[10.x] Remove session on authenticatable deletion v2 #47141
Conversation
nunomaduro
changed the title
| $guard->setCookieJar($cookies = m::mock(CookieJar::class)); | ||
| $cookies->shouldReceive('unqueue')->once(); |
There was a problem hiding this comment.
I'm seeing a problem here in my application since this change: if I hit a route which requires auth but the request is not auth'd (just anonymous), my app throws now
RuntimeException: Cookie jar has not been set. in /…/vendor/laravel/framework/src/Illuminate/Auth/SessionGuard.php:859
But how can there be a cookie jar for an unauthenticated request?
I feel like the addition of these two lines should not be here because they alter the test condition. If I remove them, then this test too fails with:
Failed asserting that exception of type "RuntimeException" matches expected exception "Illuminate\Auth\AuthenticationException". Message was: "Cookie jar has not been set." at…
@Boorinio WDYT about the scenario?
This reverts commit 8fe2f65.
|
Reverted. |
(same as #47139 but fixed the tests)
Hello!
So, if somehow in your application you delete the authenticatable (lets say from the users table) without clearing the session and the user still has the cookie, because of
if (! is_null($id) && $this->user = $this->provider->retrieveById($id)) { $this->fireAuthenticatedEvent($this->user); }Every @can directive every Auth check (anything that uses the Auth::user) will cause for a db query spamming the database since the user is never set. On top of that if you do any auth checks in your application with Auth::id() it doesn't return null because of
return $this->user() ? $this->user()->getAuthIdentifier() : $this->session->get($this->getName());Which is kind of a security issue. Not sure if it is only in my codebase but I thought it would be safer to open this PR to make you aware of the issue!
Thanks for your time