Merge branch '6.3' into 6.4

* 6.3:
  Update Pbkdf2PasswordHasher.php
  Bump Symfony version to 6.3.5
  Update VERSION for 6.3.4
  Update CHANGELOG for 6.3.4
  Bump Symfony version to 5.4.29
  Update VERSION for 5.4.28
  Update CONTRIBUTORS for 5.4.28
  Update CHANGELOG for 5.4.28
  Fixed attachment base64 content string in MailerSendApiTransport
  [Security] Prevent creating session in stateless firewalls
  [Serializer] Fix union of enum denormalization
  [Serializer] Fix wrong InvalidArgumentException
  [VarDumper] Fix managing collapse state in CliDumper
  Fix breaking change in AccessTokenAuthenticator

Author: derrabus

AccessToken/Oidc/OidcTokenHandler.php

@@ -27,6 +27,7 @@
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\InvalidSignatureException;
 use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\MissingClaimException;
+use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 
 /**
@@ -91,7 +92,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             }
 
             // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
-            return new UserBadge($claims[$this->claim], fn () => $this->createUser($claims), $claims);
+            return new UserBadge($claims[$this->claim], new FallbackUserLoader(fn () => $this->createUser($claims)), $claims);
         } catch (\Exception $e) {
             $this->logger?->error('An error occurred while decoding and validating the token.', [
                 'error' => $e->getMessage(),

AccessToken/Oidc/OidcUserInfoTokenHandler.php

@@ -15,6 +15,7 @@
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
 use Symfony\Component\Security\Http\AccessToken\Oidc\Exception\MissingClaimException;
+use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
@@ -46,7 +47,7 @@ public function getUserBadgeFrom(string $accessToken): UserBadge
             }
 
             // UserLoader argument can be overridden by a UserProvider on AccessTokenAuthenticator::authenticate
-            return new UserBadge($claims[$this->claim], fn () => $this->createUser($claims), $claims);
+            return new UserBadge($claims[$this->claim], new FallbackUserLoader(fn () => $this->createUser($claims)), $claims);
         } catch (\Exception $e) {
             $this->logger?->error('An error occurred on OIDC server.', [
                 'error' => $e->getMessage(),

Authentication/DefaultAuthenticationFailureHandler.php

@@ -91,7 +91,9 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
 
         $this->logger?->debug('Authentication failure, redirect triggered.', ['failure_path' => $options['failure_path']]);
 
-        $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
+        if (!$request->attributes->getBoolean('_stateless')) {
+            $request->getSession()->set(SecurityRequestAttributes::AUTHENTICATION_ERROR, $exception);
+        }
 
         return $this->httpUtils->createRedirectResponse($request, $options['failure_path']);
     }

Authentication/DefaultAuthenticationSuccessHandler.php

@@ -103,7 +103,7 @@ protected function determineTargetUrl(Request $request): string
         }
 
         $firewallName = $this->getFirewallName();
-        if (null !== $firewallName && $targetUrl = $this->getTargetPath($request->getSession(), $firewallName)) {
+        if (null !== $firewallName && !$request->attributes->getBoolean('_stateless') && $targetUrl = $this->getTargetPath($request->getSession(), $firewallName)) {
             $this->removeTargetPath($request->getSession(), $firewallName);
 
             return $targetUrl;

Authenticator/AccessTokenAuthenticator.php

@@ -59,7 +59,7 @@ public function authenticate(Request $request): Passport
         }
 
         $userBadge = $this->accessTokenHandler->getUserBadgeFrom($accessToken);
-        if ($this->userProvider) {
+        if ($this->userProvider && (null === $userBadge->getUserLoader() || $userBadge->getUserLoader() instanceof FallbackUserLoader)) {
             $userBadge->setUserLoader($this->userProvider->loadUserByIdentifier(...));
         }
 

Authenticator/FallbackUserLoader.php

@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authenticator;
+
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * This wrapper serves as a marker interface to indicate badge user loaders that should not be overridden by the
+ * default user provider.
+ *
+ * @internal
+ */
+final class FallbackUserLoader
+{
+    public function __construct(private $inner)
+    {
+    }
+
+    public function __invoke(mixed ...$args): ?UserInterface
+    {
+        return ($this->inner)(...$args);
+    }
+}

Tests/AccessToken/Oidc/OidcTokenHandlerTest.php

@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\OidcUser;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcTokenHandler;
+use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 
 /**
@@ -61,7 +62,7 @@ public function testGetsUserIdentifierFromSignedToken(string $claim, string $exp
         ))->getUserBadgeFrom($token);
         $actualUser = $userBadge->getUserLoader()();
 
