commit 9fe0cbea4c7c · 2023-01-24T13:56:03.000+01:00
* 5.4:
  [Security/Http] Check tokens before loading users from providers
diff --git a/LoginLink/LoginLinkHandler.php b/LoginLink/LoginLinkHandler.php
@@ -83,12 +83,6 @@ public function consumeLoginLink(Request $request): UserInterface
     {
         $userIdentifier = $request->get('user');
 
-        try {
-            $user = $this->userProvider->loadUserByIdentifier($userIdentifier);
-        } catch (UserNotFoundException $exception) {
-            throw new InvalidLoginLinkException('User not found.', 0, $exception);
-        }
-
         if (!$hash = $request->get('hash')) {
             throw new InvalidLoginLinkException('Missing "hash" parameter.');
         }
@@ -97,7 +91,13 @@ public function consumeLoginLink(Request $request): UserInterface
         }
 
         try {
+            $this->signatureHasher->acceptSignatureHash($userIdentifier, $expires, $hash);
+
+            $user = $this->userProvider->loadUserByIdentifier($userIdentifier);
+
             $this->signatureHasher->verifySignatureHash($user, $expires, $hash);
+        } catch (UserNotFoundException $e) {
+            throw new InvalidLoginLinkException('User not found.', 0, $e);
         } catch (ExpiredSignatureException $e) {
             throw new ExpiredLoginLinkException(ucfirst(str_ireplace('signature', 'login link', $e->getMessage())), 0, $e);
         } catch (InvalidSignatureException $e) {
diff --git a/RememberMe/PersistentRememberMeHandler.php b/RememberMe/PersistentRememberMeHandler.php
@@ -53,18 +53,16 @@ public function __construct(TokenProviderInterface $tokenProvider, string $secre
      */
     public function createRememberMeCookie(UserInterface $user): void
     {
-        $series = base64_encode(random_bytes(64));
-        $tokenValue = $this->generateHash(base64_encode(random_bytes(64)));
+        $series = random_bytes(66);
+        $tokenValue = strtr(base64_encode(substr($series, 33)), '+/=', '-_~');
+        $series = strtr(base64_encode(substr($series, 0, 33)), '+/=', '-_~');
         $token = new PersistentToken(\get_class($user), $user->getUserIdentifier(), $series, $tokenValue, new \DateTime());
 
         $this->tokenProvider->createNewToken($token);
         $this->createCookie(RememberMeDetails::fromPersistentToken($token, time() + $this->options['lifetime']));
     }
 
-    /**
-     * {@inheritdoc}
-     */
-    public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void
+    public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): UserInterface
     {
         if (!str_contains($rememberMeDetails->getValue(), ':')) {
             throw new AuthenticationException('The cookie is incorrectly formatted.');
@@ -86,18 +84,28 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
             throw new AuthenticationException('The cookie has expired.');
         }
 
+        return parent::consumeRememberMeCookie($rememberMeDetails->withValue($persistentToken->getLastUsed()->getTimestamp().':'.$rememberMeDetails->getValue().':'.$persistentToken->getClass()));
+    }
+
+    public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void
+    {
+        [$lastUsed, $series, $tokenValue, $class] = explode(':', $rememberMeDetails->getValue(), 4);
+        $persistentToken = new PersistentToken($class, $rememberMeDetails->getUserIdentifier(), $series, $tokenValue, new \DateTime('@'.$lastUsed));
+
         // if a token was regenerated less than a minute ago, there is no need to regenerate it
         // if multiple concurrent requests reauthenticate a user we do not want to update the token several times
-        if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
-            $tokenValue = $this->generateHash(base64_encode(random_bytes(64)));
-            $tokenLastUsed = new \DateTime();
-            if ($this->tokenVerifier) {
-                $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
-            }
-            $this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
-
-            $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
+        if ($persistentToken->getLastUsed()->getTimestamp() + 60 >= time()) {
+            return;
+        }
+
+        $tokenValue = strtr(base64_encode(random_bytes(33)), '+/=', '-_~');
+        $tokenLastUsed = new \DateTime();
+        if ($this->tokenVerifier) {
+            $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
         }
+        $this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
+
+        $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
     }
 
