
API token used as user identifier in custom authenticator example #15886


Closed
ihmels opened this issue Oct 5, 2021 · 2 comments · Fixed by #18928
Labels
hasPR A Pull Request has already been submitted for this issue. Security

Comments

@ihmels
Contributor

ihmels commented Oct 5, 2021

In the example for a custom authenticator, the API key is passed to the UserBadge as the user identifier. However, it cannot be assumed that the API key is the same as the user identifier. Doesn't the user identifier have to be determined from the API token and then passed to the UserBadge?

```php
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

public function authenticate(Request $request): Passport
{
    $apiToken = $request->headers->get('X-AUTH-TOKEN');
    if (null === $apiToken) {
        // The token header was empty, authentication fails with HTTP Status
        // Code 401 "Unauthorized"
        throw new CustomUserMessageAuthenticationException('No API token provided');
    }

    // The raw token is handed to UserBadge as if it were the user identifier
    return new SelfValidatingPassport(new UserBadge($apiToken));
}
```
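
The fix the issue asks for, written here as an added example rather than code taken from the Symfony docs or from the PR that closed the issue: the token is resolved to its owner first, and only the owner's identifier goes into `UserBadge`. It assumes a hypothetical `App\Repository\AccessTokenRepository` with a `findOneByTokenHash(string): ?AccessToken` method, and a hypothetical `AccessToken` entity exposing `isExpired()` and `getUser()`; none of these exist in Symfony. It goes a little beyond the issue by looking the token up by its SHA-256 hash and by returning one generic message for unknown and expired tokens.

```php
<?php
// Added example for this issue, not code from symfony/symfony-docs.
// Assumes (hypothetical, not part of Symfony):
//   App\Repository\AccessTokenRepository::findOneByTokenHash(string $hash): ?AccessToken
//   AccessToken::isExpired(): bool
//   AccessToken::getUser(): Symfony\Component\Security\Core\User\UserInterface

namespace App\Security;

use App\Repository\AccessTokenRepository; // hypothetical
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

class ApiTokenAuthenticator extends AbstractAuthenticator
{
    private AccessTokenRepository $tokens;

    public function __construct(AccessTokenRepository $tokens)
    {
        $this->tokens = $tokens;
    }

    public function supports(Request $request): ?bool
    {
        return $request->headers->has('X-AUTH-TOKEN');
    }

    public function authenticate(Request $request): Passport
    {
        $apiToken = $request->headers->get('X-AUTH-TOKEN');
        if (null === $apiToken || '' === $apiToken) {
            throw new CustomUserMessageAuthenticationException('No API token provided');
        }

        // The token is a credential, not an identity: several tokens may belong
        // to one user and a token can be rotated without the user changing.
        // Resolve it to its owner before building the badge. Storing and
        // comparing only a hash keeps the raw token out of the database.
        $accessToken = $this->tokens->findOneByTokenHash(hash('sha256', $apiToken));
        if (null === $accessToken || $accessToken->isExpired()) {
            // One message for "unknown" and "expired" so the response does not
            // reveal which tokens exist.
            throw new CustomUserMessageAuthenticationException('Invalid API token');
        }

        $user = $accessToken->getUser();

        // Pass the real user identifier. The loader closure returns the user we
        // already fetched, so the user provider is never queried with the token.
        return new SelfValidatingPassport(
            new UserBadge($user->getUserIdentifier(), static fn () => $user)
        );
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        // Let the request continue to the controller
        return null;
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        return new JsonResponse(
            ['message' => strtr($exception->getMessageKey(), $exception->getMessageData())],
            Response::HTTP_UNAUTHORIZED
        );
    }
}
```

With this shape, `$token->getUserIdentifier()` on the resulting security token is the user's identifier (email, username, whatever the `User` entity returns), not the secret, so it can safely appear in logs, audit trails and access-control voters.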

@javiereguiluz
Member

Closing in favor of #15908, a meta-issue that groups all pending security-related issues so we can easily check them.

javiereguiluz added a commit that referenced this issue Sep 27, 2023
…exandre-daubois)

This PR was merged into the 5.4 branch.

Discussion
----------

[Security] [Authenticator] Improve the first example

Fix #15886, part of #15908

Commits
-------

bd58134 [Authenticator] Improve the first example
@javiereguiluz
Member

Fixed in #18928.

@xabbuh xabbuh added the hasPR A Pull Request has already been submitted for this issue. label Oct 23, 2023