[Security] Added check_post_only to the login link authenticator

wouterj · fabpot · commit b12c62179405 · 2020-10-13T19:07:29.000+02:00
diff --git a/Authenticator/LoginLinkAuthenticator.php b/Authenticator/LoginLinkAuthenticator.php
@@ -43,18 +43,18 @@ public function __construct(LoginLinkHandlerInterface $loginLinkHandler, HttpUti
         $this->httpUtils = $httpUtils;
         $this->successHandler = $successHandler;
         $this->failureHandler = $failureHandler;
-        $this->options = $options;
+        $this->options = $options + ['check_post_only' => false];
     }
 
     public function supports(Request $request): ?bool
     {
-        return $this->httpUtils->checkRequestPath($request, $this->options['check_route']);
+        return ($this->options['check_post_only'] ? $request->isMethod('POST') : true)
+            && $this->httpUtils->checkRequestPath($request, $this->options['check_route']);
     }
 
     public function authenticate(Request $request): PassportInterface
     {
         $username = $request->get('user');
-
         if (!$username) {
             throw new InvalidLoginLinkAuthenticationException('Missing user from link.');
         }
diff --git a/Tests/Authenticator/LoginLinkAuthenticatorTest.php b/Tests/Authenticator/LoginLinkAuthenticatorTest.php
@@ -39,6 +39,24 @@ protected function setUp(): void
         $this->failureHandler = $this->createMock(AuthenticationFailureHandlerInterface::class);
     }
 
+    /**
+     * @dataProvider provideSupportData
+     */
+    public function testSupport(array $options, $request, bool $supported)
+    {
+        $this->setUpAuthenticator($options);
+
+        $this->assertEquals($supported, $this->authenticator->supports($request));
+    }
+
+    public function provideSupportData()
+    {
+        yield [['check_route' => '/validate_link'], Request::create('/validate_link?hash=abc123'), true];
+        yield [['check_route' => '/validate_link'], Request::create('/login?hash=abc123'), false];
+        yield [['check_route' => '/validate_link', 'check_post_only' => true], Request::create('/validate_link?hash=abc123'), false];
+        yield [['check_route' => '/validate_link', 'check_post_only' => true], Request::create('/validate_link?hash=abc123', 'POST'), true];
+    }
+
     public function testSuccessfulAuthenticate()
     {
         $this->setUpAuthenticator();

Original file line number	Diff line number	Diff line change
`@@ -43,18 +43,18 @@ public function __construct(LoginLinkHandlerInterface $loginLinkHandler, HttpUti`
`43`	`43`	`$this->httpUtils = $httpUtils;`
`44`	`44`	`$this->successHandler = $successHandler;`
`45`	`45`	`$this->failureHandler = $failureHandler;`
`46`		`- $this->options = $options;`
	`46`	`+ $this->options = $options + ['check_post_only' => false];`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`public function supports(Request $request): ?bool`
`50`	`50`	`{`
`51`		`- return $this->httpUtils->checkRequestPath($request, $this->options['check_route']);`
	`51`	`+ return ($this->options['check_post_only'] ? $request->isMethod('POST') : true)`
	`52`	`+ && $this->httpUtils->checkRequestPath($request, $this->options['check_route']);`
`52`	`53`	`}`
`53`	`54`
`54`	`55`	`public function authenticate(Request $request): PassportInterface`
`55`	`56`	`{`
`56`	`57`	`$username = $request->get('user');`
`57`		`-`
`58`	`58`	`if (!$username) {`
`59`	`59`	`throw new InvalidLoginLinkAuthenticationException('Missing user from link.');`
`60`	`60`	`}`