     /**
@@ -113,7 +121,7 @@ public function clearRememberMeCookie(): void
         }
 
         $rememberMeDetails = RememberMeDetails::fromRawCookie($cookie);
-        [$series, ] = explode(':', $rememberMeDetails->getValue());
+        [$series] = explode(':', $rememberMeDetails->getValue());
         $this->tokenProvider->deleteTokenBySeries($series);
     }
 
@@ -124,9 +132,4 @@ public function getTokenProvider(): TokenProviderInterface
     {
         return $this->tokenProvider;
     }
-
-    private function generateHash(string $tokenValue): string
-    {
-        return hash_hmac('sha256', $tokenValue, $this->secret);
-    }
 }
diff --git a/RememberMe/RememberMeDetails.php b/RememberMe/RememberMeDetails.php
@@ -36,13 +36,14 @@ public function __construct(string $userFqcn, string $userIdentifier, int $expir
 
     public static function fromRawCookie(string $rawCookie): self
     {
-        $cookieParts = explode(self::COOKIE_DELIMITER, base64_decode($rawCookie), 4);
+        $cookieParts = explode(self::COOKIE_DELIMITER, $rawCookie, 4);
         if (4 !== \count($cookieParts)) {
             throw new AuthenticationException('The cookie contains invalid data.');
         }
-        if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {
+        if (false === $cookieParts[1] = base64_decode(strtr($cookieParts[1], '-_~', '+/='), true)) {
             throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
         }
+        $cookieParts[0] = strtr($cookieParts[0], '.', '\\');
 
         return new static(...$cookieParts);
     }
@@ -83,6 +84,6 @@ public function getValue(): string
     public function toString(): string
     {
         // $userIdentifier is encoded because it might contain COOKIE_DELIMITER, we assume other values don't
-        return base64_encode(implode(self::COOKIE_DELIMITER, [$this->userFqcn, base64_encode($this->userIdentifier), $this->expires, $this->value]));
+        return implode(self::COOKIE_DELIMITER, [strtr($this->userFqcn, '\\', '.'), strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
     }
 }
diff --git a/RememberMe/SignatureRememberMeHandler.php b/RememberMe/SignatureRememberMeHandler.php
@@ -53,9 +53,19 @@ public function createRememberMeCookie(UserInterface $user): void
         $this->createCookie($details);
     }
 
-    /**
-     * {@inheritdoc}
-     */
+    public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): UserInterface
+    {
+        try {
+            $this->signatureHasher->acceptSignatureHash($rememberMeDetails->getUserIdentifier(), $rememberMeDetails->getExpires(), $rememberMeDetails->getValue());
+        } catch (InvalidSignatureException $e) {
+            throw new AuthenticationException('The cookie\'s hash is invalid.', 0, $e);
+        } catch (ExpiredSignatureException $e) {
+            throw new AuthenticationException('The cookie has expired.', 0, $e);
+        }
+
+        return parent::consumeRememberMeCookie($rememberMeDetails);
+    }
+
     public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void
     {
         try {
diff --git a/Tests/LoginLink/LoginLinkHandlerTest.php b/Tests/LoginLink/LoginLinkHandlerTest.php
@@ -53,6 +53,7 @@ protected function setUp(): void
 
     /**
      * @group time-sensitive
+     *
      * @dataProvider provideCreateLoginLinkData
      */
     public function testCreateLoginLink($user, array $extraProperties, Request $request = null)
@@ -68,7 +69,7 @@ public function testCreateLoginLink($user, array $extraProperties, Request $requ
                          // allow a small expiration offset to avoid time-sensitivity
                         && abs(time() + 600 - $parameters['expires']) <= 1
                         // make sure hash is what we expect
-                        && $parameters['hash'] === $this->createSignatureHash('weaverryan', $parameters['expires'], array_values($extraProperties));
+                        && $parameters['hash'] === $this->createSignatureHash('weaverryan', $parameters['expires'], $extraProperties);
                 }),
                 UrlGeneratorInterface::ABSOLUTE_URL
             )
@@ -115,7 +116,7 @@ public function provideCreateLoginLinkData()
     public function testConsumeLoginLink()
     {
         $expires = time() + 500;
-        $signature = $this->createSignatureHash('weaverryan', $expires, ['ryan@symfonycasts.com', 'pwhash']);
+        $signature = $this->createSignatureHash('weaverryan', $expires);
         $request = Request::create(sprintf('/login/verify?user=weaverryan&hash=%s&expires=%d', $signature, $expires));
 
