API token used as user identifier in custom authenticator example #15886

Closed
@ihmels

Description

In the example for a custom authenticator, the API key is passed to the UserBadge as the user identifier. However, it cannot be assumed that the API key is the same as the user identifier. Doesn't the user identifier have to be determined from the API token and then passed to the UserBadge?

    public function authenticate(Request $request): Passport
    {
        $apiToken = $request->headers->get('X-AUTH-TOKEN');
        if (null === $apiToken) {
            // The token header was empty, authentication fails with HTTP Status
            // Code 401 "Unauthorized"
            throw new CustomUserMessageAuthenticationException('No API token provided');
        }

        return new SelfValidatingPassport(new UserBadge($apiToken));
    }

Labels: Security, hasPR (A Pull Request has already been submitted for this issue.)
