[Security] [LoginLink] Set custom lifetime for login link

Author: mbrodala

CHANGELOG.md

@@ -7,6 +7,8 @@ CHANGELOG
  * Add maximum username length enforcement of 4096 characters in `UserBadge`
  * Add `#[IsGranted()]`
  * Deprecate empty username or password when using when using `JsonLoginAuthenticator`
+ * Set custom lifetime for login link
+ * Add `$lifetime` parameter to `LoginLinkHandlerInterface::createLoginLink()`
 
 6.0
 ---

LoginLink/LoginLinkHandler.php

@@ -44,9 +44,9 @@ public function __construct(UrlGeneratorInterface $urlGenerator, UserProviderInt
         ], $options);
     }
 
-    public function createLoginLink(UserInterface $user, Request $request = null): LoginLinkDetails
+    public function createLoginLink(UserInterface $user, Request $request = null, int $lifetime = null): LoginLinkDetails
     {
-        $expires = time() + $this->options['lifetime'];
+        $expires = time() + ($lifetime ?: $this->options['lifetime']);
         $expiresAt = new \DateTimeImmutable('@'.$expires);
 
         $parameters = [

LoginLink/LoginLinkHandlerInterface.php

@@ -23,8 +23,10 @@ interface LoginLinkHandlerInterface
 {
     /**
      * Generate a link that can be used to authenticate as the given user.
+     *
+     * @param int $lifetime
      */
-    public function createLoginLink(UserInterface $user, Request $request = null): LoginLinkDetails;
+    public function createLoginLink(UserInterface $user, Request $request = null /*, int $lifetime = null */): LoginLinkDetails;
 
     /**
      * Validates if this request contains a login link and returns the associated User.

Tests/LoginLink/LoginLinkHandlerTest.php

@@ -112,6 +112,38 @@ public function provideCreateLoginLinkData()
         ];
     }
 
+    public function testCreateLoginLinkWithLifetime()
+    {
+        $extraProperties = ['emailProperty' => '[email protected]', 'passwordProperty' => 'pwhash'];
+
+        $this->router->expects($this->once())
+            ->method('generate')
+            ->with(
+                'app_check_login_link_route',
+                $this->callback(function ($parameters) use ($extraProperties) {
+                    return 'weaverryan' == $parameters['user']
+                        && isset($parameters['expires'])
+                         // allow a small expiration offset to avoid time-sensitivity
+                        && abs(time() + 1000 - $parameters['expires']) <= 1
+                        && isset($parameters['hash'])
+                        // make sure hash is what we expect
+                        && $parameters['hash'] === $this->createSignatureHash('weaverryan', $parameters['expires'], array_values($extraProperties));
+                }),
+                UrlGeneratorInterface::ABSOLUTE_URL
+            )
+            ->willReturn('https://example.com/login/verify?user=weaverryan&hash=abchash&expires=1654244256');
+
+        $user = new TestLoginLinkHandlerUser('weaverryan', '[email protected]', 'pwhash');
+        $lifetime = 1000;
+
+        $loginLink = $this->createLinker([], array_keys($extraProperties))->createLoginLink(
+            user: $user,
+            lifetime: $lifetime,
+        );
+
+        $this->assertSame('https://example.com/login/verify?user=weaverryan&hash=abchash&expires=1654244256', $loginLink->getUrl());
+    }
+
     public function testConsumeLoginLink()
     {
         $expires = time() + 500;