vendor/symfony/security-guard/Firewall/GuardAuthenticationListener.php line 32

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Guard\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\HttpKernel\Event\RequestEvent;
  18. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  19. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  20. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  21. use Symfony\Component\Security\Core\Exception\AccountStatusException;
  22. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  23. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  24. use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
  25. use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
  26. use Symfony\Component\Security\Guard\AuthenticatorInterface;
  27. use Symfony\Component\Security\Guard\GuardAuthenticatorHandler;
  28. use Symfony\Component\Security\Guard\Token\PreAuthenticationGuardToken;
  29. use Symfony\Component\Security\Http\Firewall\AbstractListener;
  30. use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
  32. trigger_deprecation('symfony/security-guard', '5.3', 'The "%s" class is deprecated, use the new authenticator system instead.', GuardAuthenticationListener::class);
  34. /**
  35. * Authentication listener for the "guard" system.
  36. *
  37. * @author Ryan Weaver <ryan@knpuniversity.com>
  38. * @author Amaury Leroux de Lens <amaury@lerouxdelens.com>
  39. *
  40. * @final
  41. *
  42. * @deprecated since Symfony 5.3, use the new authenticator system instead
  43. */
  44. class GuardAuthenticationListener extends AbstractListener
  45. {
  46. private $guardHandler;
  47. private $authenticationManager;
  48. private $providerKey;
  49. private $guardAuthenticators;
  50. private $logger;
  51. private $rememberMeServices;
  52. private $hideUserNotFoundExceptions;
  53. private $tokenStorage;
  55. /**
  56. * @param string $providerKey The provider (i.e. firewall) key
  57. * @param iterable<array-key, AuthenticatorInterface> $guardAuthenticators The authenticators, with keys that match what's passed to GuardAuthenticationProvider
  58. */
  59. public function __construct(GuardAuthenticatorHandler $guardHandler, AuthenticationManagerInterface $authenticationManager, string $providerKey, iterable $guardAuthenticators, ?LoggerInterface $logger = null, bool $hideUserNotFoundExceptions = true, ?TokenStorageInterface $tokenStorage = null)
  60. {
  61. if (empty($providerKey)) {
  62. throw new \InvalidArgumentException('$providerKey must not be empty.');
  63. }
  65. $this->guardHandler = $guardHandler;
  66. $this->authenticationManager = $authenticationManager;
  67. $this->providerKey = $providerKey;
  68. $this->guardAuthenticators = $guardAuthenticators;
  69. $this->logger = $logger;
  70. $this->hideUserNotFoundExceptions = $hideUserNotFoundExceptions;
  71. $this->tokenStorage = $tokenStorage;
  72. }
  74. /**
  75. * {@inheritdoc}
  76. */
  77. public function supports(Request $request): ?bool
  78. {
  79. if (null !== $this->logger) {
  80. $context = ['firewall_key' => $this->providerKey];
  82. if ($this->guardAuthenticators instanceof \Countable || \is_array($this->guardAuthenticators)) {
  83. $context['authenticators'] = \count($this->guardAuthenticators);
  84. }
  86. $this->logger->debug('Checking for guard authentication credentials.', $context);
  87. }
  89. $guardAuthenticators = [];
  91. foreach ($this->guardAuthenticators as $key => $guardAuthenticator) {
  92. if (null !== $this->logger) {
  93. $this->logger->debug('Checking support on guard authenticator.', ['firewall_key' => $this->providerKey, 'authenticator' => \get_class($guardAuthenticator)]);
  94. }
  96. if ($guardAuthenticator->supports($request)) {
  97. $guardAuthenticators[$key] = $guardAuthenticator;
  98. } elseif (null !== $this->logger) {
  99. $this->logger->debug('Guard authenticator does not support the request.', ['firewall_key' => $this->providerKey, 'authenticator' => \get_class($guardAuthenticator)]);
  100. }
  101. }
  103. if (!$guardAuthenticators) {
  104. return false;
  105. }
  107. $request->attributes->set('_guard_authenticators', $guardAuthenticators);
  109. return true;
  110. }
  112. /**
  113. * Iterates over each authenticator to see if each wants to authenticate the request.
