vendor/symfony/security-http/Firewall/UsernamePasswordJsonAuthenticationListener.php line 47

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\EventDispatcher\LegacyEventDispatcherProxy;
  16. use Symfony\Component\HttpFoundation\JsonResponse;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpFoundation\Response;
  19. use Symfony\Component\HttpKernel\Event\RequestEvent;
  20. use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
  21. use Symfony\Component\PropertyAccess\Exception\AccessException;
  22. use Symfony\Component\PropertyAccess\PropertyAccess;
  23. use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
  24. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  25. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  26. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  27. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  28. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  29. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  30. use Symfony\Component\Security\Core\Security;
  31. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  32. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  33. use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
  34. use Symfony\Component\Security\Http\HttpUtils;
  35. use Symfony\Component\Security\Http\SecurityEvents;
  36. use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
  37. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  39. /**
  40.  * UsernamePasswordJsonAuthenticationListener is a stateless implementation of
  41.  * an authentication via a JSON document composed of a username and a password.
  42.  *
  43.  * @author Kévin Dunglas <dunglas@gmail.com>
  44.  *
  45.  * @final since Symfony 4.3
  46.  */
  47. class UsernamePasswordJsonAuthenticationListener implements ListenerInterface
  48. {
  49.     use LegacyListenerTrait;
  51.     private $tokenStorage;
  52.     private $authenticationManager;
  53.     private $httpUtils;
  54.     private $providerKey;
  55.     private $successHandler;
  56.     private $failureHandler;
  57.     private $options;
  58.     private $logger;
  59.     private $eventDispatcher;
  60.     private $propertyAccessor;
  61.     private $sessionStrategy;
  63.     public function __construct(TokenStorageInterface $tokenStorageAuthenticationManagerInterface $authenticationManagerHttpUtils $httpUtilsstring $providerKeyAuthenticationSuccessHandlerInterface $successHandler nullAuthenticationFailureHandlerInterface $failureHandler null, array $options = [], LoggerInterface $logger nullEventDispatcherInterface $eventDispatcher nullPropertyAccessorInterface $propertyAccessor null)
  64.     {
  65.         $this->tokenStorage $tokenStorage;
  66.         $this->authenticationManager $authenticationManager;
  67.         $this->httpUtils $httpUtils;
  68.         $this->providerKey $providerKey;
  69.         $this->successHandler $successHandler;
  70.         $this->failureHandler $failureHandler;
  71.         $this->logger $logger;
  72.         $this->eventDispatcher LegacyEventDispatcherProxy::decorate($eventDispatcher);
  73.         $this->options array_merge(['username_path' => 'username''password_path' => 'password'], $options);
  74.         $this->propertyAccessor $propertyAccessor ?: PropertyAccess::createPropertyAccessor();
  75.     }
  77.     /**
  78.      * {@inheritdoc}
  79.      */
  80.     public function __invoke(RequestEvent $event)
  81.     {
  82.         $request $event->getRequest();
  83.         if (false === strpos($request->getRequestFormat(), 'json')
  84.             && false === strpos($request->getContentType(), 'json')
  85.         ) {
  86.             return;
  87.         }
  89.         if (isset($this->options['check_path']) && !$this->httpUtils->checkRequestPath($request$this->options['check_path'])) {
  90.             return;
  91.         }
  93.         $data json_decode($request->getContent());
  95.         try {
  96.             if (!$data instanceof \stdClass) {
  97.                 throw new BadRequestHttpException('Invalid JSON.');
  98.             }
  100.             try {
  101.                 $username $this->propertyAccessor->getValue($data$this->options['username_path']);
  102.             } catch (AccessException $e) {
  103.                 throw new BadRequestHttpException(sprintf('The key "%s" must be provided.'$this->options['username_path']), $e);
  104.             }
  106.             try {
  107.                 $password $this->propertyAccessor->getValue($data$this->options['password_path']);
  108.             } catch (AccessException $e) {
  109.                 throw new BadRequestHttpException(sprintf('The key "%s" must be provided.'$this->options['password_path']), $e);
  110.             }
  112.             if (!\is_string($username)) {
  113.                 throw new BadRequestHttpException(sprintf('The key "%s" must be a string.'$this->options['username_path']));
  114.             }
  116.             if (\strlen($username) > Security::MAX_USERNAME_LENGTH) {
  117.                 throw new BadCredentialsException('Invalid username.');
  118.             }
  120.             if (!\is_string($password)) {
  121.                 throw new BadRequestHttpException(sprintf('The key "%s" must be a string.'$this->options['password_path']));
  122.             }
  124.             $token = new UsernamePasswordToken($username$password$this->providerKey);
  126.             $authenticatedToken $this->authenticationManager->authenticate($token);
  127.             $response $this->onSuccess($request$authenticatedToken);
  128.         } catch (AuthenticationException $e) {
  129.             $response $this->onFailure($request$e);
  130.         } catch (BadRequestHttpException $e) {
  131.             $request->setRequestFormat('json');
  133.             throw $e;
  134.         }
  136.         if (null === $response) {
  137.             return;
  138.         }
  140.         $event->setResponse($response);
  141.     }
  143.     private function onSuccess(Request $requestTokenInterface $token)
  144.     {
  145.         if (null !== $this->logger) {
  146.             $this->logger->info('User has been authenticated successfully.', ['username' => $token->getUsername()]);
  147.         }
  149.         $this->migrateSession($request$token);
  151.         $this->tokenStorage->setToken($token);
  153.         if (null !== $this->eventDispatcher) {
  154.             $loginEvent = new InteractiveLoginEvent($request$token);
  155.             $this->eventDispatcher->dispatch($loginEventSecurityEvents::INTERACTIVE_LOGIN);
  156.         }
  158.         if (!$this->successHandler) {
  159.             return; // let the original request succeeds
  160.         }
  162.         $response $this->successHandler->onAuthenticationSuccess($request$token);
  164.         if (!$response instanceof Response) {
  165.             throw new \RuntimeException('Authentication Success Handler did not return a Response.');
  166.         }
  168.         return $response;
  169.     }
  171.     private function onFailure(Request $requestAuthenticationException $failed)
  172.     {
  173.         if (null !== $this->logger) {
  174.             $this->logger->info('Authentication request failed.', ['exception' => $failed]);
  175.         }
  177.         $token $this->tokenStorage->getToken();
  178.         if ($token instanceof UsernamePasswordToken && $this->providerKey === $token->getProviderKey()) {
  179.             $this->tokenStorage->setToken(null);
  180.         }
  182.         if (!$this->failureHandler) {
  183.             return new JsonResponse(['error' => $failed->getMessageKey()], 401);
  184.         }
  186.         $response $this->failureHandler->onAuthenticationFailure($request$failed);
  188.         if (!$response instanceof Response) {
  189.             throw new \RuntimeException('Authentication Failure Handler did not return a Response.');
  190.         }
  192.         return $response;
  193.     }
  195.     /**
  196.      * Call this method if your authentication token is stored to a session.
  197.      *
  198.      * @final
  199.      */
  200.     public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyInterface $sessionStrategy)
  201.     {
  202.         $this->sessionStrategy $sessionStrategy;
  203.     }
  205.     private function migrateSession(Request $requestTokenInterface $token)
  206.     {
  207.         if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
  208.             return;
  209.         }
  211.         $this->sessionStrategy->onAuthentication($request$token);
  212.     }
  213. }