vendor/symfony/security-guard/Firewall/GuardAuthenticationListener.php line 32

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Guard\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\HttpKernel\Event\RequestEvent;
  18. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  19. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  20. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  21. use Symfony\Component\Security\Core\Exception\AccountStatusException;
  22. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  23. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  24. use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
  25. use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
  26. use Symfony\Component\Security\Guard\AuthenticatorInterface;
  27. use Symfony\Component\Security\Guard\GuardAuthenticatorHandler;
  28. use Symfony\Component\Security\Guard\Token\PreAuthenticationGuardToken;
  29. use Symfony\Component\Security\Http\Firewall\AbstractListener;
  30. use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
  32. trigger_deprecation('symfony/security-guard''5.3''The "%s" class is deprecated, use the new authenticator system instead.'GuardAuthenticationListener::class);
  34. /**
  35.  * Authentication listener for the "guard" system.
  36.  *
  37.  * @author Ryan Weaver <ryan@knpuniversity.com>
  38.  * @author Amaury Leroux de Lens <amaury@lerouxdelens.com>
  39.  *
  40.  * @final
  41.  *
  42.  * @deprecated since Symfony 5.3, use the new authenticator system instead
  43.  */
  44. class GuardAuthenticationListener extends AbstractListener
  45. {
  46.     private $guardHandler;
  47.     private $authenticationManager;
  48.     private $providerKey;
  49.     private $guardAuthenticators;
  50.     private $logger;
  51.     private $rememberMeServices;
  52.     private $hideUserNotFoundExceptions;
  53.     private $tokenStorage;
  55.     /**
  56.      * @param string                                      $providerKey         The provider (i.e. firewall) key
  57.      * @param iterable<array-key, AuthenticatorInterface> $guardAuthenticators The authenticators, with keys that match what's passed to GuardAuthenticationProvider
  58.      */
  59.     public function __construct(GuardAuthenticatorHandler $guardHandlerAuthenticationManagerInterface $authenticationManagerstring $providerKeyiterable $guardAuthenticatorsLoggerInterface $logger nullbool $hideUserNotFoundExceptions trueTokenStorageInterface $tokenStorage null)
  60.     {
  61.         if (empty($providerKey)) {
  62.             throw new \InvalidArgumentException('$providerKey must not be empty.');
  63.         }
  65.         $this->guardHandler $guardHandler;
  66.         $this->authenticationManager $authenticationManager;
  67.         $this->providerKey $providerKey;
  68.         $this->guardAuthenticators $guardAuthenticators;
  69.         $this->logger $logger;
  70.         $this->hideUserNotFoundExceptions $hideUserNotFoundExceptions;
  71.         $this->tokenStorage $tokenStorage;
  72.     }
  74.     /**
  75.      * {@inheritdoc}
  76.      */
  77.     public function supports(Request $request): ?bool
  78.     {
  79.         if (null !== $this->logger) {
  80.             $context = ['firewall_key' => $this->providerKey];
  82.             if ($this->guardAuthenticators instanceof \Countable || \is_array($this->guardAuthenticators)) {
  83.                 $context['authenticators'] = \count($this->guardAuthenticators);
  84.             }
  86.             $this->logger->debug('Checking for guard authentication credentials.'$context);
  87.         }
  89.         $guardAuthenticators = [];
  91.         foreach ($this->guardAuthenticators as $key => $guardAuthenticator) {
  92.             if (null !== $this->logger) {
  93.                 $this->logger->debug('Checking support on guard authenticator.', ['firewall_key' => $this->providerKey'authenticator' => \get_class($guardAuthenticator)]);
  94.             }
  96.             if ($guardAuthenticator->supports($request)) {
  97.                 $guardAuthenticators[$key] = $guardAuthenticator;
  98.             } elseif (null !== $this->logger) {
  99.                 $this->logger->debug('Guard authenticator does not support the request.', ['firewall_key' => $this->providerKey'authenticator' => \get_class($guardAuthenticator)]);
  100.             }
  101.         }
  103.         if (!$guardAuthenticators) {
  104.             return false;
  105.         }
  107.         $request->attributes->set('_guard_authenticators'$guardAuthenticators);
  109.         return true;
  110.     }
  112.     /**
  113.      * Iterates over each authenticator to see if each wants to authenticate the request.
