dongxiaolin2801
2016-06-27 18:01 阅读 83
已采纳

Symfony2自定义身份验证系统在不应该的情况下传递用户

I'm writing a bundle for Symfony2 and I need to write a custom authentication system with guards. The whole system is based on tokens. Let's assume I need to send a POST request. In headers I have to include 'TOKEN: testtoken'.

  1. I send a request without 'TOKEN: testtoken' in headers and I get

    { "message": "Authentication Required" }
    
  2. I send a request with 'TOKEN: badtoken' and I get

    { "message": "Username could not be found." }
    

    Don't look at 'username'. It's mistake.

  3. I send request with 'TOKEN: testtoken' and I get

    { "token": "testtoken" }
    

    It's just example page.

  4. Now I delete 'TOKEN: testtoken' from headers (I use Postman for testing REST APIs) and I get

    { "token": "testtoken" }
    

    I have no idea why. In my opinion in this case my system should return

    { "message": "Authentication Required" }
    

Here’s my TokenAuthenticator.php

<?php
namespace WLN\AuthTokenBundle\Security;

use Doctrine\ORM\EntityManager;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;

class TokenAuthenticator extends AbstractGuardAuthenticator
{
    private $em;
    private $user_repository;

    public function __construct(EntityManager $em)
    {
        $this->em = $em;
    }

    public function setConfig($user_repo)
    {
        $this->user_repository = $user_repo;
    }

    public function getCredentials(Request $request)
    {
        if($token = $request->headers->get('WLN-AUTH-TOKEN'))
        {
            return [
                'token' => $token
            ];
        }

        return null;
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        $token = $credentials['token'];

        return $this->em->getRepository($this->user_repository)
            ->findOneBy(array('token' => $token));
    }

    public function checkCredentials($credentials, UserInterface $user)
    {
        return true;
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return null;
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        $data = array(
            'message' => strtr($exception->getMessageKey(), $exception->getMessageData())
        );

        return new JsonResponse($data, 403);
    }

    public function start(Request $request, AuthenticationException $authException = null)
    {
        $data = array(
            'message' => 'Authentication Required'
        );

        return new JsonResponse($data, 401);
    }

    public function supportsRememberMe()
    {
        return false;
    }
}

P.S. My app is on shared-hosting. May caching cause it or something like that?

  • 点赞
  • 写回答
  • 关注问题
  • 收藏
  • 复制链接分享

1条回答 默认 最新

  • 已采纳
    dsa89029 dsa89029 2016-06-29 08:11

    I've figured out what was wrong. When I was requesting valid token in my sessions formed PHPSESSID. Because of that I was getting so freaky behavior of my API. In my case the solution is to set security.firewalls.main.stateless to true :).

    点赞 评论 复制链接分享

相关推荐