Check user on onAuthenticationSuccessResponse

[Matx99]

Hey guys, I have an onAuthenticationSuccessResponse event where I check my user's status. I know token has already been created but I return a 403 response if user isn't verified, and it doesn't return my token then. Would like to know if it's fine do it this way

/**
 * @param AuthenticationSuccessEvent $event
 */
public function onAuthenticationSuccessResponse(AuthenticationSuccessEvent $event)
{
    $data = $event->getData();
    $user = $event->getUser();

    if (!$user instanceof UserInterface) {
        throw new Exception("Erreur survenue");
    }

    if ($user instanceof User) {
        if (!$user->getIsVerified()){
            throw new AccessDeniedException("Erreur survenue.");
        }
    }
    $event->setData($data);
}

[fd6130]

You can try user checker https://symfony.com/doc/current/security/user_checkers.html

[Matx99]

However, throw new CustomUserMessageAccountStatusException isn't managed in production mode. It returns 500 error. So I'll just use throw new AccessDeniedException("Erreur survenue."); inside checkPreAuth function, is it alright?

[chalasr]

I fear it is not as the UserCheckerInterface's contract tells about AccountStatusException only. The fact it leads to a 500 sounds weird.

[Matx99]

@chalasr Everything leads me to 500 with check user. Can I keep my first solution which allows me to return a 403 on login if user isn't verified? This one:

/**
 * @param AuthenticationSuccessEvent $event
 */
public function onAuthenticationSuccessResponse(AuthenticationSuccessEvent $event)
{
    $data = $event->getData();
    $user = $event->getUser();

    if (!$user instanceof UserInterface) {
        throw new Exception("Erreur survenue");
    }

    if ($user instanceof User) {
        if (!$user->getIsVerified()){
            throw new AccessDeniedException("Erreur survenue.");
        }
    }
    $event->setData($data);
}

[Matx99]

Is it a security issue or just not the normal way to do it? All I know is, it works for me like this, but I was wondering if it creates security problem or not

[fd6130]

If you apply it in dev mode, what is the exception show in profiler?

Another solution is write your own exception class and subscriber so you can return a json response instead of symfony error page in prod. I always do that when I need my front end to receive a json response and not html error page.