Merge branch '6.0' into 6.1

* 6.0: [Notifier] Fix markdown [Security] Fix outdated docblock Update PR template Bump Symfony version to 6.0.17 Update VERSION for 6.0.16 Update CHANGELOG for 6.0.16 Bump Symfony version to 5.4.17 Update VERSION for 5.4.16 Update CHANGELOG for 5.4.16 Update VERSION for 4.4.49 Update CONTRIBUTORS for 4.4.49 Update CHANGELOG for 4.4.49 [Security][LoginLink] Throw InvalidLoginLinkException on missing parameter
symfony · Nov 30, 2022 · b52cbd0 · b52cbd0
2 parents 931b037 + feeeebb
commit b52cbd0
Show file tree

Hide file tree

Showing 3 changed files with 31 additions and 5 deletions.
diff --git a/Authentication/AuthenticationSuccessHandlerInterface.php b/Authentication/AuthenticationSuccessHandlerInterface.php
@@ -27,9 +27,7 @@
 interface AuthenticationSuccessHandlerInterface
 {
     /**
-     * This is called when an interactive authentication attempt succeeds. This
-     * is called by authentication listeners inheriting from
-     * AbstractAuthenticationListener.
+     * Usually called by AuthenticatorInterface::onAuthenticationSuccess() implementations.
      */
     public function onAuthenticationSuccess(Request $request, TokenInterface $token): Response;
 }
diff --git a/LoginLink/LoginLinkHandler.php b/LoginLink/LoginLinkHandler.php
@@ -89,8 +89,12 @@ public function consumeLoginLink(Request $request): UserInterface
             throw new InvalidLoginLinkException('User not found.', 0, $exception);
         }
 
-        $hash = $request->get('hash');
-        $expires = $request->get('expires');
+        if (!$hash = $request->get('hash')) {
+            throw new InvalidLoginLinkException('Missing "hash" parameter.');
+        }
+        if (!$expires = $request->get('expires')) {
+            throw new InvalidLoginLinkException('Missing "expires" parameter.');
+        }
 
         try {
             $this->signatureHasher->verifySignatureHash($user, $expires, $hash);

diff --git a/Tests/LoginLink/LoginLinkHandlerTest.php b/Tests/LoginLink/LoginLinkHandlerTest.php
@@ -182,6 +182,30 @@ public function testConsumeLoginLinkExceedsMaxUsage()
         $linker->consumeLoginLink($request);
     }
 
+    public function testConsumeLoginLinkWithMissingHash()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&expires=10000');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
+    public function testConsumeLoginLinkWithMissingExpiration()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', 'ryan@symfonycasts.com', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&hash=thehash');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
     private function createSignatureHash(string $username, int $expires, array $extraFields): string
     {
         $fields = [base64_encode($username), $expires];