fix: make TrustedDeviceTokenStorage conform to ResetInterface (#266)

* Make TrustedDeviceTokenStorage conform to ResetInterface

In certain scenarios, TrustedDeviceTokenStorage might not be re-instanciated between requests.
That's the case when multiple requests are handled by a single worker, like when serving the application with RoadRunner or with FrankenPHP.
In that case, the trusted_device cookie leak from a request to another, and break the feature entirely.
By implementing ResetInterface, the storage is now properly reseted between requests

Author: dt-thomas-durand

composer.json

@@ -25,6 +25,7 @@
         "symfony/http-kernel": "^6.4 || ^7.0",
         "symfony/property-access": "^6.4 || ^7.0",
         "symfony/security-bundle": "^6.4 || ^7.0",
+        "symfony/service-contracts": "^2.5|^3",
         "symfony/twig-bundle": "^6.4 || ^7.0"
     },
     "require-dev": {

src/bundle/composer.json

@@ -22,6 +22,7 @@
         "symfony/http-kernel": "^6.4 || ^7.0",
         "symfony/property-access": "^6.4 || ^7.0",
         "symfony/security-bundle": "^6.4 || ^7.0",
+        "symfony/service-contracts": "^2.5|^3",
         "symfony/twig-bundle": "^6.4 || ^7.0"
     },
     "autoload": {

src/trusted-device/Security/TwoFactor/Trusted/TrustedDeviceTokenStorage.php

@@ -7,14 +7,15 @@
 use RuntimeException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Contracts\Service\ResetInterface;
 use function array_map;
 use function explode;
 use function implode;
 
 /**
  * @final
  */
-class TrustedDeviceTokenStorage
+class TrustedDeviceTokenStorage implements ResetInterface
 {
     private const TOKEN_DELIMITER = ';';
 
@@ -100,6 +101,12 @@ public function clearTrustedToken(string $username, string $firewall): void
         $this->updateCookie = true;
     }
 
+    public function reset(): void
+    {
+        $this->updateCookie = false;
+        $this->trustedTokenList = null;
+    }
+
     /**
      * @return TrustedDeviceToken[]
      */

tests/Security/TwoFactor/Trusted/TrustedDeviceTokenStorageTest.php

@@ -337,4 +337,32 @@ public function getCookieValue_hasTokenCalledWithInvalidToken_returnSerializedWi
         $returnValue = $this->tokenStorage->getCookieValue();
         $this->assertEquals('validToken', $returnValue);
     }
+
+    /**
+     * @test
+     */
+    public function reset_cookiePreviouslyUpdated_resetUpdatedCookie(): void
+    {
+        $this->tokenStorage->addTrustedToken('username', 'firewallName', 1);
+        $this->assertTrue($this->tokenStorage->hasUpdatedCookie());
+
+        $this->tokenStorage->reset();
+        $this->assertFalse($this->tokenStorage->hasUpdatedCookie());
+    }
+
+    /**
+     * @test
+     */
+    public function reset_cookiePreviouslyUpdated_resetCookieList(): void
+    {
+        $this->stubCookieHasToken('serializedToken');
+        $this->stubDecodeToken(
+            $this->createTokenWithProperties('serializedToken', true, true, false),
+        );
+        $this->assertEquals('serializedToken', $this->tokenStorage->getCookieValue());
+
+        $this->request->cookies->remove('cookieName');
+        $this->tokenStorage->reset();
+        $this->assertEmpty($this->tokenStorage->getCookieValue());
+    }
 }