-        $this->assertEquals(new UserBadge($expected, fn () => $expectedUser, $claims), $userBadge);
+        $this->assertEquals(new UserBadge($expected, new FallbackUserLoader(fn () => $expectedUser), $claims), $userBadge);
         $this->assertInstanceOf(OidcUser::class, $actualUser);
         $this->assertEquals($expectedUser, $actualUser);
         $this->assertEquals($claims, $userBadge->getAttributes());

Tests/AccessToken/Oidc/OidcUserInfoTokenHandlerTest.php

@@ -16,6 +16,7 @@
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\User\OidcUser;
 use Symfony\Component\Security\Http\AccessToken\Oidc\OidcUserInfoTokenHandler;
+use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 use Symfony\Contracts\HttpClient\ResponseInterface;
@@ -47,7 +48,7 @@ public function testGetsUserIdentifierFromOidcServerResponse(string $claim, stri
         $userBadge = (new OidcUserInfoTokenHandler($clientMock, null, $claim))->getUserBadgeFrom($accessToken);
         $actualUser = $userBadge->getUserLoader()();
 
-        $this->assertEquals(new UserBadge($expected, fn () => $expectedUser, $claims), $userBadge);
+        $this->assertEquals(new UserBadge($expected, new FallbackUserLoader(fn () => $expectedUser), $claims), $userBadge);
         $this->assertInstanceOf(OidcUser::class, $actualUser);
         $this->assertEquals($expectedUser, $actualUser);
         $this->assertEquals($claims, $userBadge->getAttributes());

Tests/Authentication/DefaultAuthenticationFailureHandlerTest.php

@@ -47,6 +47,7 @@ protected function setUp(): void
 
         $this->session = $this->createMock(SessionInterface::class);
         $this->request = $this->createMock(Request::class);
+        $this->request->attributes = new ParameterBag(['_stateless' => false]);
         $this->request->expects($this->any())->method('getSession')->willReturn($this->session);
         $this->exception = $this->getMockBuilder(AuthenticationException::class)->onlyMethods(['getMessage'])->getMock();
     }
@@ -90,6 +91,17 @@ public function testExceptionIsPersistedInSession()
         $handler->onAuthenticationFailure($this->request, $this->exception);
     }
 
+    public function testExceptionIsNotPersistedInSessionOnStatelessRequest()
+    {
+        $this->request->attributes = new ParameterBag(['_stateless' => true]);
+
+        $this->session->expects($this->never())
+            ->method('set')->with(SecurityRequestAttributes::AUTHENTICATION_ERROR, $this->exception);
+
+        $handler = new DefaultAuthenticationFailureHandler($this->httpKernel, $this->httpUtils, [], $this->logger);
+        $handler->onAuthenticationFailure($this->request, $this->exception);
+    }
+
     public function testExceptionIsPassedInRequestOnForward()
     {
         $options = ['failure_forward' => true];

Tests/Authentication/DefaultAuthenticationSuccessHandlerTest.php

@@ -56,6 +56,25 @@ public function testRequestRedirectionsWithTargetPathInSessions()
         $this->assertSame('http://localhost/admin/dashboard', $handler->onAuthenticationSuccess($requestWithSession, $token)->getTargetUrl());
     }
 
+    public function testStatelessRequestRedirections()
+    {
+        $session = $this->createMock(SessionInterface::class);
+        $session->expects($this->never())->method('get')->with('_security.admin.target_path');
+        $session->expects($this->never())->method('remove')->with('_security.admin.target_path');
+        $statelessRequest = Request::create('/');
+        $statelessRequest->setSession($session);
+        $statelessRequest->attributes->set('_stateless', true);
+
+        $urlGenerator = $this->createMock(UrlGeneratorInterface::class);
+        $urlGenerator->expects($this->any())->method('generate')->willReturn('http://localhost/login');
+        $httpUtils = new HttpUtils($urlGenerator);
+        $token = $this->createMock(TokenInterface::class);
+        $handler = new DefaultAuthenticationSuccessHandler($httpUtils);
+        $handler->setFirewallName('admin');
+
+        $this->assertSame('http://localhost/', $handler->onAuthenticationSuccess($statelessRequest, $token)->getTargetUrl());
+    }
+
     public static function getRequestRedirections()
     {
         return [