         $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
@@ -131,44 +132,37 @@ public function testConsumeLoginLink()
 
     public function testConsumeLoginLinkWithExpired()
     {
-        $this->expectException(ExpiredLoginLinkException::class);
         $expires = time() - 500;
-        $signature = $this->createSignatureHash('weaverryan', $expires, ['ryan@symfonycasts.com', 'pwhash']);
+        $signature = $this->createSignatureHash('weaverryan', $expires);
         $request = Request::create(sprintf('/login/verify?user=weaverryan&hash=%s&expires=%d', $signature, $expires));
 
-        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
-        $this->userProvider->createUser($user);
-
         $linker = $this->createLinker(['max_uses' => 3]);
+        $this->expectException(ExpiredLoginLinkException::class);
         $linker->consumeLoginLink($request);
     }
 
     public function testConsumeLoginLinkWithUserNotFound()
     {
-        $this->expectException(InvalidLoginLinkException::class);
-        $request = Request::create('/login/verify?user=weaverryan&hash=thehash&expires=10000');
+        $request = Request::create('/login/verify?user=weaverryan&hash=thehash&expires='.(time() + 500));
 
         $linker = $this->createLinker();
+        $this->expectException(InvalidLoginLinkException::class);
         $linker->consumeLoginLink($request);
     }
 
     public function testConsumeLoginLinkWithDifferentSignature()
     {
-        $this->expectException(InvalidLoginLinkException::class);
         $request = Request::create(sprintf('/login/verify?user=weaverryan&hash=fake_hash&expires=%d', time() + 500));
 
-        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
-        $this->userProvider->createUser($user);
-
         $linker = $this->createLinker();
+        $this->expectException(InvalidLoginLinkException::class);
         $linker->consumeLoginLink($request);
     }
 
     public function testConsumeLoginLinkExceedsMaxUsage()
     {
-        $this->expectException(ExpiredLoginLinkException::class);
         $expires = time() + 500;
-        $signature = $this->createSignatureHash('weaverryan', $expires, ['ryan@symfonycasts.com', 'pwhash']);
+        $signature = $this->createSignatureHash('weaverryan', $expires);
         $request = Request::create(sprintf('/login/verify?user=weaverryan&hash=%s&expires=%d', $signature, $expires));
 
         $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
@@ -179,6 +173,7 @@ public function testConsumeLoginLinkExceedsMaxUsage()
         $this->expiredLinkCache->save($item);
 
         $linker = $this->createLinker(['max_uses' => 3]);
+        $this->expectException(ExpiredLoginLinkException::class);
         $linker->consumeLoginLink($request);
     }
 
@@ -206,15 +201,12 @@ public function testConsumeLoginLinkWithMissingExpiration()
         $linker->consumeLoginLink($request);
     }
 
-    private function createSignatureHash(string $username, int $expires, array $extraFields): string
+    private function createSignatureHash(string $username, int $expires, array $extraFields = ['emailProperty' => 'ryan@symfonycasts.com', 'passwordProperty' => 'pwhash']): string
     {
-        $fields = [base64_encode($username), $expires];
-        foreach ($extraFields as $extraField) {
-            $fields[] = base64_encode($extraField);
-        }
+        $hasher = new SignatureHasher($this->propertyAccessor, array_keys($extraFields), 's3cret');
+        $user = new TestLoginLinkHandlerUser($username, $extraFields['emailProperty'] ?? '', $extraFields['passwordProperty'] ?? '', $extraFields['lastAuthenticatedAt'] ?? null);
 
