Fix ContextInvalidationLogoutHandler #394
Conversation
There was a problem hiding this comment.
thanks a lot! this looks sane to me, i think its a good approach.
i wonder whether we should integrate the invalidation handler into the decorator class directly, as the composition is not important and the context invalidation method is not very complicated.
either way, we should keep the context invalidation logout handler for BC (as doc said to configure it in your security config) and instead of doing the pointless invalidation request, it would just output a deprecation warning that the new way of doing things does not require this handler anymore.
i know this is just the POC, but just so we dont forget: documentation will have to be updated when we really change this.
| @@ -295,6 +296,13 @@ private function loadUserContext(ContainerBuilder $container, XmlFileLoader $loa | |||
| $container->getDefinition($this->getAlias().'.user_context.logout_handler') | |||
| ->replaceArgument(1, $config['user_identifier_headers']) | |||
| ->replaceArgument(2, $config['match']['accept']); | |||
|
|
|||
| $container->register($this->getAlias().'.user_context.logout.handler.session', ContextInvalidationLogoutHandler::class) | |||
There was a problem hiding this comment.
i'd prefer to declare this in the user context xml service definition file. https://symfony.com/doc/current/service_container/service_decoration.html also has an example for that.
| use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface; | ||
| use Symfony\Component\Security\Http\Logout\SessionLogoutHandler; | ||
|
|
||
| class ContextInvalidationSessionLogoutHandler implements LogoutHandlerInterface |
There was a problem hiding this comment.
should be final imho.
we should add a docblock with documentation to explain why we build this as decorator of the session logout handler rather than a stand-alone handler.
|
@wesnick do you have time to continue on this? otherwise i will try to follow up, its one of the 2 things i want to have for the 2.2 release. |
|
@dbu I don't have time to get to it this week, but probably next week. Feel free to move it forward. A task still to take care of is the configuration scenario where you don't want to invalidate sessions in your logout handler but do want to invalidate user context cache (not sure the use case, but I suppose it could happen) needs some additional thought as it would not be possible to do that with the current direction of this PR. |
|
@wesnick Will you have some time to look at this again? I'm looking for next version of this bundle. |
|
I am looking at this now and will push some changes shortly. |
|
@dbu This is how I think this issue should be solved. There is a simple context invalidation service that is shared between the old logout handler and the new logout handler. Old logout handler is deprecated for but remains for BC. New logout handler aliases |
There was a problem hiding this comment.
hey, i like this a lot and the code looks very clean! just one comment where i would opt to be a bit more paranoid.
i think the super custom complicated cases should just be mentioned in the doc that you will need to create your own handlers and stuff. people that do that hopefully understand enough about the firewalls to do it - and i think for 99% of the cases this is enough. having more makes it a lot more complicated only to cover weird edge cases.
does out session handler alias win over the default service, regardless of whether security bundle or our bundle is loaded first?
please also add a note to the CHANGELOG - most important is to remove the config to use the fos_http_cache logout handler. and then mention that the new way replaces the default logout handler.
| use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; | ||
| use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface; | ||
|
|
||
| final class ContextInvalidationSessionLogoutHandler implements LogoutHandlerInterface |
There was a problem hiding this comment.
can we add a phpdoc that this replaces the session logout handler? i wonder if we should extend Symfony\Component\Security\Http\Logout\SessionLogoutHandler and call parent::logout. this increases the coupling, but i prefer that over not noticing when symfony changes that handler somehow...
I don't know the answer to this. I don't know who I would ask either. I could move to a compiler pass to be sure? |
|
i just looked at the code of container.php and found this: so its clear that its intentional that the alias wins over a service, so it won't accidentally change i think. can you please rebase to solve the merge conflict and extend the base logout handler and call its method, to make it explicit what we still do the same as that listener does? |
|
I will update docs later this afternoon |
|
tests fail on 7.2 with a segmentation fault, not sure what I can do about it |
There was a problem hiding this comment.
thank you, looks good. the segfault is weird - master builds fine. but i don't see anything unusual in your code that would explain to me why it would segfault. lets see if it was a one-time oddity if you push again with the tweaks to the doc i ask for. if it keeps happening, we could create a branch where you partially revert the changes to isolate the exact line that causes the problem.
| @@ -139,26 +139,18 @@ or you will end up with mixed up caches. | |||
| ~~~~~~~~~~~~~~~~~~ | |||
|
|
|||
| The logout handler will invalidate any cached user hashes when the user logs | |||
| out. | |||
| out. This behavior applies to all stateful firewalls. | |||
There was a problem hiding this comment.
i would prefer a .. note:: block with this plus the extra text you add below. something like: "The logout handler is active on all firewalls. If your application has multiple firewalls with different user contexts, you need to create your own custom invalidation handler. Be aware that Symfony's LogoutSuccessHandler places the SessionLogoutHandler before any configured logout handlers."
CHANGELOG.md
Outdated
|
|
||
| * The ContextInvalidationLogoutHandler has been deprecated in favor of the | ||
| ContextInvalidationSessionLogoutHandler. The original handler was called | ||
| after the invalidation of the session so did not correctly invalidate the |
There was a problem hiding this comment.
... session so did not correctly invalidate the session ID in cache... => session, and thus did not invalidate the session it should have but a newly created one.
CHANGELOG.md
Outdated
| after the invalidation of the session so did not correctly invalidate the | ||
| session ID in cache. You should remove the deprecated service | ||
| `fos_http_cache.user_context.logout_handler` from the logout.handlers section | ||
| of your firewall. |
|
@dbu I think this is complete. |
CHANGELOG.md
Outdated
| @@ -27,10 +27,10 @@ Changelog | |||
|
|
|||
| * The ContextInvalidationLogoutHandler has been deprecated in favor of the | |||
| ContextInvalidationSessionLogoutHandler. The original handler was called | |||
| after the invalidation of the session so did not correctly invalidate the | |||
| session ID in cache. You should remove the deprecated service | |||
| after the invalidation of the session, and thus did not invalidate the seesion | |||
CHANGELOG.md
Outdated
|
|
||
| * The ContextInvalidationLogoutHandler has been deprecated in favor of the | ||
| ContextInvalidationSessionLogoutHandler. The original handler was called | ||
| after the invalidation of the session, and thus did not invalidate the seesion |
CHANGELOG.md
Outdated
| @@ -24,6 +24,13 @@ Changelog | |||
|
|
|||
| * User context is more reliable not cache when the hash mismatches. (E.g. after | |||
| login/logout.) | |||
|
|
|||
| * The ContextInvalidationLogoutHandler has been deprecated in favor of the | |||
| ContextInvalidationSessionLogoutHandler. The original handler was called | |||
There was a problem hiding this comment.
please use backticks around class names (this is markdown, single backtick is good).
double whitespace after the . on this line.
| .. note:: | ||
| The logout handler is active on all firewalls. If your application has multiple firewalls | ||
| with different user context, you need to create your own custom invalidation handler. Be | ||
| aware that Symfony's ``LogoutSuccessHandler`` placea the ``SessionLogoutHandler`` before |
| /** | ||
| * @deprecated use ContextInvalidationSessionLogoutHandler in this same namespace as a replacement | ||
| * | ||
| * This handler is deprecated since in most cases the session has already been invalidated by the SessionLogoutHandler |
There was a problem hiding this comment.
lets be more affirmative: "This handler is deprecated because it never did what it was supposed to do. The session is already invalidated by the SessionLogoutHandler which is always the first logout handler executed."
|
@dbu I was out for a bit, now back and I updated PR per comments |
|
thanks a lot for fixing this problem, @wesnick ! |
This fixes #392