[Security] Throw an explicit error when refreshing a token with a null user

alexandre-daubois · alexandre-daubois · commit f4157adc5eae · 2025-01-23T09:38:36.000+01:00
diff --git a/src/Symfony/Component/Security/Http/Firewall/ContextListener.php b/src/Symfony/Component/Security/Http/Firewall/ContextListener.php
@@ -192,6 +192,9 @@ public function onKernelResponse(ResponseEvent $event): void
     protected function refreshUser(TokenInterface $token): ?TokenInterface
     {
         $user = $token->getUser();
+        if (null === $user) {
+            throw new \UnexpectedValueException('Cannot refresh token because it contains a null user.');
+        }
 
         $userNotFoundByProvider = false;
         $userDeauthenticated = false;
diff --git a/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php b/src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php
@@ -36,6 +36,7 @@
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Firewall\ContextListener;
+use Symfony\Component\Security\Http\Tests\Fixtures\NullUserToken;
 use Symfony\Contracts\Service\ServiceLocatorTrait;
 
 class ContextListenerTest extends TestCase
@@ -58,6 +59,30 @@ public function testUserProvidersNeedToImplementAnInterface()
         $this->handleEventWithPreviousSession([new \stdClass()]);
     }
 
+    public function testTokenReturnsNullUser()
+    {
+        $tokenStorage = new TokenStorage();
+        $tokenStorage->setToken(new NullUserToken());
+
+        $session = new Session(new MockArraySessionStorage());
+        $session->set('_security_context_key', serialize($tokenStorage->getToken()));
+
+        $request = new Request();
+        $request->setSession($session);
+        $request->cookies->set('MOCKSESSID', true);
+
+        $listener = new ContextListener($tokenStorage, [], 'context_key');
+
+        $this->expectException(\UnexpectedValueException::class);
+        $this->expectExceptionMessage('Cannot refresh token because it contains a null user.');
+
+        $listener->authenticate(new RequestEvent(
+            $this->createMock(HttpKernelInterface::class),
+            $request,
+            HttpKernelInterface::MAIN_REQUEST,
+        ));
+    }
+
     public function testOnKernelResponseWillAddSession()
     {
         $session = $this->runSessionOnKernelResponse(
diff --git a/src/Symfony/Component/Security/Http/Tests/Fixtures/NullUserToken.php b/src/Symfony/Component/Security/Http/Tests/Fixtures/NullUserToken.php
@@ -0,0 +1,23 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Tests\Fixtures;
+
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+class NullUserToken extends AbstractToken
+{
+    public function getUser(): ?UserInterface
+    {
+        return null;
+    }
+}

Original file line number	Diff line number	Diff line change
`@@ -192,6 +192,9 @@ public function onKernelResponse(ResponseEvent $event): void`
`192`	`192`	`protected function refreshUser(TokenInterface $token): ?TokenInterface`
`193`	`193`	`{`
`194`	`194`	`$user = $token->getUser();`
	`195`	`+ if (null === $user) {`
	`196`	`+ throw new \UnexpectedValueException('Cannot refresh token because it contains a null user.');`
	`197`	`+ }`
`195`	`198`
`196`	`199`	`$userNotFoundByProvider = false;`
`197`	`200`	`$userDeauthenticated = false;`