IBX-10654: Made authorization error messages less verbose

konradoboza · web-flow · commit b7c88ec4492b · 2025-10-16T15:32:58.000+02:00
For more details see https://issues.ibexa.co/browse/IBX-10654 Key changes: * Made authorization error messages less verbose
diff --git a/src/bundle/Security/Authentication/DefaultAuthenticationFailureHandler.php b/src/bundle/Security/Authentication/DefaultAuthenticationFailureHandler.php
@@ -12,6 +12,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler as HttpDefaultAuthenticationFailureHandler;
 
 final class DefaultAuthenticationFailureHandler extends HttpDefaultAuthenticationFailureHandler
@@ -26,6 +27,17 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
             ]);
         }
 
+        if ($exception instanceof BadCredentialsException) {
+            $previous = $exception->getPrevious();
+            $code = $previous ? $previous->getCode() : 0;
+
+            $exception = new BadCredentialsException(
+                'Bad credentials.',
+                $code,
+                $previous
+            );
+        }
+
         return parent::onAuthenticationFailure($request, $exception);
     }
 }
diff --git a/tests/lib/Security/Authentication/DefaultAuthenticationFailureHandlerTest.php b/tests/lib/Security/Authentication/DefaultAuthenticationFailureHandlerTest.php
@@ -0,0 +1,94 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\Tests\Bundle\User\Security\Authentication;
+
+use Ibexa\Bundle\User\Security\Authentication\DefaultAuthenticationFailureHandler;
+use Ibexa\Contracts\Core\Repository\Exceptions\PasswordInUnsupportedFormatException;
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Session\Session;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Http\HttpUtils;
+
+final class DefaultAuthenticationFailureHandlerTest extends TestCase
+{
+    private DefaultAuthenticationFailureHandler $handler;
+
+    private MockObject&HttpUtils $httpUtils;
+
+    protected function setUp(): void
+    {
+        $this->httpUtils = $this->createMock(HttpUtils::class);
+        $this->handler = new DefaultAuthenticationFailureHandler(
+            $this->createMock(HttpKernelInterface::class),
+            $this->httpUtils
+        );
+    }
+
+    public function testHandlePasswordInUnsupportedFormatException(): void
+    {
+        $request = $this->getRequest();
+        $exception = new PasswordInUnsupportedFormatException();
+        $expectedUrl = '/forgot-password';
+
+        $this->httpUtils
+            ->expects(self::once())
+            ->method('generateUri')
+            ->with($request, 'ibexa.user.forgot_password.migration')
+            ->willReturn($expectedUrl);
+
+        $this->handler->onAuthenticationFailure($request, $exception);
+    }
+
+    public function testOnAuthenticationFailureAltersBadCredentialsExceptionMessage(): void
+    {
+        $session = $this->getSession();
+        $session
+            ->expects(self::once())
+            ->method('set')
+            ->with(
+                '_security.last_error',
+                self::callback(static function (AuthenticationException $exception): bool {
+                    self::assertInstanceOf(BadCredentialsException::class, $exception);
+                    self::assertSame('Bad credentials.', $exception->getMessage());
+
+                    return true;
+                })
+            );
+
+        $request = $this->getRequest($session);
+        $originalException = new BadCredentialsException('Original message');
+
+        $this->httpUtils
+            ->expects(self::once())
+            ->method('createRedirectResponse')
+            ->with($request);
+
+        $this->handler->onAuthenticationFailure($request, $originalException);
+    }
+
+    private function getRequest(?Session $session = null): Request
+    {
+        $request = new Request();
+        $request->setSession($session ?? $this->getSession());
+
+        return $request;
+    }
+
+    public function getSession(): MockObject&Session
+    {
+        $session = $this->createMock(Session::class);
+        $session->expects(self::any())->method('isStarted')->willReturn(true);
+
+        return $session;
+    }
+}
