Add check_path option to json_login listener

symfony · Apr 13, 2017 · 2b2f9fe · 2b2f9fe
1 parent 4f0daa7
commit 2b2f9fe
Show file tree

Hide file tree

Showing 3 changed files with 30 additions and 4 deletions.
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_listeners.xml
@@ -147,6 +147,7 @@
             <tag name="monolog.logger" channel="security" />
             <argument type="service" id="security.token_storage" />
             <argument type="service" id="security.authentication.manager" />
+            <argument type="service" id="security.http_utils" />
             <argument /> <!-- Provider-shared Key -->
             <argument type="service" id="security.authentication.success_handler" />
             <argument type="service" id="security.authentication.failure_handler" />

diff --git a/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php b/src/Symfony/Component/Security/Http/Firewall/UsernamePasswordJsonAuthenticationListener.php
@@ -29,6 +29,7 @@
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
+use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\SecurityEvents;
 
 /**
@@ -41,6 +42,7 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
 {
     private $tokenStorage;
     private $authenticationManager;
+    private $httpUtils;
     private $providerKey;
     private $successHandler;
     private $failureHandler;
@@ -49,16 +51,17 @@ class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
     private $eventDispatcher;
     private $propertyAccessor;
 
-    public function __construct(TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, $providerKey, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options = array(), LoggerInterface $logger = null, EventDispatcherInterface $eventDispatcher = null, PropertyAccessorInterface $propertyAccessor = null)
+    public function __construct(TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, HttpUtils $httpUtils, $providerKey, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options = array(), LoggerInterface $logger = null, EventDispatcherInterface $eventDispatcher = null, PropertyAccessorInterface $propertyAccessor = null)
     {
         $this->tokenStorage = $tokenStorage;
         $this->authenticationManager = $authenticationManager;
+        $this->httpUtils = $httpUtils;
         $this->providerKey = $providerKey;
         $this->successHandler = $successHandler;
         $this->failureHandler = $failureHandler;
         $this->logger = $logger;
         $this->eventDispatcher = $eventDispatcher;
-        $this->options = array_merge(array('username_path' => 'username', 'password_path' => 'password'), $options);
+        $this->options = array_merge(array('check_path' => '/login_check', 'username_path' => 'username', 'password_path' => 'password'), $options);
         $this->propertyAccessor = $propertyAccessor ?: PropertyAccess::createPropertyAccessor();
     }
 
@@ -70,6 +73,10 @@ public function handle(GetResponseEvent $event)
         $request = $event->getRequest();
         $data = json_decode($request->getContent());
 
+        if (!$this->httpUtils->checkRequestPath($request, $this->options['check_path'])) {
+            return;
+        }
+
         try {
             if (!$data instanceof \stdClass) {
                 throw new BadCredentialsException('Invalid JSON.');

diff --git a/...Component/Security/Http/Tests/Firewall/UsernamePasswordJsonAuthenticationListenerTest.php b/...Component/Security/Http/Tests/Firewall/UsernamePasswordJsonAuthenticationListenerTest.php
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
 use Symfony\Component\Security\Http\Firewall\UsernamePasswordJsonAuthenticationListener;
+use Symfony\Component\Security\Http\HttpUtils;
 
 /**
  * @author Kévin Dunglas <dunglas@gmail.com>
@@ -35,9 +36,15 @@ class UsernamePasswordJsonAuthenticationListenerTest extends TestCase
      */
     private $listener;
 
-    private function createListener(array $options = array(), $success = true)
+    private function createListener(array $options = array(), $success = true, $matchCheckPath = true)
     {
         $tokenStorage = $this->getMockBuilder(TokenStorageInterface::class)->getMock();
+        $httpUtils = $this->getMockBuilder(HttpUtils::class)->getMock();
+        $httpUtils
+            ->expects($this->any())
+            ->method('checkRequestPath')
+            ->will($this->returnValue($matchCheckPath))
+        ;
         $authenticationManager = $this->getMockBuilder(AuthenticationManagerInterface::class)->getMock();
 
         $authenticatedToken = $this->getMockBuilder(TokenInterface::class)->getMock();
@@ -53,7 +60,7 @@ private function createListener(array $options = array(), $success = true)
         $authenticationFailureHandler = $this->getMockBuilder(AuthenticationFailureHandlerInterface::class)->getMock();
         $authenticationFailureHandler->method('onAuthenticationFailure')->willReturn(new Response('ko'));
 
-        $this->listener = new UsernamePasswordJsonAuthenticationListener($tokenStorage, $authenticationManager, 'providerKey', $authenticationSuccessHandler, $authenticationFailureHandler, $options);
+        $this->listener = new UsernamePasswordJsonAuthenticationListener($tokenStorage, $authenticationManager, $httpUtils, 'providerKey', $authenticationSuccessHandler, $authenticationFailureHandler, $options);
     }
 
     public function testHandleSuccess()
@@ -136,4 +143,15 @@ public function testAttemptAuthenticationUsernameTooLong()
         $this->listener->handle($event);
         $this->assertSame('ko', $event->getResponse()->getContent());
     }
+
+    public function testAttemptAuthenticationRequestPathDoesNotMatchCheckPath()
+    {
+        $this->createListener(array(), true, false);
+        $request = new Request();
+        $event = new GetResponseEvent($this->getMockBuilder(KernelInterface::class)->getMock(), $request, KernelInterface::MASTER_REQUEST);
+        $event->setResponse(new Response('original'));
+
+        $this->listener->handle($event);
+        $this->assertSame('original', $event->getResponse()->getContent());
+    }
 }