Bug #36997

Use ActionRequest to validate authentication tokens

Added by Bastian Waidelich over 9 years ago. Updated over 9 years ago.

Status: Resolved
Priority: Should have
Category: Security
Start date: 2012-05-09
Due date:
% Done: 100%
Estimated time:
PHP Version:
Has patch: No
Complexity:

Description

Currently the security context passes the HTTP Request to TokenInterface::updateCredentials() in updateTokens().

This has the disadvantage that authentication tokens can only access raw GET / POST parameters from the HTTP request. Arguments that are only available through routing are not accessible.

Take for example a token based authentication mechanism:

Routes.yaml:

-
  uriPattern: 'aproveToken/{__authentication.Some.Package.Authentication.AuthenticationKey.code}'
  defaults:
    '@package':    'Some.Package'
    '@controller': 'Some'
    '@action':     'aproveToken'

In the authentication token there is no way to access the "__authentication.Some.Package.Authentication.AuthenticationKey.code" argument.
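
The gap described above, as an added example that is not part of the original report and not the framework's own code: a simplified stand-alone model in which the authentication code exists only as a path segment resolved by routing, so a token that is handed only raw GET / POST parameters finds no credentials. All function names and the sample request are assumptions made for illustration.

```php
<?php
// Simplified model only; function names are hypothetical, not the framework's API.
const AUTH_ARG = '__authentication.Some.Package.Authentication.AuthenticationKey.code';

// Match a path against a "{placeholder}" pattern; return routing arguments or null.
function matchRoute(string $uriPattern, string $path): ?array
{
    $patternParts = explode('/', trim($uriPattern, '/'));
    $pathParts = explode('/', trim($path, '/'));
    if (count($patternParts) !== count($pathParts)) {
        return null;
    }
    $arguments = [];
    foreach ($patternParts as $i => $part) {
        if (preg_match('/^\{(.+)\}$/', $part, $m) === 1) {
            // Dynamic segment: its value becomes a routing argument.
            $arguments[$m[1]] = rawurldecode($pathParts[$i]);
        } elseif ($part !== $pathParts[$i]) {
            return null; // Static segment does not match.
        }
    }
    return $arguments;
}

// Token handed only the raw HTTP request: sees GET / POST parameters, nothing else.
function credentialsFromHttpRequest(array $get, array $post): ?string
{
    $raw = array_merge($get, $post);
    return $raw[AUTH_ARG] ?? null;
}

// Token handed the routed request: also sees arguments resolved by the router.
function credentialsFromRoutedRequest(array $get, array $post, array $routeArguments): ?string
{
    $all = array_merge($get, $post, $routeArguments);
    return $all[AUTH_ARG] ?? null;
}

// Constructed sample request: the code travels in the path, GET and POST are empty.
$pattern = 'aproveToken/{' . AUTH_ARG . '}';
$path = 'aproveToken/constructed-sample-code';
$routeArguments = matchRoute($pattern, $path) ?? [];

var_dump(credentialsFromHttpRequest([], []));                    // raw request only
var_dump(credentialsFromRoutedRequest([], [], $routeArguments)); // after routing
```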

#1

Updated by Gerrit Code Review over 9 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#2

Updated by Gerrit Code Review over 9 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#3

Updated by Gerrit Code Review over 9 years ago

Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/11100

#4

Updated by Bastian Waidelich over 9 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
