Symfony version(s) affected
5.4.0, 5.4.1
Description
When upgrading my 5.3 application to 5.4.(0|1), I'm having trouble authenticating.
In my tests on 5.3, when I do:

```php
$client = self::createClient($kernelOptions, $defaultOptions);
$client->request('POST', '/v1/login', [
    'json' => [
        'username' => $identifier,
        'password' => $password,
    ],
]);
```
I get:

```json
{"code":200,"message":"null"}
```

But on 5.4.(0|1) I get:

```json
{"code":401,"message":"Invalid or expired login link."}
```
How to reproduce
Repository: https://github.com/darthf1/symfony-authentication
SF 5.4
- git clone https://github.com/darthf1/symfony-authentication.git
- cd symfony-authentication
- git checkout master
- docker build . -t bug-5.4
- docker run bug-5.4 bin/phpunit
```text
There was 1 failure:
1) App\Tests\LoginTest::testLogin
Failed asserting that the Response is successful.
HTTP/1.1 401 Unauthorized
Cache-Control: no-cache, private
Content-Type: application/json
Date: Tue, 28 Dec 2021 16:34:43 GMT
Link: <http://example.com/api/docs.jsonld>; rel="http://www.w3.org/ns/hydra/core#apiDocumentation"
Www-Authenticate: Bearer
X-Robots-Tag: noindex
{"code":401,"message":"Invalid or expired login link."}
/home/www/app/vendor/api-platform/core/src/Bridge/Symfony/Bundle/Test/BrowserKitAssertionsTrait.php:33
/home/www/app/tests/LoginTest.php:21
```
SF 5.3
- git clone https://github.com/darthf1/symfony-authentication.git
- cd symfony-authentication
- git checkout reproducer/5.3
- docker build . -t bug-5.3
- docker run bug-5.3 bin/phpunit
```text
OK (1 test, 1 assertion)
```
The diff between these two branches:
https://github.com/darthf1/symfony-authentication/pull/1/files
Possible Solution
No response
Additional Context
- The security.firewalls.main.json_login is from LexikJWTAuthenticationBundle
- When I remove the security.firewalls.main.login_link entry, it works.
- When I split the firewall entries into login and main, it works as well. Reading all the docs again, this looks like the preferred practice.

From:
```yaml
security:
    firewalls:
        main:
            pattern: ^/
            provider: users_in_memory
            stateless: true
            json_login:
                check_path: /v1/login
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            login_link:
                check_route: api_login_check
                lifetime: 2630000
                signature_properties: ['id']
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            jwt: ~
```
to something like:
```yaml
security:
    firewalls:
        login:
            pattern: ^/v1/login$
            stateless: true
            json_login:
                check_path: /v1/login
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        main:
            pattern: ^/
            stateless: true
            login_link:
                check_route: login_link  # change this one as well, to not be the same as the json_login path.
                lifetime: 2630000
                signature_properties: ['id']
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            jwt: ~
```
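As an added check (not code from the issue, from Symfony or from the reporter's repository), the following lint reads a security.yaml snippet and flags a firewall in which json_login and login_link resolve to the same request path, the layout that produced the 401 above; it assumes a route map `ROUTES` in which `api_login_check` points at `/v1/login` (as this report's setup implies) and a hypothetical `login_link` route at a distinct path.

```python
# Added example (not code from the issue, Symfony or the reporter's repository): a
# lint that reads a security.yaml snippet and reports firewalls where json_login
# and login_link both answer the same request path, the overlap described above.
ROUTES = {'api_login_check': '/v1/login', 'login_link': '/v1/login_link'}  # assumed route map
def parse_simple_yaml(text):
    """Tiny parser for indentation-nested 'key: value' maps (no lists, no quoting rules)."""
    root = {}; stack = [(-1, root)]            # (indent, mapping) pairs
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].rstrip()   # drop comments and trailing space
        if not line.strip():
            continue
        indent = len(line) - len(line.lstrip(' '))
        key, _, value = line.strip().partition(':')
        while stack[-1][0] >= indent:          # climb back to this line's parent
            stack.pop()
        parent = stack[-1][1]
        if value.strip() in ('', '~'):         # nested map, or empty like `jwt: ~`
            parent[key] = {}
            stack.append((indent, parent[key]))
        else:
            parent[key] = value.strip()
    return root

def resolve_path(target):
    """check_path / check_route may be a literal path or a route name."""
    return target if target.startswith('/') else ROUTES.get(target)

def find_login_overlaps(config):
    """Return [(firewall, path)] where json_login and login_link share one path."""
    hits = []
    for name, fw in config.get('security', {}).get('firewalls', {}).items():
        json_login, login_link = fw.get('json_login'), fw.get('login_link')
        if json_login is None or login_link is None:
            continue                            # separate firewalls: no overlap
        a = resolve_path(json_login.get('check_path', ''))
        b = resolve_path(login_link.get('check_route', ''))
        if a and a == b:
            hits.append((name, a))
    return hits
# Constructed input modelled on the reporter's failing single-firewall layout.
SHARED_FIREWALL = """\
security:
  firewalls:
    main:
      json_login:
        check_path: /v1/login
      login_link:
        check_route: api_login_check
"""
```

Running `find_login_overlaps(parse_simple_yaml(SHARED_FIREWALL))` reports the `main` firewall at `/v1/login`; the split layout, or a distinct `check_route`, produces no finding.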