tweaks thanks to the guys

symfony · Nov 30, 2015 · 3d67202 · 3d67202
1 parent 1eb5f23
commit 3d67202
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 4 deletions.
diff --git a/cookbook/security/api_key_authentication.rst b/cookbook/security/api_key_authentication.rst
@@ -70,7 +70,8 @@ value and then a User object is created::
             $username = $userProvider->getUsernameForApiKey($apiKey);
 
             if (!$username) {
-                // this message will be returned to the client
+                // CAUTION: this message will be returned to the client
+                // (so don't put any un-trusted messages / error strings here)
                 throw new CustomUserMessageAuthenticationException(
                     sprintf('API Key "%s" does not exist.', $apiKey)
                 );

diff --git a/cookbook/security/custom_password_authenticator.rst b/cookbook/security/custom_password_authenticator.rst
@@ -47,7 +47,8 @@ the user::
             try {
                 $user = $userProvider->loadUserByUsername($token->getUsername());
             } catch (UsernameNotFoundException $e) {
-                // error will be shown to the client
+                // CAUTION: this message will be returned to the client
+                // (so don't put any un-trusted messages / error strings here)
                 throw new CustomUserMessageAuthenticationException('Invalid username or password');
             }
 
@@ -56,7 +57,8 @@ the user::
             if ($passwordValid) {
                 $currentHour = date('G');
                 if ($currentHour < 14 || $currentHour > 16) {
-                    // error will be shown to the client
+                    // CAUTION: this message will be returned to the client
+                    // (so don't put any un-trusted messages / error strings here)
                     throw new CustomUserMessageAuthenticationException(
                         'You can only log in between 2 and 4!',
                         100
@@ -71,7 +73,8 @@ the user::
                 );
             }
 
-            // error will be shown to the client
+            // CAUTION: this message will be returned to the client
+            // (so don't put any un-trusted messages / error strings here)
             throw new CustomUserMessageAuthenticationException('Invalid username or password');
         }