  114.      */
  115.     public function authenticate(RequestEvent $event)
  116.     {
  117.         $request $event->getRequest();
  118.         $guardAuthenticators $request->attributes->get('_guard_authenticators');
  119.         $request->attributes->remove('_guard_authenticators');
  121.         foreach ($guardAuthenticators as $key => $guardAuthenticator) {
  122.             // get a key that's unique to *this* guard authenticator
  123.             // this MUST be the same as GuardAuthenticationProvider
  124.             $uniqueGuardKey $this->providerKey.'_'.$key;
  126.             $this->executeGuardAuthenticator($uniqueGuardKey$guardAuthenticator$event);
  128.             if ($event->hasResponse()) {
  129.                 if (null !== $this->logger) {
  130.                     $this->logger->debug('The "{authenticator}" authenticator set the response. Any later authenticator will not be called', ['authenticator' => \get_class($guardAuthenticator)]);
  131.                 }
  133.                 break;
  134.             }
  135.         }
  136.     }
  138.     private function executeGuardAuthenticator(string $uniqueGuardKeyAuthenticatorInterface $guardAuthenticatorRequestEvent $event)
  139.     {
  140.         $request $event->getRequest();
  141.         $previousToken $this->tokenStorage $this->tokenStorage->getToken() : null;
  142.         try {
  143.             if (null !== $this->logger) {
  144.                 $this->logger->debug('Calling getCredentials() on guard authenticator.', ['firewall_key' => $this->providerKey'authenticator' => \get_class($guardAuthenticator)]);
  145.             }
  147.             // allow the authenticator to fetch authentication info from the request
  148.             $credentials $guardAuthenticator->getCredentials($request);
  150.             if (null === $credentials) {
  151.                 throw new \UnexpectedValueException(sprintf('The return value of "%1$s::getCredentials()" must not be null. Return false from "%1$s::supports()" instead.'get_debug_type($guardAuthenticator)));
  152.             }
  154.             // create a token with the unique key, so that the provider knows which authenticator to use
  155.             $token = new PreAuthenticationGuardToken($credentials$uniqueGuardKey);
  157.             if (null !== $this->logger) {
  158.                 $this->logger->debug('Passing guard token information to the GuardAuthenticationProvider', ['firewall_key' => $this->providerKey'authenticator' => \get_class($guardAuthenticator)]);
  159.             }
  160.             // pass the token into the AuthenticationManager system
  161.             // this indirectly calls GuardAuthenticationProvider::authenticate()
  162.             $token $this->authenticationManager->authenticate($token);
  164.             if (null !== $this->logger) {
  165.                 $this->logger->info('Guard authentication successful!', ['token' => $token'authenticator' => \get_class($guardAuthenticator)]);
  166.             }
  168.             // sets the token on the token storage, etc
  169.             if ($this->tokenStorage) {
  170.                 $this->guardHandler->authenticateWithToken($token$request$this->providerKey$previousToken);
  171.             } else {
  172.                 $this->guardHandler->authenticateWithToken($token$request$this->providerKey);
  173.             }
  174.         } catch (AuthenticationException $e) {
  175.             // oh no! Authentication failed!
  177.             if (null !== $this->logger) {
  178.                 $this->logger->info('Guard authentication failed.', ['exception' => $e'authenticator' => \get_class($guardAuthenticator)]);
  179.             }
  181.             // Avoid leaking error details in case of invalid user (e.g. user not found or invalid account status)
  182.             // to prevent user enumeration via response content
  183.             if ($this->hideUserNotFoundExceptions && ($e instanceof UsernameNotFoundException || ($e instanceof AccountStatusException && !$e instanceof CustomUserMessageAccountStatusException))) {
  184.                 $e = new BadCredentialsException('Bad credentials.'0$e);
  185.             }
  187.             $response $this->guardHandler->handleAuthenticationFailure($e$request$guardAuthenticator$this->providerKey);
  189.             if ($response instanceof Response) {
  190.                 $event->setResponse($response);
  191.             }
  193.             return;
  194.         }
  196.         // success!
  197.         $response $this->guardHandler->handleAuthenticationSuccess($token$request$guardAuthenticator$this->providerKey);
  198.         if ($response instanceof Response) {
  199.             if (null !== $this->logger) {
  200.                 $this->logger->debug('Guard authenticator set success response.', ['response' => $response'authenticator' => \get_class($guardAuthenticator)]);
  201.             }
  203.             $event->setResponse($response);
  204.         } else {
  205.             if (null !== $this->logger) {
  206.                 $this->logger->debug('Guard authenticator set no success response: request continues.', ['authenticator' => \get_class($guardAuthenticator)]);
  207.             }
  208.         }
  210.         // attempt to trigger the remember me functionality
  211.         $this->triggerRememberMe($guardAuthenticator$request$token$response);
  212.     }
  214.     /**
  215.      * Should be called if this listener will support remember me.
  216.      */
  217.     public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
  218.     {
  219.         $this->rememberMeServices $rememberMeServices;
  220.     }
  222.     /**
  223.      * Checks to see if remember me is supported in the authenticator and
  224.      * on the firewall. If it is, the RememberMeServicesInterface is notified.
  225.      */
  226.     private function triggerRememberMe(AuthenticatorInterface $guardAuthenticatorRequest $requestTokenInterface $tokenResponse $response null)
  227.     {
  228.         if (null === $this->rememberMeServices) {
  229.             if (null !== $this->logger) {
  230.                 $this->logger->debug('Remember me skipped: it is not configured for the firewall.', ['authenticator' => \get_class($guardAuthenticator)]);
  231.             }
  233.             return;
  234.         }
  236.         if (!$guardAuthenticator->supportsRememberMe()) {
  237.             if (null !== $this->logger) {
  238.                 $this->logger->debug('Remember me skipped: your authenticator does not support it.', ['authenticator' => \get_class($guardAuthenticator)]);
  239.             }
  241.             return;
  242.         }
  244.         if (!$response instanceof Response) {
  245.             throw new \LogicException(sprintf('"%s::onAuthenticationSuccess()" *must* return a Response if you want to use the remember me functionality. Return a Response, or set remember_me to false under the guard configuration.'get_debug_type($guardAuthenticator)));
  246.         }
  248.         $this->rememberMeServices->loginSuccess($request$response$token);
  249.     }
  250. }