Document security pitfall when using multiple user providers and user specific authenticators

[xabbuh]

When creating your own authenticator (probably by using Guard) and you have more than one user provider, one needs to take extra caution when it comes to different authentication based on the way users are loaded.

For example, if you combine https://symfony.com/doc/current/security/multiple_user_providers.html and http://symfony.com/doc/current/security/guard_authentication.html you will probably want to check that you only use the API token authenticator with appropriate users.

[javiereguiluz]

I don't know how to solve this. Are you suggesting to add a $userProvider instanceof ApiUserProvider::class check somewhere inside getUser()? Thanks.

[xabbuh]

Usually, each user provider would probably support a different implementation of the UserInterface. Then, one could just check if said implementation is supported the authenticator.

[javiereguiluz]

Thanks, but I still don't understand what to do. Maybe you can show me some code to add in some method of that example? Thanks!

[xabbuh]

Having a quick glance at the guard code I think we could add a caution block like this:

.. caution::

    If you are using multiple user providers, you will also need to check that the
    user being returned by the ``getUser()`` method of your provider is a allowed
    to authenticate using a token::

        // ...

        public function getUser($credentials, UserProviderInterface $userProvider)
        {
            $apiKey = $credentials['token'];

            if (null === $apiKey) {
                return;
            }

            $user = $userProvider->loadUserByUsername($apiKey);

            // you can, for example, test that the returned user is an object of a particular class
            // alternatively, you can also check for certain attributes of your user objects
            if (!$user instance ApiKeyUser) {
                return;
            }

            return $user;
        }

ping @chalasr @ogizanagi

[ogizanagi]

Talking a bit with @chalasr: Not sure we need an extra caution block here. If you use an api token authentication, you're not likely to use the same provider. Users are not identified the same way (but it can be the very same user class).
Using a chain provider here is probably wrong in most cases and we should warn the user to properly think what provider should be used for his auth instead. WDYT?

[javiereguiluz]

Fixed by #9726.