fix: stateless 2fa provider preparation listener

dt-thomas-durand · scheb · commit 0e0515aa3282 · 2026-02-25T19:14:10.000+01:00
diff --git a/src/bundle/Resources/config/security.php b/src/bundle/Resources/config/security.php
@@ -87,6 +87,7 @@
             ->tag('kernel.event_subscriber')
 
         ->set('scheb_two_factor.security.provider_preparation_listener', TwoFactorProviderPreparationListener::class)
+            ->tag('kernel.reset', ['method' => 'reset'])
             ->args([
                 service('scheb_two_factor.provider_registry'),
                 service('scheb_two_factor.provider_preparation_recorder'),
diff --git a/src/bundle/Security/TwoFactor/Provider/TwoFactorProviderPreparationListener.php b/src/bundle/Security/TwoFactor/Provider/TwoFactorProviderPreparationListener.php
@@ -16,14 +16,15 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\AuthenticationEvents;
 use Symfony\Component\Security\Core\Event\AuthenticationEvent;
+use Symfony\Contracts\Service\ResetInterface;
 use function assert;
 use function sprintf;
 use const PHP_INT_MAX;
 
 /**
  * @final
  */
-class TwoFactorProviderPreparationListener implements EventSubscriberInterface
+class TwoFactorProviderPreparationListener implements EventSubscriberInterface, ResetInterface
 {
     // This must trigger very first, followed by AuthenticationSuccessEventSuppressor
     public const int AUTHENTICATION_SUCCESS_LISTENER_PRIORITY = PHP_INT_MAX;
@@ -136,4 +137,9 @@ public static function getSubscribedEvents(): array
             KernelEvents::RESPONSE => ['onKernelResponse', self::RESPONSE_LISTENER_PRIORITY],
         ];
     }
+
+    public function reset(): void
+    {
+        $this->twoFactorToken = null;
+    }
 }
diff --git a/tests/Security/TwoFactor/Provider/TwoFactorProviderPreparationListenerTest.php b/tests/Security/TwoFactor/Provider/TwoFactorProviderPreparationListenerTest.php
@@ -230,4 +230,19 @@ public function onKernelResponse_recorderThrowsUnexpectedTokenException_doNothin
         $this->listener->onTwoFactorForm($event);
         $this->listener->onKernelResponse($this->createResponseEvent());
     }
+
+    #[Test]
+    public function reset_tokenPreviouslySetted_resetToken(): void
+    {
+        $this->initTwoFactorProviderPreparationListener(true, false);
+        $event = $this->createAuthenticationEvent();
+
+        $this->expectNotPrepareCurrentProvider();
+
+        $this->listener->onLogin($event);
+
+        $this->listener->reset();
+
+        $this->listener->onKernelResponse($this->createResponseEvent());
+    }
 }
