Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Doc doesn't match authenticate() implementations #24585

Closed
wants to merge 1 commit into from
Closed

Doc doesn't match authenticate() implementations #24585

wants to merge 1 commit into from

Conversation

glye
Copy link
Contributor

@glye glye commented Oct 17, 2017
edited

Q A
Branch? 2.7 and up
Bug fix? no (doc fix)
New feature? no
BC breaks? no
Deprecations? no
Tests pass? no (I ran no tests, doc change only)
Fixed tickets
License MIT
Doc PR

The AuthenticationManagerInterface::authenticate() docblock was changed way back when to say it will never return null. But existing implementations then and now do return null. So it seems the doc is wrong, not the implementations.

Closed, see alternative approach: #24644

@glye glye mentioned this pull request Oct 17, 2017
Merged
4 tasks
@stof
Copy link
Member

stof commented Oct 17, 2017

Changing the AuthenticationManagerInterface::authenticate() method is a bad idea, as all code depending on the AuthenticationManagerInterface actually relies on the fact that the return type is not nullable.

The mistake is actually the fact that AuthenticationProviderInterface extends this interface IMO, while it is used to implement the inner of the AuthenticationProviderManager IMO.
But we could also respect the interface by making implementations throw when being called with unsupported tokens. The security component will actually never reach this code path, as the AuthenticationProviderManager first checks with support

@sroze
Copy link
Contributor

sroze commented Oct 17, 2017

I'd agree with @stof: what is in the interface PhpDoc is the real contract, not what is in the implementations. Maybe we need a PR on the implementations you've linked to throw an exception instead of return;ing.

@glye
Copy link
Contributor Author

glye commented Oct 17, 2017

@stof Aha! We are considering throwing in my own auth provider, this means we can safely do so.

If so that makes it a bigger PR than I expected and will take a bit of time due to other tasks, but unless others step in before that I can give it a try.

@glye
Copy link
Contributor Author

glye commented Oct 17, 2017

as all code depending on the AuthenticationManagerInterface actually relies on the fact that the return type is not nullable.

Should rely on. Even the AuthenticationProviderManager implementation checks if authenticate() returned null, even though this is redundant then since it checks supports() first.

@nicolas-grekas nicolas-grekas added this to the 2.7 milestone Oct 18, 2017
@glye glye mentioned this pull request Oct 20, 2017
Merged
@glye
Copy link
Contributor Author

glye commented Oct 20, 2017

@stof @sroze I made a new PR for the suggested approach: #24644
I'll close this one.

@glye glye closed this Oct 20, 2017
@glye glye deleted the patch-1 branch October 20, 2017 14:28
fabpot added a commit that referenced this pull request Oct 20, 2017
@fabpot
bug #24644 [Security] Fixed auth provider authenticate() cannot retur…
2661da4 
…n void (glye)

This PR was merged into the 2.7 branch.

Discussion
----------

[Security] Fixed auth provider authenticate() cannot return void

| Q             | A
| ------------- | ---
| Branch?       | 2.7 and up
| Bug fix?      | yes
| New feature?  | no
| BC breaks?    | no (arguably)
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets |
| License       | MIT
| Doc PR        |

The `AuthenticationManagerInterface` [requires](https://github.com/symfony/symfony/blob/2.7/src/Symfony/Component/Security/Core/Authentication/AuthenticationManagerInterface.php#L30) that `authenticate()` must return a TokenInterface, never null. Several authentication providers are violating this. Changed to throw exception instead.

See discussion in earlier PR #24585 which was changing the docblock rather than the implementations.

Commits
-------

6e18b56 [Security] Fixed auth provider authenticate() cannot return void
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
Status: Needs Review
Projects
None yet
Milestone
2.7
Development

Successfully merging this pull request may close these issues.

None yet
5 participants
@glye @stof @sroze @nicolas-grekas @carsonbot