[Security] Allow passing remember-me parameters via RememberMeBadge

Author: nicolas-grekas

Authenticator/JsonLoginAuthenticator.php

@@ -81,15 +81,20 @@ public function supports(Request $request): ?bool
     public function authenticate(Request $request): Passport
     {
         try {
-            $credentials = $this->getCredentials($request);
+            $data = json_decode($request->getContent());
+            if (!$data instanceof \stdClass) {
+                throw new BadRequestHttpException('Invalid JSON.');
+            }
+
+            $credentials = $this->getCredentials($data);
         } catch (BadRequestHttpException $e) {
             $request->setRequestFormat('json');
 
             throw $e;
         }
 
         $userBadge = new UserBadge($credentials['username'], $this->userProvider->loadUserByIdentifier(...));
-        $passport = new Passport($userBadge, new PasswordCredentials($credentials['password']), [new RememberMeBadge()]);
+        $passport = new Passport($userBadge, new PasswordCredentials($credentials['password']), [new RememberMeBadge((array) $data)]);
 
         if ($this->userProvider instanceof PasswordUpgraderInterface) {
             $passport->addBadge(new PasswordUpgradeBadge($credentials['password'], $this->userProvider));
@@ -137,13 +142,8 @@ public function setTranslator(TranslatorInterface $translator)
         $this->translator = $translator;
     }
 
-    private function getCredentials(Request $request): array
+    private function getCredentials(\stdClass $data): array
     {
-        $data = json_decode($request->getContent());
-        if (!$data instanceof \stdClass) {
-            throw new BadRequestHttpException('Invalid JSON.');
-        }
-
         $credentials = [];
         try {
             $credentials['username'] = $this->propertyAccessor->getValue($data, $this->options['username_path']);
@@ -157,6 +157,7 @@ private function getCredentials(Request $request): array
 
         try {
             $credentials['password'] = $this->propertyAccessor->getValue($data, $this->options['password_path']);
+            $this->propertyAccessor->setValue($data, $this->options['password_path'], null);
 
             if (!\is_string($credentials['password'])) {
                 throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['password_path']));

Authenticator/Passport/Badge/RememberMeBadge.php

@@ -28,6 +28,11 @@ class RememberMeBadge implements BadgeInterface
 {
     private bool $enabled = false;
 
+    public function __construct(
+        public readonly array $parameters = [],
+    ) {
+    }
+
     /**
      * Enables remember-me cookie creation.
      *

EventListener/CheckRememberMeConditionsListener.php

@@ -13,7 +13,6 @@
 
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
-use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\ParameterBagUtils;
@@ -55,8 +54,8 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void
         /** @var RememberMeBadge $badge */
         $badge = $passport->getBadge(RememberMeBadge::class);
         if (!$this->options['always_remember_me']) {
-            $parameter = $this->getParameter($event->getRequest(), $this->options['remember_me_parameter']);
-            if (!('true' === $parameter || 'on' === $parameter || '1' === $parameter || 'yes' === $parameter || true === $parameter)) {
+            $parameter = ParameterBagUtils::getRequestParameterValue($event->getRequest(), $this->options['remember_me_parameter'], $badge->parameters);
+            if (!filter_var($parameter, \FILTER_VALIDATE_BOOL)) {
                 $this->logger?->debug('Remember me disabled; request does not contain remember me parameter ("{parameter}").', ['parameter' => $this->options['remember_me_parameter']]);
 
                 return;
@@ -70,23 +69,4 @@ public static function getSubscribedEvents(): array
     {
         return [LoginSuccessEvent::class => ['onSuccessfulLogin', -32]];
     }
-
-    private function getParameter(Request $request, string $parameterName): mixed
-    {
-        $parameter = ParameterBagUtils::getRequestParameterValue($request, $parameterName);
-        if (null !== $parameter) {
-            return $parameter;
-        }
-
-        if ('application/json' === $request->headers->get('Content-Type')) {
-            $data = json_decode($request->getContent());
-            if (!$data instanceof \stdClass) {
-                return null;
-            }
-
-            return $data->{$parameterName} ?? null;
-        }
-
-        return null;
-    }
 }

ParameterBagUtils.php

@@ -60,22 +60,28 @@ public static function getParameterBagValue(ParameterBag $parameters, string $pa
      *
      * @throws InvalidArgumentException when the given path is malformed
      */
-    public static function getRequestParameterValue(Request $request, string $path): mixed
+    public static function getRequestParameterValue(Request $request, string $path, array $parameters = []): mixed
     {
         if (false === $pos = strpos($path, '[')) {
-            return $request->get($path);
+            return $parameters[$path] ?? $request->get($path);
         }
 
         $root = substr($path, 0, $pos);
 
-        if (null === $value = $request->get($root)) {
+        if (null === $value = $parameters[$root] ?? $request->get($root)) {
             return null;
         }
 
         self::$propertyAccessor ??= PropertyAccess::createPropertyAccessor();
 
         try {
-            return self::$propertyAccessor->getValue($value, substr($path, $pos));
+            $value = self::$propertyAccessor->getValue($value, substr($path, $pos));
+
+            if (null === $value && isset($parameters[$root]) && null !== $value = $request->get($root)) {
+                $value = self::$propertyAccessor->getValue($value, substr($path, $pos));
+            }
+
+            return $value;
         } catch (AccessException) {
             return null;
         }

Tests/EventListener/CheckRememberMeConditionsListenerTest.php

@@ -59,7 +59,7 @@ public function testSuccessfulJsonLoginWithoutSupportingAuthenticator()
     public function testSuccessfulLoginWithoutRequestParameter()
     {
         $this->request = Request::create('/login');
-        $passport = $this->createPassport();
+        $passport = $this->createPassport([new RememberMeBadge()]);
 
         $this->listener->onSuccessfulLogin($this->createLoginSuccessfulEvent($passport));
 
@@ -110,7 +110,7 @@ public function testSuccessfulJsonLoginWithOptInRequestParameter($optInValue)
     {
         $this->createJsonRequest(['_remember_me' => $optInValue]);
 
-        $passport = $this->createPassport();
+        $passport = $this->createPassport([new RememberMeBadge(['_remember_me' => $optInValue])]);
 
         $this->listener->onSuccessfulLogin($this->createLoginSuccessfulEvent($passport));
 
@@ -133,7 +133,7 @@ private function createHttpRequest(): void
         $this->response = new Response();
     }
 
-    private function createJsonRequest(mixed $content = ['_remember_me' => true]): void
+    private function createJsonRequest(array $content = ['_remember_me' => true]): void
     {
         $this->request = Request::create('/login', 'POST', [], [], [], [], json_encode($content));
         $this->request->headers->add(['Content-Type' => 'application/json']);
@@ -147,6 +147,6 @@ private function createLoginSuccessfulEvent(Passport $passport)
 
     private function createPassport(array $badges = null)
     {
-        return new SelfValidatingPassport(new UserBadge('test', fn ($username) => new InMemoryUser($username, null)), $badges ?? [new RememberMeBadge()]);
+        return new SelfValidatingPassport(new UserBadge('test', fn ($username) => new InMemoryUser($username, null)), $badges ?? [new RememberMeBadge(['_remember_me' => true])]);
     }
 }