Merge branch '2.10.x' into 2.x

* 2.10.x: Update CHANGELOG for v2.10.7 Prevent user enumeration
lexik · May 12, 2021 · 96495d0 · 96495d0
2 parents d9a7ab1 + 79ba5af
commit 96495d0
Show file tree

Hide file tree

Showing 3 changed files with 7 additions and 9 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,10 @@ bb1e6c3 - bug #838 Fix wiring GenerateKeyPairCommand when key paths are null (ch
 * feature [\#817](https://github.com/lexik/LexikJWTAuthenticationBundle/pull/817) Feat: add keypair generation command ([bpolaszek](https://github.com/bpolaszek))
 * feature [\#816](https://github.com/lexik/LexikJWTAuthenticationBundle/pull/816) Remove support for lcobucci/jwt <3.4 & symfony/* <4.4 ([chalasr](https://github.com/chalasr))
 
+## [2.10.7](https://github.com/lexik/LexikJWTAuthenticationBundle/tree/v2.10.7) (2020-05-12)
+
+* bug [a175d6dab9](https://github.com/lexik/LexikJWTAuthenticationBundle/commit/a175d6dab968d93e96a3e4f80c495435f71d5eb7) Prevent user enumeration via response content ([chalasr](https://github.com/chalasr))
+
 ## [2.10.6](https://github.com/lexik/LexikJWTAuthenticationBundle/tree/v2.10.6) (2020-01-20)
 
 * bug [\#827](https://github.com/lexik/LexikJWTAuthenticationBundle/pull/827) Use named constructor for lcobucci/jwt Ecdsa signers ([chalasr](https://github.com/chalasr))

diff --git a/Security/Guard/JWTTokenAuthenticator.php b/Security/Guard/JWTTokenAuthenticator.php
@@ -145,13 +145,7 @@ public function getUser($preAuthToken, UserProviderInterface $userProvider)
             throw new InvalidPayloadException($idClaim);
         }
 
-        $identity = $payload[$idClaim];
-
-        try {
-            $user = $this->loadUser($userProvider, $payload, $identity);
-        } catch (UsernameNotFoundException $e) {
-            throw new UserNotFoundException($idClaim, $identity);
-        }
+        $user = $this->loadUser($userProvider, $payload, $payload[$idClaim]);
 
         $this->preAuthenticationTokenStorage->setToken($preAuthToken);
 

diff --git a/Tests/Security/Guard/JWTTokenAuthenticatorTest.php b/Tests/Security/Guard/JWTTokenAuthenticatorTest.php
@@ -181,8 +181,8 @@ public function testGetUserWithInvalidUserThrowsException()
             ))->getUser($decodedToken, $userProvider);
 
             $this->fail(sprintf('Expected exception of type "%s" to be thrown.', UserNotFoundException::class));
-        } catch (UserNotFoundException $e) {
-            $this->assertSame('Unable to load an user with property "username" = "lexik". If the user identity has changed, you must renew the token. Otherwise, verify that the "lexik_jwt_authentication.user_identity_field" config option is correctly set.', $e->getMessageKey());
+        } catch (UsernameNotFoundException $e) {
+            $this->assertSame('lexik', $e->getUsername());
         }
     }