Prevent FormLoginAuthenticator from responding to requests that should be handled by JsonLoginAuthenticator

abunch · chalasr · commit 7b37c753856b · 2021-10-27T20:25:09.000+02:00
diff --git a/Authenticator/FormLoginAuthenticator.php b/Authenticator/FormLoginAuthenticator.php
@@ -60,6 +60,7 @@ public function __construct(HttpUtils $httpUtils, UserProviderInterface $userPro
             'password_parameter' => '_password',
             'check_path' => '/login_check',
             'post_only' => true,
+            'form_only' => false,
             'enable_csrf' => false,
             'csrf_parameter' => '_csrf_token',
             'csrf_token_id' => 'authenticate',
@@ -74,7 +75,8 @@ protected function getLoginUrl(Request $request): string
     public function supports(Request $request): bool
     {
         return ($this->options['post_only'] ? $request->isMethod('POST') : true)
-            && $this->httpUtils->checkRequestPath($request, $this->options['check_path']);
+            && $this->httpUtils->checkRequestPath($request, $this->options['check_path'])
+            && ($this->options['form_only'] ? 'form' === $request->getContentType() : true);
     }
 
     public function authenticate(Request $request): Passport
diff --git a/Tests/Authenticator/FormLoginAuthenticatorTest.php b/Tests/Authenticator/FormLoginAuthenticatorTest.php
@@ -156,6 +156,27 @@ public function testUpgradePassword()
         $this->assertEquals('s$cr$t', $badge->getAndErasePlaintextPassword());
     }
 
+    /**
+     * @dataProvider provideContentTypes()
+     */
+    public function testSupportsFormOnly(string $contentType, bool $shouldSupport)
+    {
+        $request = new Request();
+        $request->headers->set('CONTENT_TYPE', $contentType);
+        $request->server->set('REQUEST_URI', '/login_check');
+        $request->setMethod('POST');
+
+        $this->setUpAuthenticator(['form_only' => true]);
+
+        $this->assertSame($shouldSupport, $this->authenticator->supports($request));
+    }
+
+    public function provideContentTypes()
+    {
+        yield ['application/json', false];
+        yield ['application/x-www-form-urlencoded', true];
+    }
+
     private function setUpAuthenticator(array $options = [])
     {
         $this->authenticator = new FormLoginAuthenticator(new HttpUtils(), $this->userProvider, $this->successHandler, $this->failureHandler, $options);
