Symfony version(s) affected

6.1.2

Description

When login_check is requested and the request parameters are missing (user, hash, expires) it throws 500 exceptions as verifySignatureHash method needs 3 not null parameters .

How to reproduce

Implement LoginLink and then request login via link:
https://mydomain.eu/login_check?amp%3Bexpires=1669158801&amp%3Bhash=YTU2NzdiNjE3ZGZhZRTHJH5678c1ODcyOTAyNDc0MzhiFiZmRlOWRjMjE4NDhhOGE4ZDcxNjU5OTUzNw%3D%3D%7CYTg5Y2JlNjY4MmQxZWU0M...5lc3M&user=myemail%40example.com

You see that here all parameters are provided but actually they are not. Due to some weird solution in our client's corporation when they get an email with the link, their inner security solution encodes ampersand to amp%3B. This makes those parameters obsolete.

Possible Solution

We should check in vendor/symfony/security-http/LoginLink/LoginLinkHandler.php:92 if those parameters are not null and if yes, then throw an exception that can by handled.

Additional Context

Uncaught Error: Symfony\Component\Security\Core\Signature\SignatureHasher::verifySignatureHash(): Argument #2 ($expires) must be of type int, null given, called in /vendor/symfony/security-http/LoginLink/LoginLinkHandler.php on line 96