-        // matches hash logic in the class
-        return base64_encode(hash_hmac('sha256', implode(':', $fields), 's3cret'));
+        return $hasher->computeSignatureHash($user, $expires);
     }
 
     private function createLinker(array $options = [], array $extraProperties = ['emailProperty', 'passwordProperty']): LoginLinkHandler
@@ -298,7 +290,7 @@ public function loadUserByIdentifier(string $userIdentifier): TestLoginLinkHandl
 
     public function refreshUser(UserInterface $user): TestLoginLinkHandlerUser
     {
-        return $this->users[$username];
+        return $this->users[$user->getUserIdentifier()];
     }
 
     public function supportsClass(string $class): bool
diff --git a/Tests/RememberMe/PersistentRememberMeHandlerTest.php b/Tests/RememberMe/PersistentRememberMeHandlerTest.php
@@ -93,8 +93,8 @@ public function testConsumeRememberMeCookieValid()
 
         /** @var Cookie $cookie */
         $cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
-        $rememberParts = explode(':', base64_decode($rememberMeDetails->toString()), 4);
-        $cookieParts = explode(':', base64_decode($cookie->getValue()), 4);
+        $rememberParts = explode(':', $rememberMeDetails->toString(), 4);
+        $cookieParts = explode(':', $cookie->getValue(), 4);
 
         $this->assertSame($rememberParts[0], $cookieParts[0]); // class
         $this->assertSame($rememberParts[1], $cookieParts[1]); // identifier
diff --git a/Tests/RememberMe/SignatureRememberMeHandlerTest.php b/Tests/RememberMe/SignatureRememberMeHandlerTest.php
@@ -12,13 +12,11 @@
 namespace Symfony\Component\Security\Http\Tests\RememberMe;
 
 use PHPUnit\Framework\TestCase;
-use Symfony\Bridge\PhpUnit\ClockMock;
 use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\PropertyAccess\PropertyAccess;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Signature\Exception\ExpiredSignatureException;
-use Symfony\Component\Security\Core\Signature\Exception\InvalidSignatureException;
 use Symfony\Component\Security\Core\Signature\SignatureHasher;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\InMemoryUserProvider;
@@ -36,10 +34,8 @@ class SignatureRememberMeHandlerTest extends TestCase
 
     protected function setUp(): void
     {
-        $this->signatureHasher = $this->createMock(SignatureHasher::class);
+        $this->signatureHasher = new SignatureHasher(PropertyAccess::createPropertyAccessor(), [], 's3cret');
         $this->userProvider = new InMemoryUserProvider();
-        $user = new InMemoryUser('wouter', null);
-        $this->userProvider->createUser($user);
         $this->requestStack = new RequestStack();
         $this->request = Request::create('/login');
         $this->requestStack->push($this->request);
@@ -51,18 +47,17 @@ protected function setUp(): void
      */
     public function testCreateRememberMeCookie()
     {
-        ClockMock::register(SignatureRememberMeHandler::class);
-
         $user = new InMemoryUser('wouter', null);
-        $this->signatureHasher->expects($this->once())->method('computeSignatureHash')->with($user, $expire = time() + 31536000)->willReturn('abc');
+        $signature = $this->signatureHasher->computeSignatureHash($user, $expire = time() + 31536000);
+        $this->userProvider->createUser(new InMemoryUser('wouter', null));
 
         $this->handler->createRememberMeCookie($user);
 
         $this->assertTrue($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
 
         /** @var Cookie $cookie */
         $cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
-        $this->assertEquals(base64_encode(InMemoryUser::class.':d291dGVy:'.$expire.':abc'), $cookie->getValue());
+        $this->assertEquals(strtr(InMemoryUser::class, '\\', '.').':d291dGVy:'.$expire.':'.$signature, $cookie->getValue());
     }
 
     public function testClearRememberMeCookie()
@@ -76,50 +71,36 @@ public function testClearRememberMeCookie()
         $this->assertNull($cookie->getValue());
     }
 
-    /**
-     * @group time-sensitive
-     */
     public function testConsumeRememberMeCookieValid()
     {
-        $this->signatureHasher->expects($this->once())->method('verifySignatureHash')->with($user = new InMemoryUser('wouter', null), 360, 'signature');
-        $this->signatureHasher->expects($this->any())
-            ->method('computeSignatureHash')
-            ->with($user, $expire = time() + 31536000)
-            ->willReturn('newsignature');
+        $user = new InMemoryUser('wouter', null);
+        $signature = $this->signatureHasher->computeSignatureHash($user, $expire = time() + 3600);
+        $this->userProvider->createUser(new InMemoryUser('wouter', null));
 
