Symfony version(s) affected: 5.0.0
Description
The interface of `TokenBasedRememberMeServices::generateCookieValue()` expects username and password to be `string`.
`UserInterface` and `User` from Security-Core have mismatched signatures. In `UserInterface` there are no defined return types, only phpdocs for `string|null` in case of `getPassword()` and `string` in case of `getUsername()`. These mismatch with what `TokenBasedRememberMeServices` expects.
How to reproduce
I experience this with code loosely based on the example from KnpUniversity\Oauth2ClientBundle. I'm using a `User` class which returns `null` in `getPassword()`.
Possible Solution
The signature and expectations should be aligned, either by enforcing `string` throughout the `UserInterface` and `User` class, or by allowing `null` in `TokenBasedRememberMeServices::generateCookieValue()` and a typecast inside `generateCookieHash`.
I'm not sure, but I think it's a security issue to allow remember-me with users that do not have passwords (the hash will only be based on class, username and expires). If it is, this should be clarified in the docs, and there must be a more meaningful exception when the password is null or an empty string.
Or, to degrade gracefully, the cookie should not be set when the password is empty.
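A stand-alone PHP sketch of the two alternatives described above, added here as an illustration; it is neither Symfony's code nor the reporter's. `RememberMeCookieIssuer`, `UserLike` and `OauthUser` are hypothetical stand-ins for `TokenBasedRememberMeServices` and `UserInterface`, and the secret and expiry values are constructed for the demo. It shows how a silent `(string)` cast leaves the cookie hash bound only to class, username and expiry, and how the "refuse to issue the cookie" variant behaves instead.

```php
<?php
// Added illustration, not Symfony code. A minimal stand-in for the
// remember-me cookie described in the issue: the value is derived from
// class, username, expiry and password, keyed with an application secret.
// RememberMeCookieIssuer, UserLike and OauthUser are hypothetical names.
declare(strict_types=1);

interface UserLike
{
    public function getUsername(): string;

    /** @return string|null  null models a user without a password (e.g. OAuth-only) */
    public function getPassword(): ?string;
}

final class OauthUser implements UserLike
{
    private $username;
    private $password;

    public function __construct(string $username, ?string $password)
    {
        $this->username = $username;
        $this->password = $password;
    }

    public function getUsername(): string { return $this->username; }
    public function getPassword(): ?string { return $this->password; }
}

final class RememberMeCookieIssuer
{
    private const DELIMITER = ':';
    private $secret;

    public function __construct(string $secret)
    {
        $this->secret = $secret;
    }

    // Variant A: the typecast the issue mentions. null becomes "", so the
    // hash is effectively bound to class, username and expiry only.
    public function cookieValueLenient(UserLike $user, int $expires): string
    {
        return $this->build(get_class($user), $user->getUsername(), $expires, (string) $user->getPassword());
    }

    // Variant B: degrade gracefully. No password means no remember-me cookie;
    // the caller receives null and must not set the cookie.
    public function cookieValueStrict(UserLike $user, int $expires): ?string
    {
        $password = $user->getPassword();
        if (null === $password || '' === $password) {
            return null;
        }

        return $this->build(get_class($user), $user->getUsername(), $expires, $password);
    }

    private function build(string $class, string $username, int $expires, string $password): string
    {
        $hash = hash_hmac('sha256', implode(self::DELIMITER, [$class, $username, (string) $expires, $password]), $this->secret);

        return base64_encode(implode(self::DELIMITER, [$class, $username, (string) $expires, $hash]));
    }
}

// Constructed demo values; the expiry is fixed so runs are deterministic.
$issuer = new RememberMeCookieIssuer('constructed-demo-secret');
$expires = 1700000000;

$noPassword = new OauthUser('alice', null);
printf("lenient, no password: %s\n", $issuer->cookieValueLenient($noPassword, $expires));
printf("strict,  no password: %s\n", $issuer->cookieValueStrict($noPassword, $expires) ?? '(no cookie issued)');

// With a password present, rotating it changes the cookie value, so older
// cookies stop matching; with null there is nothing in the hash to rotate.
$v1 = new OauthUser('bob', 'hashed-pw-v1');
$v2 = new OauthUser('bob', 'hashed-pw-v2');
var_dump($issuer->cookieValueStrict($v1, $expires) === $issuer->cookieValueStrict($v2, $expires));
```

Run it with `php` on the command line. The strict variant is the one that matches the "do not set the cookie" suggestion: the caller checks for `null` and skips the `Set-Cookie` header rather than issuing a value that no password change can ever invalidate.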
Additional context