-
-
Notifications
You must be signed in to change notification settings - Fork 9.4k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[SecurityBundle] Set translator in AccessTokenAuthenticator in Security bundle config #54734
base: 6.4
Are you sure you want to change the base?
[SecurityBundle] Set translator in AccessTokenAuthenticator in Security bundle config #54734
Conversation
It has been removed as a fix: #50819 |
in translated string
I have amended this branch to an alternative solution; we try to translate, but revert the translation if the result contains any non-ASCII characters. I don't think the linked fix is the right one, really - it's just making it impossible to do any translation here at all, even if the result would be valid and RFC compliant. |
src/Symfony/Component/Security/Http/Tests/Authenticator/AccessTokenAuthenticatorTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Http/Tests/Authenticator/AccessTokenAuthenticatorTest.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php
Outdated
Show resolved
Hide resolved
What is the use-case for translating this message if - according to the RFC 6750 - it must not be displayed to the end user? Also, this means we'll have deprecated translation strings in the repository (like Spanish as mentioned in #50811). I'm not sure how we are supposed to fix this, given you probably have to use non-ANCII characters in those languages. I'm still leaning towards not using the translator here for these arguments. |
"Not displayed to users" isn't quite the same thing as "never seen by a human"; easy to imagine the reasons for authentication failures supplied in headers may end up in logs and as such the information may aid with various inquiry and analysis. It's also not necessarily the case that every system respects the RFC, as not every access token system is OAuth2 compliant, so we don't know this message won't be displayed.
I would argue that allowing some translation, even if limited to ASCII characters, is useful. The case for translation may not necessarily be to another language, but e.g. alternative or simplified English for example. |
The
AccessTokenAuthenticator
doesn't get configured with thetranslator
service. This appears to be a bug, as this class'ssetTranslator
is unused and the translator can't be injected anywhere else.