From 7e1a5269333d0d5a4844f03e11e4c41299e71f26 Mon Sep 17 00:00:00 2001
From: Robin Chalas
Date: Sat, 2 Jan 2021 17:06:12 +0100
Subject: [PATCH] [Security][Guard] Prevent user enumeration via response content
---
 Authentication/Provider/UserAuthenticationProvider.php | 3 ++-
 .../Provider/UserAuthenticationProviderTest.php | 8 ++++----
 2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/Authentication/Provider/UserAuthenticationProvider.php b/Authentication/Provider/UserAuthenticationProvider.php
index 172556ac..9557fa00 100644
--- a/Authentication/Provider/UserAuthenticationProvider.php
+++ b/Authentication/Provider/UserAuthenticationProvider.php
@@ -13,6 +13,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Exception\AccountStatusException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
@@ -83,7 +84,7 @@ public function authenticate(TokenInterface $token)
 $this->userChecker->checkPreAuth($user);
 $this->checkAuthentication($user, $token);
 $this->userChecker->checkPostAuth($user);
- } catch (BadCredentialsException $e) {
+ } catch (AccountStatusException $e) {
 if ($this->hideUserNotFoundExceptions) {
 throw new BadCredentialsException('Bad credentials.', 0, $e);
 }
diff --git a/Tests/Authentication/Provider/UserAuthenticationProviderTest.php b/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
index 7b984e30..c20b6ca2 100644
--- a/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
+++ b/Tests/Authentication/Provider/UserAuthenticationProviderTest.php
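Review bot: The new `catch (AccountStatusException $e)` at hunk -83 no longer matches BadCredentialsException, so a BadCredentialsException raised inside `checkAuthentication()` now propagates with its original message even when `$this->hideUserNotFoundExceptions` is set, whereas the removed line normalized it to 'Bad credentials.'; as far as I can tell BadCredentialsException does not extend AccountStatusException, so this drops the existing masking instead of widening it. A multi-catch keeps both behaviours: `} catch (AccountStatusException|BadCredentialsException $e) {`. The catch block and `authenticate()` continue outside the hunk, and the documentation of `hideUserNotFoundExceptions` (also outside the hunk) should state that it now masks account-status failures as well, since the name suggests only user-not-found is hidden. The repurposed test at hunk -116 of the test file was the only place the old normalization was pinned, so it needs a companion case rather than a replacement.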
@@ -79,7 +79,7 @@ public function testAuthenticateWhenProviderDoesNotReturnAnUserInterface()
 public function testAuthenticateWhenPreChecksFails()
 {
- $this->expectException('Symfony\Component\Security\Core\Exception\CredentialsExpiredException');
+ $this->expectException(BadCredentialsException::class);
 $userChecker = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserCheckerInterface')->getMock();
 $userChecker->expects($this->once())
 ->method('checkPreAuth')
@@ -97,7 +97,7 @@ public function testAuthenticateWhenPreChecksFails()
 public function testAuthenticateWhenPostChecksFails()
 {
- $this->expectException('Symfony\Component\Security\Core\Exception\AccountExpiredException');
+ $this->expectException(BadCredentialsException::class);
 $userChecker = $this->getMockBuilder('Symfony\Component\Security\Core\User\UserCheckerInterface')->getMock();
 $userChecker->expects($this->once())
 ->method('checkPostAuth')
@@ -116,7 +116,7 @@ public function testAuthenticateWhenPostChecksFails()
 public function testAuthenticateWhenPostCheckAuthenticationFails()
 {
 $this->expectException('Symfony\Component\Security\Core\Exception\BadCredentialsException');
- $this->expectExceptionMessage('Bad credentials');
+ $this->expectExceptionMessage('Bad credentials.');
 $provider = $this->getProvider();
 $provider->expects($this->once())
 ->method('retrieveUser')
@@ -124,7 +124,7 @@ public function testAuthenticateWhenPostCheckAuthenticationFails()
 ;
 $provider->expects($this->once())
 ->method('checkAuthentication')
- ->willThrowException(new BadCredentialsException())
+ ->willThrowException(new CredentialsExpiredException())
 ;
 $provider->authenticate($this->getSupportedToken());
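Review bot: Swapping the `new BadCredentialsException()` stub at hunk -124 for `new CredentialsExpiredException()` removes the only case that pinned how a BadCredentialsException thrown by `checkAuthentication()` is normalized, and the `expectException(BadCredentialsException::class)` assertions at hunks -79, -97 and -116 only check the outer type, not that the masked exception is still attached as `getPrevious()` for server-side logging. I would keep the old stub as its own test and, in `testAuthenticateWhenPostCheckAuthenticationFails`, replace the two `expect*` lines at hunk -116 with a try/catch that asserts the message and the chain, as sketched below. Hunk -116 still passes the string FQCN to `expectException` where hunks -79 and -97 switched to `BadCredentialsException::class`; the `::class` form would be consistent. I cannot see whether any test covers the `hideUserNotFoundExceptions` false path, where the AccountStatusException should pass through unchanged; if none exists it is worth adding. The closing braces of these test methods are outside the hunks.
```php
    public function testAuthenticateWhenPostCheckAuthenticationFails()
    {
        // … unchanged: getProvider() and the retrieveUser / checkAuthentication mock set-up …
        try {
            $provider->authenticate($this->getSupportedToken());
            $this->fail('BadCredentialsException was not thrown');
        } catch (BadCredentialsException $e) {
            $this->assertSame('Bad credentials.', $e->getMessage());
            $this->assertInstanceOf(CredentialsExpiredException::class, $e->getPrevious());
        }
```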