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'signature');
+        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', $expire, $signature);
         $this->handler->consumeRememberMeCookie($rememberMeDetails);
 
         $this->assertTrue($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
 
         /** @var Cookie $cookie */
         $cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
-        $this->assertEquals((new RememberMeDetails(InMemoryUser::class, 'wouter', $expire, 'newsignature'))->toString(), $cookie->getValue());
+        $this->assertNotEquals((new RememberMeDetails(InMemoryUser::class, 'wouter', $expire, $signature))->toString(), $cookie->getValue());
     }
 
     public function testConsumeRememberMeCookieInvalidHash()
     {
         $this->expectException(AuthenticationException::class);
         $this->expectExceptionMessage('The cookie\'s hash is invalid.');
-
-        $this->signatureHasher->expects($this->any())
-            ->method('verifySignatureHash')
-            ->with(new InMemoryUser('wouter', null), 360, 'badsignature')
-            ->will($this->throwException(new InvalidSignatureException()));
-
-        $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'badsignature'));
+        $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', time() + 600, 'badsignature'));
     }
 
     public function testConsumeRememberMeCookieExpired()
     {
+        $user = new InMemoryUser('wouter', null);
+        $signature = $this->signatureHasher->computeSignatureHash($user, 360);
+
         $this->expectException(AuthenticationException::class);
         $this->expectExceptionMessage('The cookie has expired.');
-
-        $this->signatureHasher->expects($this->any())
-            ->method('verifySignatureHash')
-            ->with(new InMemoryUser('wouter', null), 360, 'signature')
-            ->will($this->throwException(new ExpiredSignatureException()));
-
-        $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'signature'));
+        $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', 360, $signature));
     }
 }
diff --git a/composer.json b/composer.json
@@ -17,7 +17,7 @@
     ],
     "require": {
         "php": ">=8.0.2",
-        "symfony/security-core": "^5.4|^6.0",
+        "symfony/security-core": "^5.4.19|~6.0.19|~6.1.11|^6.2.5",
         "symfony/http-foundation": "^5.4|^6.0",
         "symfony/http-kernel": "^5.4|^6.0",
         "symfony/polyfill-mbstring": "~1.0",

Original file line number	Diff line number	Diff line change
`@@ -36,13 +36,14 @@ public function __construct(string $userFqcn, string $userIdentifier, int $expir`
`36`	`36`
`37`	`37`	`public static function fromRawCookie(string $rawCookie): self`
`38`	`38`	`{`
`39`		`- $cookieParts = explode(self::COOKIE_DELIMITER, base64_decode($rawCookie), 4);`
	`39`	`+ $cookieParts = explode(self::COOKIE_DELIMITER, $rawCookie, 4);`
`40`	`40`	`if (4 !== \count($cookieParts)) {`
`41`	`41`	`throw new AuthenticationException('The cookie contains invalid data.');`
`42`	`42`	`}`
`43`		`- if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {`
	`43`	`+ if (false === $cookieParts[1] = base64_decode(strtr($cookieParts[1], '-_~', '+/='), true)) {`
`44`	`44`	`throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');`
`45`	`45`	`}`
	`46`	`+ $cookieParts[0] = strtr($cookieParts[0], '.', '\\');`
`46`	`47`
`47`	`48`	`return new static(...$cookieParts);`
`48`	`49`	`}`
`@@ -83,6 +84,6 @@ public function getValue(): string`
`83`	`84`	`public function toString(): string`
`84`	`85`	`{`
`85`	`86`	`// $userIdentifier is encoded because it might contain COOKIE_DELIMITER, we assume other values don't`
`86`		`- return base64_encode(implode(self::COOKIE_DELIMITER, [$this->userFqcn, base64_encode($this->userIdentifier), $this->expires, $this->value]));`
	`87`	`+ return implode(self::COOKIE_DELIMITER, [strtr($this->userFqcn, '\\', '.'), strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);`
`87`	`88`	`}`
`88`	`89`	`}`