Merge branch '3.4' into 4.4

* 3.4: [Security][Guard] Prevent user enumeration via response content
symfony · May 12, 2021 · 8188709 · 8188709
2 parents b02e7d7 + 7e1a526
commit 8188709
Show file tree

Hide file tree

Showing 2 changed files with 5 additions and 4 deletions.
diff --git a/Authentication/Provider/UserAuthenticationProvider.php b/Authentication/Provider/UserAuthenticationProvider.php
@@ -14,6 +14,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
@@ -80,7 +81,7 @@ public function authenticate(TokenInterface $token)
  $this->userChecker->checkPreAuth($user);
  $this->checkAuthentication($user, $token);
  $this->userChecker->checkPostAuth($user);
- } catch (BadCredentialsException $e) {
+ } catch (AccountStatusException $e) {
  if ($this->hideUserNotFoundExceptions) {
  throw new BadCredentialsException('Bad credentials.', 0, $e);
  }

diff --git a/Tests/Authentication/Provider/UserAuthenticationProviderTest.php b/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
@@ -83,7 +83,7 @@ public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
 
  public function testAuthenticateWhenPreChecksFails()
  {
- $this->expectException(CredentialsExpiredException::class);
+ $this->expectException(BadCredentialsException::class);
  $userChecker = $this->createMock(UserCheckerInterface::class);
  $userChecker->expects($this->once())
  ->method('checkPreAuth')
@@ -101,7 +101,7 @@ public function testAuthenticateWhenPreChecksFails()
 
  public function testAuthenticateWhenPostChecksFails()
  {
- $this->expectException(AccountExpiredException::class);
+ $this->expectException(BadCredentialsException::class);
  $userChecker = $this->createMock(UserCheckerInterface::class);
  $userChecker->expects($this->once())
  ->method('checkPostAuth')
@@ -128,7 +128,7 @@ public function testAuthenticateWhenPostCheckAuthenticationFails()
  ;
  $provider->expects($this->once())
  ->method('checkAuthentication')
- ->willThrowException(new BadCredentialsException())
+ ->willThrowException(new CredentialsExpiredException())
  ;
 
  $provider->authenticate($this->getSupportedToken());