[Security] UserBadge->userLoader always overwritten by AccessTokenAuthenticator->userProvider when the latter is set, regardless of the former #51446

@kaznovac

Symfony version(s) affected

6.3.3

Description

This behavior does not conform to the documentation on the UserBadge.

How to reproduce

Implement an AccessTokenHandler that returns a UserBadge with a custom userLoader:

<?php

namespace App\Security;

use App\Services\UserService;
use SensitiveParameter;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

final class AccessTokenHandler implements AccessTokenHandlerInterface
{
    public function __construct(
        private UserService $userService,
    ) {
    }

    public function getUserBadgeFrom(
        #[SensitiveParameter]
        string $accessToken,
    ): UserBadge {
        $user = $this->userService->getUserByAccessToken($accessToken);

        return new UserBadge(
            userIdentifier: $user->getUserIdentifier(),
            userLoader: fn() => $user,
        );
    }
}

Possible Solution

No response

Additional Context

No response
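
The precedence described in the issue title, as an added example that is not part of the original issue and is not Symfony's code: `BadgeModel`, `applyProviderAlways` and `applyProviderAsFallback` are hypothetical stand-ins, and the fallback rule is an assumption about the behavior the title implies. It models why a handler that resolves the user from the token itself loses that result once a provider is configured.

```php
<?php
declare(strict_types=1);

// Hypothetical stand-in for UserBadge: an identifier plus an optional loader.
final class BadgeModel
{
    /** @var (callable(string): object)|null */
    private $userLoader;

    public function __construct(public readonly string $userIdentifier, ?callable $userLoader = null)
    {
        $this->userLoader = $userLoader;
    }

    public function getUserLoader(): ?callable { return $this->userLoader; }
    public function setUserLoader(callable $loader): void { $this->userLoader = $loader; }
    public function getUser(): object { return ($this->userLoader)($this->userIdentifier); }
}

// Reported behavior: a configured provider always replaces the badge's own loader.
function applyProviderAlways(BadgeModel $badge, ?callable $provider): BadgeModel
{
    if (null !== $provider) {
        $badge->setUserLoader($provider);
    }
    return $badge;
}

// Assumed expected behavior: the provider is used only when the badge has no loader.
function applyProviderAsFallback(BadgeModel $badge, ?callable $provider): BadgeModel
{
    if (null === $badge->getUserLoader() && null !== $provider) {
        $badge->setUserLoader($provider);
    }
    return $badge;
}

// Constructed sample data: the handler resolved this user from the access token.
$tokenUser = (object) ['id' => 'alice', 'source' => 'handler'];
// Constructed provider: loads a user by identifier, independently of the token.
$provider = static fn (string $id): object => (object) ['id' => $id, 'source' => 'provider'];
$handlerBadge = static fn (): BadgeModel => new BadgeModel('alice', static fn (): object => $tokenUser);

// Print which loader produced the user under each rule.
echo applyProviderAlways($handlerBadge(), $provider)->getUser()->source, PHP_EOL;
echo applyProviderAsFallback($handlerBadge(), $provider)->getUser()->source, PHP_EOL;
```

A regression test for a real application can assert the same property: the user object returned after authentication is the one the handler's `userLoader` produced, not a second lookup by identifier.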
