fix: preserve authentication failure cause in onAuthenticationFailure (#52)
Merged
turegjorup merged 1 commit on Jun 11, 2026
onAuthenticationFailure() now chains the original exception via previous and includes its message, so logs and error reporters retain the actual cause (timeout vs. signature mismatch vs. wrong nonce). Symfony's security component still renders only the safe message key to the user. Ported from feature/exception-flow (222bf32); the rest of that branch was superseded by the 5.0 exception-contract work.

Co-Authored-By: Claude Fable 5 <noreply@anthropic.com>
Codecov Report: All modified and coverable lines are covered by tests.

@@            Coverage Diff            @@
##           develop       #52   +/-   ##
===========================================
  Coverage     100.00%   100.00%
  Complexity        62        62
===========================================
  Files              9         9
  Lines            282       282
===========================================
  Hits             282       282
Summary

OpenIdLoginAuthenticator::onAuthenticationFailure() previously threw a bare AuthenticationException('Error occurred validating openid login'), dropping the original failure entirely — logs and error reporters could not tell a timeout from a signature mismatch from a wrong nonce. It now chains the original exception via previous and includes its message in the new exception's message. Symfony's security component still renders only the safe message key to the user, so nothing sensitive is exposed.

This is the last unmerged piece of feature/exception-flow (commit 222bf32), ported onto current develop; the rest of that branch was superseded by the 5.0 exception-contract work (#41 et al.), and the branch is deleted with this PR.

Files Changed

- src/Security/OpenIdLoginAuthenticator.php - chain previous and preserve the cause message in onAuthenticationFailure()
- tests/Security/OpenIdLoginAuthenticatorTest.php - assert the thrown exception chains the original as previous and preserves its message
- CHANGELOG.md - entry under [Unreleased] / Changed

Test Plan

- task test:coverage — all tests pass, coverage stays at 100% (methods + lines)
- task analyze:php — PHPStan max level + custom exception-contract rules: no errors (the new throw satisfies WrappedExceptionChainsPrevious)
- task lint — php-cs-fixer, composer normalize/audit, markdownlint, prettier: all clean

🤖 Generated with Claude Code
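The behaviour the PR describes, shown side by side as an added example that is not the project's code: a "before" that throws a bare exception and an "after" that passes the cause as `$previous` and keeps its message. Symfony's `AuthenticationException` is replaced here by a minimal stand-in that mirrors only `getMessageKey()`, so the script runs without the security component; the `NonceMismatchException` and `SignatureMismatchException` classes and the sample messages are constructed for the example. The `describeChain()` helper walks the `previous` chain the way a logger or error reporter would, which is what the change makes possible.

```php
<?php
// Added example, not code from the PR or the project. AuthenticationException
// is a minimal stand-in for Symfony's class (only getMessageKey() is mirrored)
// so the script runs without the security component installed.
declare(strict_types=1);

class AuthenticationException extends RuntimeException
{
    // Symfony renders this generic key to the user, never getMessage().
    public function getMessageKey(): string
    {
        return 'An authentication exception occurred.';
    }
}

// Constructed stand-ins for two of the failure kinds the PR names.
final class NonceMismatchException extends RuntimeException {}
final class SignatureMismatchException extends RuntimeException {}

/** The "before": the cause is discarded, every failure looks the same. */
function onAuthenticationFailureBefore(Throwable $cause): AuthenticationException
{
    return new AuthenticationException('Error occurred validating openid login');
}

/** The "after": chain the cause via $previous and keep its message. */
function onAuthenticationFailureAfter(Throwable $cause): AuthenticationException
{
    return new AuthenticationException(
        'Error occurred validating openid login: ' . $cause->getMessage(),
        0,
        $cause
    );
}

/** What a log line or error reporter sees: the whole chain, outermost first. */
function describeChain(Throwable $e): string
{
    $parts = [];
    for ($t = $e; $t !== null; $t = $t->getPrevious()) {
        $parts[] = get_class($t) . ': ' . $t->getMessage();
    }
    return implode(' <- ', $parts);
}

/** What the user sees: only the safe key, regardless of the chained cause. */
function userFacingMessage(AuthenticationException $e): string
{
    return $e->getMessageKey();
}

$causes = [
    new NonceMismatchException('nonce does not match session value'),
    new SignatureMismatchException('OpenID signature verification failed'),
];

foreach ($causes as $cause) {
    echo 'before (log):  ' . describeChain(onAuthenticationFailureBefore($cause)) . PHP_EOL;
    echo 'after  (log):  ' . describeChain(onAuthenticationFailureAfter($cause)) . PHP_EOL;
    echo 'after  (user): ' . userFacingMessage(onAuthenticationFailureAfter($cause)) . PHP_EOL;
    echo PHP_EOL;
}
```

Run with `php example.php`: the "before" lines are identical for both causes, the "after" log lines name the concrete exception class and its message, and the user-facing line is the generic key in every case, which is the separation the PR relies on.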