[5.4] Handle 401 Unauthorized error instead of throwing CRITICAL uncaught 500 server (#46305)

MarcelSchuermann · web-flow · commit 9aaa2749a2a6 · 2025-10-23T16:45:39.000+02:00
diff --git a/plugins/api-authentication/token/src/Extension/Token.php b/plugins/api-authentication/token/src/Extension/Token.php
@@ -168,6 +168,11 @@ public function onUserAuthenticate(AuthenticationEvent $event): void
          */
         $allowedAlgo = \in_array($algo, $this->allowedAlgos);
 
+        // If the algorithm is not allowed, fail authentication gracefully.
+        if (!$allowedAlgo) {
+            return;
+        }
+
         /**
          * Make sure the user ID is an integer
          */
@@ -190,6 +195,12 @@ public function onUserAuthenticate(AuthenticationEvent $event): void
         $referenceTokenData = $this->getTokenSeedForUser($userId);
         $referenceTokenData = empty($referenceTokenData) ? '' : $referenceTokenData;
         $referenceTokenData = base64_decode($referenceTokenData);
+
+        // If the reference token data is empty, user has no token configured.
+        if (empty($referenceTokenData)) {
+            return;
+        }
+
         $referenceHMAC      = hash_hmac($algo, $referenceTokenData, $siteSecret);
 
         // Is the token enabled?
