From a175d6dab968d93e96a3e4f80c495435f71d5eb7 Mon Sep 17 00:00:00 2001
From: Robin Chalas
Date: Sun, 4 Apr 2021 21:07:14 +0200
Subject: [PATCH] Prevent user enumeration
---
 Security/Guard/JWTTokenAuthenticator.php | 8 +-------
 Tests/Security/Guard/JWTTokenAuthenticatorTest.php | 4 ++--
 2 files changed, 3 insertions(+), 9 deletions(-)

diff --git a/Security/Guard/JWTTokenAuthenticator.php b/Security/Guard/JWTTokenAuthenticator.php
index 6191ec18..0d083d21 100644
--- a/Security/Guard/JWTTokenAuthenticator.php
+++ b/Security/Guard/JWTTokenAuthenticator.php
@@ -156,13 +156,7 @@ public function getUser($preAuthToken, UserProviderInterface $userProvider)
 throw new InvalidPayloadException($idClaim);
 }
 
- $identity = $payload[$idClaim];
-
- try {
- $user = $this->loadUser($userProvider, $payload, $identity);
- } catch (UsernameNotFoundException $e) {
- throw new UserNotFoundException($idClaim, $identity);
- }
+ $user = $this->loadUser($userProvider, $payload, $payload[$idClaim]);
 
 $this->preAuthenticationTokenStorage->setToken($preAuthToken);
 
diff --git a/Tests/Security/Guard/JWTTokenAuthenticatorTest.php b/Tests/Security/Guard/JWTTokenAuthenticatorTest.php
index afff8446..ff4a01b1 100644
--- a/Tests/Security/Guard/JWTTokenAuthenticatorTest.php
+++ b/Tests/Security/Guard/JWTTokenAuthenticatorTest.php
@@ -183,8 +183,8 @@ public function testGetUserWithInvalidUserThrowsException()
 ))->getUser($decodedToken, $userProvider);
 
 $this->fail(sprintf('Expected exception of type "%s" to be thrown.', UserNotFoundException::class));
- } catch (UserNotFoundException $e) {
- $this->assertSame('Unable to load an user with property "username" = "lexik". If the user identity has changed, you must renew the token. Otherwise, verify that the "lexik_jwt_authentication.user_identity_field" config option is correctly set.', $e->getMessageKey());
+ } catch (UsernameNotFoundException $e) {
+ $this->assertSame('lexik', $e->getUsername());
 }
 }
 
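Review bot: The new `loadUser` call lets the provider's UsernameNotFoundException propagate untouched, but nothing on that line says why, and the enumeration fix only holds if whatever renders the failure uses `getMessageKey()` rather than `getMessage()` — user providers commonly embed the looked-up name in the exception message, and the `getUsername()` accessor the test relies on still carries it. I would add a comment above the call: `// Do not wrap UsernameNotFoundException: a bundle-specific exception whose message echoes the identity claim lets a caller probe which usernames exist.` Presumably Symfony's authentication manager turns the raw exception into a generic BadCredentialsException when hide_user_not_found is enabled; that is not visible here and should be confirmed, as should whether the UserNotFoundException import in this file is now unused. getUser starts and ends outside the hunk.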
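Review bot: The `$this->fail(...)` context line still names `UserNotFoundException::class` while the new catch expects UsernameNotFoundException, so a regression that throws nothing would report the wrong expected type; change it to `$this->fail(sprintf('Expected exception of type "%s" to be thrown.', UsernameNotFoundException::class));`. Asserting only `getUsername()` does not exercise what the commit title claims, so I would also pin that the surfaced message does not leak the identity, e.g. `$this->assertStringNotContainsString('lexik', $e->getMessageKey());` if the PHPUnit version in use provides it. The test method starts outside the hunk.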