From 0e0731e0fd75614b42fbd097686899bf17c13778 Mon Sep 17 00:00:00 2001
From: Maciej Kobus
Date: Wed, 9 Dec 2020 10:37:09 +0100
Subject: [PATCH] EZP-32215: Made `ezpublish_rest.session_authenticator` dependency (#60)
---
 src/bundle/Resources/config/services.yml | 2 +-
 .../Server/Controller/SessionController.php | 30 ++++++++++++++-----
 2 files changed, 23 insertions(+), 9 deletions(-)
diff --git a/src/bundle/Resources/config/services.yml b/src/bundle/Resources/config/services.yml
index 45a5d0df..39317295 100644
--- a/src/bundle/Resources/config/services.yml
+++ b/src/bundle/Resources/config/services.yml
@@ -243,10 +243,10 @@ services:
 class: EzSystems\EzPlatformRest\Server\Controller\SessionController
 parent: ezpublish_rest.controller.base
 arguments:
- - "@ezpublish_rest.session_authenticator"
 - "%ezpublish_rest.csrf_token_intention%"
 - '@eZ\Publish\API\Repository\PermissionResolver'
 - '@ezpublish.api.service.user'
+ - "@?ezpublish_rest.session_authenticator"
 - "@?ezpublish_rest.security.csrf.token_manager"
 tags: [controller.service_arguments]
diff --git a/src/lib/Server/Controller/SessionController.php b/src/lib/Server/Controller/SessionController.php
index 426c0e24..fadedfae 100644
--- a/src/lib/Server/Controller/SessionController.php
+++ b/src/lib/Server/Controller/SessionController.php
@@ -24,7 +24,7 @@ class SessionController extends Controller
 {
- /** @var \eZ\Publish\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface */
+ /** @var \eZ\Publish\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface|null */
 private $authenticator;
 /** @var \EzSystems\EzPlatformRest\Server\Security\CsrfTokenManager */
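Review bot: Changing the reference to `@?ezpublish_rest.session_authenticator` removes the container-compile-time guarantee that the authenticator exists; a missing or mistyped service id now silently injects null and the failure only surfaces when a session endpoint is requested. That is presumably the intent (the authenticator is only defined when a firewall enables the REST session listener), but nothing in the file records why this argument is optional, so a later reader may "fix" it back to a hard reference. I would put `# optional: only defined when a firewall enables ezpublish_rest_session` on the line above the new argument, alongside the already-optional CSRF token manager reference. The service definition this hunk belongs to starts before the hunk.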
@@ -43,10 +43,10 @@ class SessionController extends Controller
 private $csrfTokenStorage;
 public function __construct(
- AuthenticatorInterface $authenticator,
 $tokenIntention,
 PermissionResolver $permissionResolver,
 UserService $userService,
+ ?AuthenticatorInterface $authenticator = null,
 CsrfTokenManager $csrfTokenManager = null,
 TokenStorageInterface $csrfTokenStorage = null
 ) {
@@ -83,7 +83,7 @@ public function createSessionAction(Request $request)
 $this->checkCsrfToken($request);
 }
- $token = $this->authenticator->authenticate($request);
+ $token = $this->getAuthenticator()->authenticate($request);
 $csrfToken = $this->getCsrfToken();
 return new Values\UserSession(
@@ -97,10 +97,10 @@ public function createSessionAction(Request $request)
 // Already logged in with another user, this will be converted to HTTP status 409
 return new Values\Conflict();
 } catch (AuthenticationException $e) {
- $this->authenticator->logout($request);
+ $this->getAuthenticator()->logout($request);
 throw new UnauthorizedException('Invalid login or password', $request->getPathInfo());
 } catch (AccessDeniedException $e) {
- $this->authenticator->logout($request);
+ $this->getAuthenticator()->logout($request);
 throw new UnauthorizedException($e->getMessage(), $request->getPathInfo());
 }
 }
@@ -119,7 +119,7 @@ public function refreshSessionAction($sessionId, Request $request)
 $session = $request->getSession();
 if ($session === null || !$session->isStarted() || $session->getId() != $sessionId || !$this->hasStoredCsrfToken()) {
- $response = $this->authenticator->logout($request);
+ $response = $this->getAuthenticator()->logout($request);
 $response->setStatusCode(404);
 return $response;
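Review bot: Moving `$authenticator` from the first constructor parameter to the fifth is a breaking change for any subclass or manual instantiation that passes arguments positionally; only services.yml is updated in this commit, so an out-of-tree caller using the old order would hand `$tokenIntention` to the `?AuthenticatorInterface` slot and fail with a TypeError at construction. If the reorder is deliberate, state it in the PR description and add a constructor docblock line `@param \eZ\Publish\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface|null $authenticator null unless a firewall enables ezpublish_rest_session` so the deferred failure mode is visible to readers. The new parameter uses the explicit `?AuthenticatorInterface` form while the two parameters that follow it still rely on implicit nullability via `= null`, which is deprecated as of PHP 8.4; `?CsrfTokenManager $csrfTokenManager = null, ?TokenStorageInterface $csrfTokenStorage = null` keeps the signature consistent. The constructor body continues outside the hunk.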
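Review bot: The guard on the line directly above the changed call in `refreshSessionAction` compares the URL path parameter with a loose `$session->getId() != $sessionId`; this is pre-existing rather than introduced here, but `$sessionId` is attacker-controlled input and PHP's loose comparison treats numeric-looking strings numerically, so `$session->getId() !== $sessionId` is the check a session-id match should use (the same pattern appears in `deleteSessionAction`). Also worth noting: with the authenticator now optional, this branch turns the intended 404 into an uncaught `\RuntimeException` when no authenticator was injected, which is presumably acceptable since the endpoint cannot work at all in that configuration, but it should be a conscious choice. The enclosing method starts before and continues after the hunk.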
@@ -153,7 +153,7 @@ public function deleteSessionAction($sessionId, Request $request)
 /** @var $session \Symfony\Component\HttpFoundation\Session\Session */
 $session = $request->getSession();
 if (!$session->isStarted() || $session->getId() != $sessionId || !$this->hasStoredCsrfToken()) {
- $response = $this->authenticator->logout($request);
+ $response = $this->getAuthenticator()->logout($request);
 $response->setStatusCode(404);
 return $response;
@@ -161,7 +161,7 @@ public function deleteSessionAction($sessionId, Request $request)
 $this->checkCsrfToken($request);
- return new Values\DeletedUserSession($this->authenticator->logout($request));
+ return new Values\DeletedUserSession($this->getAuthenticator()->logout($request));
 }
 /**
@@ -223,4 +223,18 @@ private function getCsrfToken()
 return $this->csrfTokenManager->getToken($this->csrfTokenIntention)->getValue();
 }
+
+ private function getAuthenticator(): ?AuthenticatorInterface
+ {
+ if (null === $this->authenticator) {
+ throw new \RuntimeException(
+ sprintf(
+ "No %s instance injected. Ensure 'ezpublish_rest_session' is configured under your firewall",
+ AuthenticatorInterface::class
+ )
+ );
+ }
+
+ return $this->authenticator;
+ }
 }
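Review bot: `getAuthenticator()` is declared with return type `?AuthenticatorInterface` but can never return null, because the null case throws; the nullable return type is misleading and makes static analysis flag a possible null dereference at every `getAuthenticator()->authenticate(...)` / `->logout(...)` call site this commit introduces. Declare it `private function getAuthenticator(): AuthenticatorInterface` so the throw-on-absence contract is encoded in the signature. A missing authenticator is a deployment/configuration error rather than a runtime condition, so `\LogicException` describes it better than `\RuntimeException`, and since nothing in the controller catches it the exception will presumably propagate to the REST error layer as a 500 — fine for an operator-facing message, but it is worth confirming the message is logged rather than returned verbatim to clients. A docblock `/** @throws \RuntimeException when no authenticator was injected, i.e. no firewall enables ezpublish_rest_session */` would make the contract visible without reading the body.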