This repository has been archived by the owner on Dec 2, 2021. It is now read-only.

Session id changes after 2FA succeeds, and UsernamePasswordToken cannot be loaded from Redis. #308

Closed
oismailov opened this issue Sep 19, 2021 · 2 comments


oismailov commented Sep 19, 2021

Bundle version: 5.11.0
Symfony version: 5.3.4
PHP version: 7.4.5

This is an API project.

Description
Sequence of API calls:

  • Login with username and password
  • Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorToken is saved in Redis
  • Show QR code (use Symfony\Component\Security\Core\Security to get the User)
  • Validate the Google code (by calling the check_path route)
  • Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken is saved in Redis
  • Call any API that expects an authenticated user to be stored in Symfony\Component\Security\Core\Security
  • The method Security->getUser() returns null
  • The token cannot be read from the session

In \Symfony\Component\Security\Http\Firewall\ContextListener, line 104:

    $token = $session->get($this->sessionKey);

$token is null.

I think the issue is in the changing session key, and as a result the token cannot be read from Redis.

As you can see, the user ends up unauthenticated once 2FA is completed successfully.
Additional Context

  • the bundle configuration
    scheb_two_factor:
        security_tokens:
            - Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken
        google:
            enabled: true
  • security.yaml
    enable_authenticator_manager: true
    password_hashers:
        App\Entity\User:
            algorithm: auto
    providers:
        user_provider:
            entity:
                class: App\Entity\User
                property: email
        project_provider:
            entity:
                class: App\Entity\Project
                property: accessKey
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            lazy: true
            json_login:
                provider: user_provider
                check_path: app_login
                success_handler: App\Security\AuthenticationSuccessHandler
            login_link:
                provider: user_provider
                check_route: app_login_check
                signature_properties: [ id, email ]
                lifetime: 300
            two_factor:
                auth_form_path: app_2fa_get_qr_content
                provider: user_provider
                check_path: 2fa_check_code
                prepare_on_login: true
                prepare_on_access_denied: true
                authentication_required_handler: App\Security\TwoFactorAuthenticationRequiredHandler
                success_handler: App\Security\TwoFactorAuthenticationSuccessHandler
                failure_handler: App\Security\TwoFactorAuthenticationFailureHandler
                auth_code_parameter_name: authCode
            logout:
                path: app_logout

    access_control:
        - { path: ^/v1/logout, roles: IS_AUTHENTICATED_ANONYMOUSLY }
scheb (Owner) commented Sep 19, 2021

If you reach the point where UsernamePasswordToken is stored, the two-factor-bundle is no longer involved. Then this is more of a Symfony security core issue.

I'd suggest you investigate the reason why the session key changes.

oismailov (Author) commented

Thanks for the quick reply! I will check the Symfony security bundle then!
