Throw access denied when 2fa check path is called outside of a 2fa pr…

…ocess, fix #52
scheb · Jan 29, 2021 · b4a2511 · b4a2511
1 parent f064193
commit b4a2511
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 6 deletions.
diff --git a/src/bundle/Security/Http/Authenticator/TwoFactorAuthenticator.php b/src/bundle/Security/Http/Authenticator/TwoFactorAuthenticator.php
@@ -19,8 +19,8 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
@@ -100,8 +100,9 @@ public function authenticate(Request $request): PassportInterface
         // within the "authenticate" stage.
         $currentToken = $this->tokenStorage->getToken();
         if (!($currentToken instanceof TwoFactorTokenInterface)) {
-            // This should only happen when the check path is called outside of a 2fa process and not protected via access_control
-            throw new AuthenticationServiceException('Tried to perform two-factor authentication, but two-factor authentication is not in progress.');
+            // This should only happen when the check path is called outside of a 2fa process
+            // access_control can't handle this, as it's called after the authenticator
+            throw new AccessDeniedException('User is not in a two-factor authentication process.');
         }
 
         $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::ATTEMPT, $request, $currentToken);

diff --git a/tests/Security/Http/Authenticator/TwoFactorAuthenticatorTest.php b/tests/Security/Http/Authenticator/TwoFactorAuthenticatorTest.php
@@ -21,8 +21,8 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
@@ -235,10 +235,10 @@ public function supports_isCheckPath_returnTrue(): void
     /**
      * @test
      */
-    public function authenticate_notTwoFactorToken_throwAuthenticationServiceException(): void
+    public function authenticate_notTwoFactorToken_throwAccessDeniedException(): void
     {
         $this->stubTokenStorageHasToken($this->createMock(TokenInterface::class));
-        $this->expectException(AuthenticationServiceException::class);
+        $this->expectException(AccessDeniedException::class);
         $this->authenticator->authenticate($this->request);
     }