Clear token on user mistmatch

stethome · Nov 6, 2023 · 1f92525 · 1f92525
1 parent d608327
commit 1f92525
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 4 deletions.
diff --git a/Makefile b/Makefile
@@ -1,3 +1,3 @@
 
 cs:
-	docker run --rm -it -w=/app -v ${CURDIR}:/app oskarstark/php-cs-fixer-ga:latest
+	docker run --rm -w=/app -v $(CURDIR):/app oskarstark/php-cs-fixer-ga:latest
diff --git a/src/DependencyInjection/OryKratosAuthenticatorFactory.php b/src/DependencyInjection/OryKratosAuthenticatorFactory.php
@@ -80,7 +80,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
             ->setDefinition($authenticatorId, new ChildDefinition($config['authenticator']))
             ->replaceArgument(0, new Reference($clientId))
             ->replaceArgument(1, new Reference($userProviderId))
-            ->replaceArgument(3, $config['session_check'])
+            ->replaceArgument(4, $config['session_check'])
         ;
 
         return $authenticatorId;

diff --git a/src/Resources/config/authenticator.xml b/src/Resources/config/authenticator.xml
@@ -9,6 +9,7 @@
             <argument /> <!-- Ory Kratos Client -->
             <argument /> <!-- User Provider -->
             <argument type="service" id="security.helper" on-invalid="exception" />
+            <argument type="service" id="security.token_storage" on-invalid="exception" />
             <argument /> <!-- Check session -->
             <argument type="service" id="debug.stopwatch" on-invalid="null" />
         </service>

diff --git a/src/Security/Authenticator/OryKratosAuthenticator.php b/src/Security/Authenticator/OryKratosAuthenticator.php
@@ -10,11 +10,13 @@
 use StethoMe\OryAuthBundle\Services\OryKratosClient;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\ChainUserProvider;
+use Symfony\Component\Security\Core\User\EquatableInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
@@ -30,6 +32,7 @@ public function __construct(
         private readonly OryKratosClient $kratos,
         private readonly UserProviderInterface $userProvider,
         private readonly Security $security,
+        private readonly TokenStorageInterface $tokenStorage,
         private readonly bool $checkSession = true,
         private readonly ?Stopwatch $stopwatch = null,
     ) {
@@ -66,8 +69,10 @@ public function authenticate(Request $request): Passport
         // keep current user if we're only checking if the Ory Kratos session has not expired
         if ($this->checkSession && $user = $this->security->getUser()) {
             // handle user switching accounts outside our application
-            if ($this->loadUser($session->getIdentity()->getId(), $session)->getUserIdentifier() !== $user->getUserIdentifier()) {
-                throw new AuthenticationException('Session user not equal application user!');
+            $newUser = $this->loadUser($session->getIdentity()->getId(), $session);
+            if ($newUser instanceof EquatableInterface && !$newUser->isEqualTo($user)) {
+                $this->tokenStorage->setToken(null);
+                throw new UserNotFoundException('Session user not equal application user!');
             }
 
             return new SelfValidatingPassport(