BUG: EntityPrivileges do not get evaluated for Tokens implementing SessionlessTokenInterface
Is there an existing issue for this?
- [X] I have searched the existing issues
Current Behavior
If you have a Provider authenticating Tokens which implement SessionlessTokenInterface and access an action (which might or might not be protected), the PersistentObjectConverter runs before the action.
In that scenario nobody triggered AuthenticationManager::authenticate so the entity privileges are evaluated without an account in the securityContext.
Expected Behavior
The securityContext should contain the account, if the sessionless token can be authenticated.
Steps To Reproduce
Authenticate using a Provider implementing SessionlessTokenInterface, send the credentials with your current request and submit an entity which is already persisted. You'll get a "TargetNotFoundError" - even if your credentials allow the retrieval.
Environment
- Flow: 7.3
- PHP: 8.1 (irrelevant)
Anything else?
No response
This might be related to https://github.com/neos/flow-development-collection/issues/929
(will provide a PR soon. Hopefully together with a test case. But "authenticated" tests have been next to impossible in the past...)
The issue is that for session based tokens the status (authentication successful) is stored in the session, so after one is authenticated that way the status stays for every subsequent request without ever needing to (internally) trigger \Neos\Flow\Security\Authentication\AuthenticationProviderManager::authenticate() again, which works fine.
BUT in a sessionless token we obviously need to authenticate every request with the token as there is no persistent state available. It works for Method Privileges due to \Neos\Flow\Security\Authorization\Interceptor\PolicyEnforcement::invoke() calling authenticate, thus implicitly authenticating any tokens given in the request. Unfortunately \Neos\Flow\Security\Authorization\Privilege\Entity\Doctrine\SqlFilter::addFilterConstraint() does not (and I am not even sure that is the best place for EntityConstraints).
Either way, having authenticated sessionless tokens (authentication) currently fully depends on the respective security measure aka authorisation, which is pretty bad IMHO. The quick fix is to add this to the SqlFilter but I am sure this will come back to haunt us in other places, therefore I think the right solution is a middleware checking for tokens to be authenticated and triggering the authentication. There should be nothing speaking against doing that after the security context was initialized.
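An illustrative sketch of the middleware approach proposed in the comment above, added here as an example; it is not the project's code and not the PR mentioned in the thread. It assumes Flow's PSR-15 middleware chain, that the security context has already been initialized (its request set) at the position where this middleware is registered, and uses the hypothetical namespace Vendor\Package\Http.

```php
<?php
declare(strict_types=1);

namespace Vendor\Package\Http; // hypothetical package namespace, not a Flow class

use Neos\Flow\Annotations as Flow;
use Neos\Flow\Security\Authentication\AuthenticationManagerInterface;
use Neos\Flow\Security\Authentication\Token\SessionlessTokenInterface;
use Neos\Flow\Security\Context as SecurityContext;
use Neos\Flow\Security\Exception as SecurityException;
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use Psr\Http\Server\MiddlewareInterface;
use Psr\Http\Server\RequestHandlerInterface;

/**
 * Authenticates sessionless tokens once per request, before any action or
 * property mapping runs, so entity privileges are evaluated with an account
 * in the security context instead of depending on PolicyEnforcement::invoke().
 */
final class AuthenticateSessionlessTokensMiddleware implements MiddlewareInterface
{
    /** @Flow\Inject @var SecurityContext */
    protected $securityContext;

    /** @Flow\Inject @var AuthenticationManagerInterface */
    protected $authenticationManager;

    public function process(ServerRequestInterface $request, RequestHandlerInterface $next): ResponseInterface
    {
        // Assumption: the context is initialized at this point in the chain; otherwise do nothing.
        if (!$this->securityContext->isInitialized()) {
            return $next->handle($request);
        }
        // Only act when a sessionless token carries credentials that were not verified yet.
        foreach ($this->securityContext->getAuthenticationTokens() as $token) {
            if ($token instanceof SessionlessTokenInterface && !$token->isAuthenticated()) {
                try {
                    // The same call PolicyEnforcement::invoke() makes for method privileges.
                    $this->authenticationManager->authenticate();
                } catch (SecurityException $exception) {
                    // Missing or invalid credentials: continue unauthenticated; authorization
                    // (method and entity privileges) still decides what the request may access.
                }
                break;
            }
        }
        return $next->handle($request);
    }
}
```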