scheb / two-factor-bundle

[ABANDONED] Two-factor authentication for Symfony 2 & 3 applications 🔐. Please use the newer versions from https://github.com/scheb/2fa.
MIT License

Infinite login loop when updating user credentials #304

Closed cralph-bhn closed 3 years ago

cralph-bhn commented 3 years ago

Bundle version: 4.18.4

Symfony version: 3.4.33

Description

Upon updating the password of the currently authenticated user, the user is placed into an infinite login loop (i.e. the user is redirected to /login, which in turn redirects back to itself). The expected result is for the user to be logged out (deauthenticated).

Upon inspecting the logs, I see this error repeated dozens of times (until the browser gives up with TOO_MANY_REDIRECTS):

[2020-11-26 12:52:38] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. {"exception":"[object] (Symfony\Component\Security\Core\Exception\ProviderNotFoundException(code: 0): No Authentication Provider found for token of class \"Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken\". at /home/jsmith/my.project/vendor/symfony/symfony/src/Symfony/Component/Security/Core/Authentication/AuthenticationProviderManager.php:103)"} []

To Reproduce

  1. Log in as any user
  2. Complete 2FA challenge screen
  3. Change current user's password in the database (in practice, this happens via an "Edit Profile" UI)
  4. Attempt to navigate to any path, you should now be stuck in an infinite login loop

Additional Context

scheb commented 3 years ago

Well, what I can see so far, it doesn't look like an issue related to 2fa to me, because I see no indication how 2fa would cause this. I think so because:

My guess is, if you'd completely remove/deactivate 2fa, you'd run into the exact same issue. Therefore I'd like to ask you:

1) Please deactivate the bundle in your application and try the same thing without 2fa. If you still have the same issue, it's not related to the bundle.

2) Can you please post your security.yaml?

3) Can you please post a stack trace for that exception?

stale[bot] commented 3 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.