Prevent user enumeration

Security/Guard/JWTTokenAuthenticator.php

@@ -156,13 +156,7 @@ public function getUser($preAuthToken, UserProviderInterface $userProvider)
             throw new InvalidPayloadException($idClaim);
         }
 
-        $identity = $payload[$idClaim];
-
-        try {
-            $user = $this->loadUser($userProvider, $payload, $identity);
-        } catch (UsernameNotFoundException $e) {
-            throw new UserNotFoundException($idClaim, $identity);
-        }
+        $user = $this->loadUser($userProvider, $payload, $payload[$idClaim]);
 
         $this->preAuthenticationTokenStorage->setToken($preAuthToken);
 

Tests/Security/Guard/JWTTokenAuthenticatorTest.php

@@ -183,8 +183,8 @@ public function testGetUserWithInvalidUserThrowsException()
             ))->getUser($decodedToken, $userProvider);
 
             $this->fail(sprintf('Expected exception of type "%s" to be thrown.', UserNotFoundException::class));
-        } catch (UserNotFoundException $e) {
-            $this->assertSame('Unable to load an user with property "username" = "lexik". If the user identity has changed, you must renew the token. Otherwise, verify that the "lexik_jwt_authentication.user_identity_field" config option is correctly set.', $e->getMessageKey());
+        } catch (UsernameNotFoundException $e) {
+            $this->assertSame('lexik', $e->getUsername());
         }
     }