With autologin, if the current logged in user has a different access …

…token the the passed in the autologin param, the user is logged in with the new access token

Security/Firewall/AutologinListener.php

@@ -66,12 +66,30 @@ private function setRedirectResponse(GetResponseEvent $event)
      */
     private function authenticateIfUserIsNotLoggedIn($token)
     {
-        if($this->securityContext->getToken() !== null && $this->securityContext->isGranted('IS_AUTHENTICATED_FULLY')){
+        if($this->tokenIsAllreadyLoggedIn($token)){
             return;
         }
 
         $authToken = $this->authenticationManager->authenticate($token);
 
         $this->securityContext->setToken($authToken);
     }
+
+    /**
+     * Verifies if the logged in user has the same token
+     * @return boolean
+     */
+    private function tokenIsAllreadyLoggedIn($token)
+    {
+        return $this->securityContext->getToken() !== null &&
+            $this->securityContext->isGranted('IS_AUTHENTICATED_FULLY') &&
+            $this->veryfyAccessTokenIsEqualToLoggedInUsersAccessToken($token);
+    }
+
+    private function veryfyAccessTokenIsEqualToLoggedInUsersAccessToken($token)
+    {
+        $user = $this->securityContext->getToken()->getUser();
+
+        return $user->getAccessToken() == $token->getAccessToken();
+    }
 }

Tests/Security/Firewall/AutologinListenerTest.php

@@ -89,9 +89,9 @@ public function testHandleWithAutologinAndAllreadyLogedin()
     {
         $validAccessToken ='validAccessToken';
         $request = new Request(array('autologin' => $validAccessToken));
-        $authToken = $this->getAuthToken();
+        $authToken = $this->getAuthToken($validAccessToken);
 
-        $this->mockCall($this->securityContext, 'getToken', $authToken, $this->once());
+        $this->mockCall($this->securityContext, 'getToken', $authToken, $this->any());
         $this->mockCall($this->securityContext, 'setToken', null, $this->never());
         $this->mockCall($this->securityContext, 'isGranted', true);
         $this->mockCall($this->authenticationManager, 'authenticate', null, $this->never());
@@ -103,6 +103,24 @@ public function testHandleWithAutologinAndAllreadyLogedin()
         $this->assertFalse($request->query->has('autologin'));
     }
 
+    public function testHandleWithAutologinAndAllreadyLogedinButDifferentToken()
+    {
+        $validAccessToken = 'validAccessToken';
+        $request = new Request(array('autologin' => $validAccessToken));
+        $authToken = $this->getAuthToken('oldValidAccessToken');
+
+        $this->mockCall($this->securityContext, 'getToken', $authToken, $this->any());
+        $this->mockCall($this->securityContext, 'setToken', null, $this->once());
+        $this->mockCall($this->securityContext, 'isGranted', true);
+        $this->mockCall($this->authenticationManager, 'authenticate', $authToken, $this->once(), $this->getAccessTokenAsserter($validAccessToken));
+        $this->mockCall($this->event, 'getRequest', $request);
+        $this->mockCall($this->event, 'setResponse', null, $this->once());
+
+        $this->autologinListener->handle($this->event);
+
+        $this->assertFalse($request->query->has('autologin'));
+    }
+
     private function mockCall($object, $method, $return = null, $when = null, $with = null)
     {
         if($when === null){
@@ -126,9 +144,9 @@ private function mockCall($object, $method, $return = null, $when = null, $with
         }
     }
 
-    private function getAuthToken()
+    private function getAuthToken($accessToken = '321IUKKL')
     {
-        $user = new User(2, 'username', '321IUKKL', '12HHIIK', true, 'password', 3600, array('role_1'));
+        $user = new User(2, 'username', $accessToken, '12HHIIK', true, 'password', 3600, array('role_1'));
         $token = $this->getMock('Symfony\Component\Security\Core\Authentication\Token\TokenInterface');
 
         $token->expects($this->any())