Tests/Authenticator/AccessTokenAuthenticatorTest.php

@@ -0,0 +1,162 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Authenticator;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Core\User\InMemoryUserProvider;
+use Symfony\Component\Security\Http\AccessToken\AccessTokenExtractorInterface;
+use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\AccessTokenAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\FallbackUserLoader;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+
+class AccessTokenAuthenticatorTest extends TestCase
+{
+    private AccessTokenHandlerInterface $accessTokenHandler;
+    private AccessTokenExtractorInterface $accessTokenExtractor;
+    private InMemoryUserProvider $userProvider;
+
+    protected function setUp(): void
+    {
+        $this->accessTokenHandler = $this->createMock(AccessTokenHandlerInterface::class);
+        $this->accessTokenExtractor = $this->createMock(AccessTokenExtractorInterface::class);
+        $this->userProvider = new InMemoryUserProvider(['test' => ['password' => 's$cr$t']]);
+    }
+
+    public function testAuthenticateWithoutAccessToken()
+    {
+        $this->expectException(BadCredentialsException::class);
+        $this->expectExceptionMessage('Invalid credentials.');
+
+        $request = Request::create('/test');
+
+        $this->accessTokenExtractor
+            ->expects($this->once())
+            ->method('extractAccessToken')
+            ->with($request)
+            ->willReturn(null);
+
+        $authenticator = new AccessTokenAuthenticator(
+            $this->accessTokenHandler,
+            $this->accessTokenExtractor,
+        );
+
+        $authenticator->authenticate($request);
+    }
+
+    public function testAuthenticateWithoutProvider()
+    {
+        $request = Request::create('/test');
+
+        $this->accessTokenExtractor
+            ->expects($this->once())
+            ->method('extractAccessToken')
+            ->with($request)
+            ->willReturn('test');
+        $this->accessTokenHandler
+            ->expects($this->once())
+            ->method('getUserBadgeFrom')
+            ->with('test')
+            ->willReturn(new UserBadge('john', fn () => new InMemoryUser('john', null)));
+
+        $authenticator = new AccessTokenAuthenticator(
+            $this->accessTokenHandler,
+            $this->accessTokenExtractor,
+            $this->userProvider,
+        );
+
+        $passport = $authenticator->authenticate($request);
+
+        $this->assertEquals('john', $passport->getUser()->getUserIdentifier());
+    }
+
+    public function testAuthenticateWithoutUserLoader()
+    {
+        $request = Request::create('/test');
+
+        $this->accessTokenExtractor
+            ->expects($this->once())
+            ->method('extractAccessToken')
+            ->with($request)
+            ->willReturn('test');
+        $this->accessTokenHandler
+            ->expects($this->once())
+            ->method('getUserBadgeFrom')
+            ->with('test')
+            ->willReturn(new UserBadge('test'));
+
+        $authenticator = new AccessTokenAuthenticator(
+            $this->accessTokenHandler,
+            $this->accessTokenExtractor,
+            $this->userProvider,
+        );
+
+        $passport = $authenticator->authenticate($request);
+
+        $this->assertEquals('test', $passport->getUser()->getUserIdentifier());
+    }
+
+    public function testAuthenticateWithUserLoader()
+    {
+        $request = Request::create('/test');
+
+        $this->accessTokenExtractor
+            ->expects($this->once())
+            ->method('extractAccessToken')
+            ->with($request)
+            ->willReturn('test');
+        $this->accessTokenHandler
+            ->expects($this->once())
+            ->method('getUserBadgeFrom')
+            ->with('test')
+            ->willReturn(new UserBadge('john', fn () => new InMemoryUser('john', null)));
+
+        $authenticator = new AccessTokenAuthenticator(
+            $this->accessTokenHandler,
+            $this->accessTokenExtractor,
+            $this->userProvider,
+        );
+
+        $passport = $authenticator->authenticate($request);
+
+        $this->assertEquals('john', $passport->getUser()->getUserIdentifier());
+    }
+
+    public function testAuthenticateWithFallbackUserLoader()
+    {
+        $request = Request::create('/test');
+
+        $this->accessTokenExtractor
+            ->expects($this->once())
+            ->method('extractAccessToken')
+            ->with($request)
+            ->willReturn('test');
+        $this->accessTokenHandler
+            ->expects($this->once())
+            ->method('getUserBadgeFrom')
+            ->with('test')
+            ->willReturn(new UserBadge('test', new FallbackUserLoader(fn () => new InMemoryUser('john', null))));
+
+        $authenticator = new AccessTokenAuthenticator(
+            $this->accessTokenHandler,
+            $this->accessTokenExtractor,
+            $this->userProvider,
+        );
+
+        $passport = $authenticator->authenticate($request);
+
+        $this->assertEquals('test', $passport->getUser()->getUserIdentifier());
+    }
+}