Skip to content

[Security][Login Link] Allow null and DateTime objects to be used as signatureProperties #38505

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Oct 11, 2020
Merged

[Security][Login Link] Allow null and DateTime objects to be used as signatureProperties #38505

merged 1 commit into from
Oct 11, 2020

Conversation

wouterj
Copy link
Member

@wouterj wouterj commented Oct 10, 2020
edited
Loading

Q A
Branch? 5.x
Bug fix? no
New feature? yes
Deprecations? no
Tickets -
License MIT
Doc PR -

Returning DateTime objects seems like a common use-case to automatically expire all login links when one is used or to only allow the login link to be used once.

Before

class User
{
    private ?\DateTime $lastAuthenticatedAt = null;
    // ...

    public function getLastAuthenticatedAtString(): string
    {
        return null === $this->lastAuthenticatedAt ? '' : $this->lastAuthenticatedAt->format('c');
    }
}
security:
  firewalls:
    main:
      login_link:
        # ...
        signature_properties: ['lastAuthenticatedAtString']

After

class User
{
    private ?\DateTime $lastAuthenticatedAt = null;
    // ...

    public function getLastAuthenticatedAt(): ?\DateTime
    {
        return $this->lastAuthenticatedAt;
    }
}
security:
  firewalls:
    main:
      login_link:
        # ...
        signature_properties: ['lastAuthenticatedAt']

The disadvantage of this patch is that there needs to be some boundary as to which objects we want to support casting to a scalar, but I'm convinced that DateTime objects will commonly be used as signature properties.

cc @weaverryan

@wouterj
Allow null and DateTime objects to be used as signatureProperties
0f947b2 
Returning DateTime objects seems like a common use-case to automatically expire
all login links when one is used or to only allow the login link to be used
once.
@wouterj wouterj force-pushed the magiclink/widen-scalar-requirement branch from b95a36d to 0f947b2 Compare October 10, 2020 13:09
@fabpot
Copy link
Member

fabpot commented Oct 11, 2020

Thank you @wouterj.

@fabpot fabpot mentioned this pull request Oct 11, 2020
Closed
@fabpot fabpot merged commit b9d4a2b into symfony:5.x Oct 11, 2020
@wouterj wouterj deleted the magiclink/widen-scalar-requirement branch October 11, 2020 08:00
@javiereguiluz javiereguiluz mentioned this pull request Oct 11, 2020
Closed
@fabpot fabpot mentioned this pull request Oct 14, 2020
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

Assignees
No one assigned
Labels
Feature Security Status: Reviewed
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@wouterj @fabpot @carsonbot