Adding a new RefreshableRolesTokenInterface to refresh security roles #24331
Conversation
This affect session-based authentication. If your token implements this interface, then if the roles change on your User (after refresh), then the token's roles are updated to match. The AbstractToken implements this interface, so in practice, most systems will automatically take advantage of this.
|
Hmm, there is a problem. It's possible that an authentication mechanism could choose to create a token by using the roles from the symfony/src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php Lines 142 to 143 in d40820b So this is tricky. We could make the feature more "opt-in"... but this is truly the correct behavior: token roles should refresh if they are changed on the User. It's surprising that they are not. I can only think of one solution: if the Token roles != the User roles when the original authentication occurs, then we add some flag (in the session) that indicates that the roles should not be refreshed. Basically, if you are adding any custom roles beyond |
|
Here's a summarized update:
tl;dr Most users will now have refreshed token roles when the refreshed User's roles change. A minority is security systems - where they purposely store extra roles in their token - will not benefit from this. I believe I've safely added this behavior everywhere that I can. |
it By default, AbstractToken (and its sub-classes), have a mechanism to check if any extra tokens were added, beyond the user tokens. If there are none, then the roles are refreshed. If there are some, then they are not.
weaverryan
force-pushed
the
refresh-roles-session
branch
from
2675664 to
87d2826
Compare
| if ($token !== $this->refreshedToken) { | ||
| $shouldUpdateRoles = $token instanceof RefreshableRolesTokenInterface && $token->shouldUpdateRoles(); | ||
| $session->set($this->refreshableRolesSessionKey, $shouldUpdateRoles); | ||
| } |
There was a problem hiding this comment.
This was a tricky part. The return value from shouldUpdateRoles() is not serialized to the session (i.e. it's not in AbstractToken::serialize(). This is done for BC: we can't change serialize() & unserialize() to include this.
So, we instead store this value in a different session key. This logic only sets it if the token has changed. Basically, we want to set this session key during the original request when authentication occurred (that's when we know that shouldUpdateRoles() is accurate). By checking to see if the token changed, we're effectively accomplishing that.
This was the weirdest / hackiest part of this PR. I'm open to suggestions.
There was a problem hiding this comment.
If your upgrading there is a big chance you already need to clear existing session data. So this change should be acceptable.
|
Dont we have a UserChecker for these kind of things? |
|
@weaverryan does this mean that when you are not using Doctrine to lazy/eagerly load roles via |
|
@ptrm04 Hmm, yes, that's correct. And an interesting edge-case that I hadn't thought of. If you're (for some reason) not serializing your User's roles to the session or not refreshing them, then your roles would be lost. That's a slight BC break I hadn't thought of :/ |
| @@ -44,6 +46,8 @@ public function __construct($user, $credentials, $providerKey, array $roles = ar | |||
| $this->providerKey = $providerKey; | |||
|
|
|||
| parent::setAuthenticated(count($roles) > 0); | |||
|
|
|||
| $this->setShouldUpdateRoles($user instanceof UserInterface && $user->getRoles() === $roles); | |||
There was a problem hiding this comment.
Is this is expected... this affects all tokens today no? Should we optin thru config instead?
There was a problem hiding this comment.
This was my way of trying to safely opt everyone in automatically... but I don't think that's possible anymore, thanks to #24331 (comment)
So yea, I think we'll need to have a way to opt into this somehow...
|
@weaverryan status? |
|
I won't have time to finish this thoughtfully for inclusion in 3.4. So, I'm changing the milestone to 4.1. |
|
@weaverryan a clean implementation of the impersonation should not be using roles to store the old token (which requires using a custom Role object and not a string). |
|
@stof I hope we will be able to make some big moves like the one you mentioned for 4.1 (and yea, BC is especially hard with security). For this issue, there are still enough edge-cases that I will need to make this new behavior opt-in. |
|
Is there any progress in this matter? |
|
I support the tentative. For one of my applications I'm not able to migrate to newer version of Symfony because of the Would be great to have a way to refresh the token easily without being logout. |
|
@weaverryan Isn't it fixed by #31177? |
|
It’s complicated - so I’ll check in greater detail in a few hours :) |
|
Starting in Symfony 4.4 (thanks to #31177), if the roles on a user are modified (added or removed), the user will be logged out. That's not exactly what I was envisioning here, but that's the "safest" way for this to work. Another way that the feature could work (and what I was attempting here) is that when the roles on a user are updated, on the next refresh, the roles in the token are updated. So, if If someone is interested in that other way of making the system work, please open a pull request. I imagine that the idea behind this PR - and really the main code behind this PR - would still work. But there would need to be some way to opt-into the "refresh the roles" system... and make sure that the different roles on the 2 Users don't cause the user to be logged out. I'm not sure how to do that - but if you want the feature, you can create a PR and see if it can be figured out. Cheers! |
|
In case someone need to do it with Symfony 5.2 / ApiPlatform. In my case my app have 3 subscription plans with different roles. When the user subscribe to one plan I need to alter the subscription and so change the user roles. So the fact that Symfony properly logout after user changes is not good for user experience ... because you need to log in again after change. Here is my workaround : class User implements UserInterface, EquatableInterface
{
...
public function isEqualTo(UserInterface $user)
{
if(!$user instanceof static){
return false;
}
if($user->id !== $this->id){
return false;
}
if($user->email != $this->email){
return false;
}
if($user->password !== $this->password){
return false;
}
if($user->getSalt() !== $this->getSalt()){
return false;
}
return true;
}
...
}@weaverryan Let me know if there is some security concerns about that. |
|
@NathanDePachtere and with that, does it reload the roles for you? I'm using Symfony 5.1 now, with custom isEqualTo, however it never reloads updated roles. |
|
@ptrm04 The isEqualTo() function should be triggered when calling setRoles(['YOUR_NEW_ROLE']) on your user. So user's roles should already be updated, don't need to reload something. It's because you change roles that Symfony trigger its logic and compare user from session with your current user. |
|
@NathanDePachtere the code you pasted won't reload roles automatically within symfony, it will only not log a user out when roles change. So you must be doing something else in your code if you are saying your roles get updated in the user object stored in the session. Afaik currently once the roles are set upon login they are "set in stone" until the user logs out and logs back in again. I've created a documentation issue to update the docs to capture the recommended approach to reloading roles post-login: symfony/symfony-docs#14665 |
|
@ptrm04 I'm saying that the PHP User object is up to date not the session. As you mention you need to log back in if you want your session to be recreated and update. The only other thing I do is on my front : Don't know maybe I'm missing something but for now this is working fine for my project. |
This could also be considered a bug fix.
tl;dr; If your roles change in the database, then on next refresh, your security token's roles will now also change. The current behavior is that the token's roles do not change until logout. This PR changes that behavior.