Merge branch '6.0' into 6.1

* 6.0:
  [Notifier] Fix markdown
  [Security] Fix outdated docblock
  Update PR template
  Bump Symfony version to 6.0.17
  Update VERSION for 6.0.16
  Update CHANGELOG for 6.0.16
  Bump Symfony version to 5.4.17
  Update VERSION for 5.4.16
  Update CHANGELOG for 5.4.16
  Update VERSION for 4.4.49
  Update CONTRIBUTORS for 4.4.49
  Update CHANGELOG for 4.4.49
  [Security][LoginLink] Throw InvalidLoginLinkException on missing parameter

Author: nicolas-grekas

Authentication/AuthenticationSuccessHandlerInterface.php

@@ -27,9 +27,7 @@
 interface AuthenticationSuccessHandlerInterface
 {
     /**
-     * This is called when an interactive authentication attempt succeeds. This
-     * is called by authentication listeners inheriting from
-     * AbstractAuthenticationListener.
+     * Usually called by AuthenticatorInterface::onAuthenticationSuccess() implementations.
      */
     public function onAuthenticationSuccess(Request $request, TokenInterface $token): Response;
 }

LoginLink/LoginLinkHandler.php

@@ -89,8 +89,12 @@ public function consumeLoginLink(Request $request): UserInterface
             throw new InvalidLoginLinkException('User not found.', 0, $exception);
         }
 
-        $hash = $request->get('hash');
-        $expires = $request->get('expires');
+        if (!$hash = $request->get('hash')) {
+            throw new InvalidLoginLinkException('Missing "hash" parameter.');
+        }
+        if (!$expires = $request->get('expires')) {
+            throw new InvalidLoginLinkException('Missing "expires" parameter.');
+        }
 
         try {
             $this->signatureHasher->verifySignatureHash($user, $expires, $hash);

Tests/LoginLink/LoginLinkHandlerTest.php

@@ -182,6 +182,30 @@ public function testConsumeLoginLinkExceedsMaxUsage()
         $linker->consumeLoginLink($request);
     }
 
+    public function testConsumeLoginLinkWithMissingHash()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', '[email protected]', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&expires=10000');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
+    public function testConsumeLoginLinkWithMissingExpiration()
+    {
+        $user = new TestLoginLinkHandlerUser('weaverryan', '[email protected]', 'pwhash');
+        $this->userProvider->createUser($user);
+
+        $this->expectException(InvalidLoginLinkException::class);
+        $request = Request::create('/login/verify?user=weaverryan&hash=thehash');
+
+        $linker = $this->createLinker();
+        $linker->consumeLoginLink($request);
+    }
+
     private function createSignatureHash(string $username, int $expires, array $extraFields): string
     {
         $fields = [base64_encode($username), $expires];