Rebolon / php-sf-flex-webpack-encore-vuejs

A simple app skeleton to try to make every component work together: Symfony 5.* (latest stable at the date, but works with sf 4 and 3.3+ if you pull the right tag), symfony/flex, webpack-encore, vuejs 2.5.x, bootstrap 4 sass
https://www.richard.icu/
MIT License

Symfony Security return a 500 AccessDenied instead of a 403 with HttpException #31

Open Rebolon opened 6 years ago

Rebolon commented 6 years ago

A comment was added on this old, long issue https://github.com/symfony/symfony/issues/8467

Rebolon commented 6 years ago

When I look at the Security component documentation https://symfony.com/doc/master/bundles/SensioFrameworkExtraBundle/annotations/security.html

I can see that we have to specify the status_code if we want an HttpException instead of an AccessDeniedException.

But it's impossible to set up this status_code param with API Platform. So I opened a new issue to ask for some help about it: https://github.com/api-platform/api-platform/issues/519

Rebolon commented 6 years ago

The only solution I see for now is to add a listener for the API:

```php
<?php
namespace App\EventSubscriber;

use ApiPlatform\Core\EventListener\EventPriorities;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;

final class ApiAuthSubscriber implements EventSubscriberInterface
{
    public static function getSubscribedEvents()
    {
        // Hook kernel.exception before API Platform serializes the error response,
        // so the replaced exception is what gets rendered.
        return [
            KernelEvents::EXCEPTION => ['from500to405', EventPriorities::PRE_RESPOND],
        ];
    }

    // Despite the name, this maps both security exceptions to a 403 HttpException
    // instead of letting them surface as a 500.
    public function from500to405(GetResponseForExceptionEvent $event): void
    {
        $exception = $event->getException();

        if ($exception instanceof AccessDeniedException
        || $exception instanceof InsufficientAuthenticationException) {
            // Keep the original exception chained as $previous so the real cause stays in the logs.
            $httpException = new HttpException(403, $exception->getMessage(), $exception->getPrevious());
            $event->setException($httpException);
        }
    }
}
```

So maybe I have to do the same thing for the whole Sf4 project, but it sounds crazy; the framework should do this or allow us to configure it...
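Applying the same idea to the whole Symfony 4 project, as an added example that is not the repository's or the author's code: one kernel.exception subscriber that returns 401 for InsufficientAuthenticationException (no valid credentials) and 403 for AccessDeniedException (authenticated but not allowed), rather than 403 for both, and logs the denial so it is not buried among real server errors. The class name, method names, listener priority and the PSR-3 logger dependency are my assumptions.

```php
<?php
// Added example, not the repository's code: a kernel.exception subscriber for the whole
// Symfony 4 app. Assumes HttpKernel, Security and a PSR-3 logger; names are my own choices.
namespace App\EventSubscriber;
use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\GetResponseForExceptionEvent;
use Symfony\Component\HttpKernel\Exception\HttpException;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;
use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;

final class SecurityExceptionSubscriber implements EventSubscriberInterface
{
    private $logger;
    public function __construct(LoggerInterface $logger)
    {
        $this->logger = $logger;
    }

    public static function getSubscribedEvents(): array
    {
        // Positive priority (assumed value): run before the default exception listeners.
        return [KernelEvents::EXCEPTION => ['onKernelException', 10]];
    }

    public function onKernelException(GetResponseForExceptionEvent $event): void
    {
        $exception = $event->getException();
        $status = self::statusFor($exception);
        if (null === $status || $event->hasResponse()) {
            return; // not a security failure, or already handled: leave it alone
        }
        // Log the denial at its own level; as a 500 it would be lost among server errors.
        $this->logger->notice('Access denied', [
            'status' => $status,
            'path'   => $event->getRequest()->getPathInfo(),
            'reason' => $exception->getMessage(),
        ]);
        $event->setException(new HttpException($status, $exception->getMessage(), $exception));
    }

    public static function statusFor(\Throwable $e): ?int
    {
        if ($e instanceof InsufficientAuthenticationException) {
            return 401; // no valid credentials were presented
        }
        return $e instanceof AccessDeniedException ? 403 : null; // authenticated but not allowed
    }
}
```

Register it as a service with autowiring (or tag it as kernel.event_subscriber) and the mapping applies to every firewall, not only the API routes.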

Rebolon commented 6 years ago

I also opened an issue on Symfony: Security + JSON_LOGIN return an HTTP 500 instead of an HTTP 403 #25806. The problem seems related to the json_login security system.

Rebolon commented 6 years ago

I expect this to be the 'normal behavior' of json_login, but it is not documented finely in the Symfony docs. I don't see anything wrong in security.yaml that would explain this. I think that json_login, alone, will lead to this 500. To prevent this behavior, you seem to have to implement Guard authentication https://symfony.com/doc/current/security/guard_authentication.html or an API key authenticator like the one described here https://symfony.com/doc/current/security/api_key_authentication.html

I'm waiting for confirmation here https://github.com/symfony/symfony/issues/25806