  114. */
  115. public function authenticate(RequestEvent $event)
  116. {
  117. $request = $event->getRequest();
  118. $guardAuthenticators = $request->attributes->get('_guard_authenticators');
  119. $request->attributes->remove('_guard_authenticators');
  121. foreach ($guardAuthenticators as $key => $guardAuthenticator) {
  122. // get a key that's unique to *this* guard authenticator
  123. // this MUST be the same as GuardAuthenticationProvider
  124. $uniqueGuardKey = $this->providerKey.'_'.$key;
  126. $this->executeGuardAuthenticator($uniqueGuardKey, $guardAuthenticator, $event);
  128. if ($event->hasResponse()) {
  129. if (null !== $this->logger) {
  130. $this->logger->debug('The "{authenticator}" authenticator set the response. Any later authenticator will not be called', ['authenticator' => \get_class($guardAuthenticator)]);
  131. }
  133. break;
  134. }
  135. }
  136. }
  138. private function executeGuardAuthenticator(string $uniqueGuardKey, AuthenticatorInterface $guardAuthenticator, RequestEvent $event)
  139. {
  140. $request = $event->getRequest();
  141. $previousToken = $this->tokenStorage ? $this->tokenStorage->getToken() : null;
  142. try {
  143. if (null !== $this->logger) {
  144. $this->logger->debug('Calling getCredentials() on guard authenticator.', ['firewall_key' => $this->providerKey, 'authenticator' => \get_class($guardAuthenticator)]);
  145. }
  147. // allow the authenticator to fetch authentication info from the request
  148. $credentials = $guardAuthenticator->getCredentials($request);
  150. if (null === $credentials) {
  151. throw new \UnexpectedValueException(sprintf('The return value of "%1$s::getCredentials()" must not be null. Return false from "%1$s::supports()" instead.', get_debug_type($guardAuthenticator)));
  152. }
  154. // create a token with the unique key, so that the provider knows which authenticator to use
  155. $token = new PreAuthenticationGuardToken($credentials, $uniqueGuardKey);
  157. if (null !== $this->logger) {
  158. $this->logger->debug('Passing guard token information to the GuardAuthenticationProvider', ['firewall_key' => $this->providerKey, 'authenticator' => \get_class($guardAuthenticator)]);
  159. }
  160. // pass the token into the AuthenticationManager system
  161. // this indirectly calls GuardAuthenticationProvider::authenticate()
  162. $token = $this->authenticationManager->authenticate($token);
  164. if (null !== $this->logger) {
  165. $this->logger->info('Guard authentication successful!', ['token' => $token, 'authenticator' => \get_class($guardAuthenticator)]);
  166. }
  168. // sets the token on the token storage, etc
  169. if ($this->tokenStorage) {
  170. $this->guardHandler->authenticateWithToken($token, $request, $this->providerKey, $previousToken);
  171. } else {
  172. $this->guardHandler->authenticateWithToken($token, $request, $this->providerKey);
  173. }
  174. } catch (AuthenticationException $e) {
  175. // oh no! Authentication failed!
  177. if (null !== $this->logger) {
  178. $this->logger->info('Guard authentication failed.', ['exception' => $e, 'authenticator' => \get_class($guardAuthenticator)]);
  179. }
  181. // Avoid leaking error details in case of invalid user (e.g. user not found or invalid account status)
  182. // to prevent user enumeration via response content
  183. if ($this->hideUserNotFoundExceptions && ($e instanceof UsernameNotFoundException || ($e instanceof AccountStatusException && !$e instanceof CustomUserMessageAccountStatusException))) {
  184. $e = new BadCredentialsException('Bad credentials.', 0, $e);
  185. }
  187. $response = $this->guardHandler->handleAuthenticationFailure($e, $request, $guardAuthenticator, $this->providerKey);
  189. if ($response instanceof Response) {
  190. $event->setResponse($response);
  191. }
  193. return;
  194. }
  196. // success!
  197. $response = $this->guardHandler->handleAuthenticationSuccess($token, $request, $guardAuthenticator, $this->providerKey);
  198. if ($response instanceof Response) {
  199. if (null !== $this->logger) {
  200. $this->logger->debug('Guard authenticator set success response.', ['response' => $response, 'authenticator' => \get_class($guardAuthenticator)]);
  201. }
  203. $event->setResponse($response);
  204. } else {
  205. if (null !== $this->logger) {
  206. $this->logger->debug('Guard authenticator set no success response: request continues.', ['authenticator' => \get_class($guardAuthenticator)]);
  207. }
  208. }
  210. // attempt to trigger the remember me functionality
  211. $this->triggerRememberMe($guardAuthenticator, $request, $token, $response);
  212. }
  214. /**
  215. * Should be called if this listener will support remember me.
  216. */
  217. public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices)
  218. {
  219. $this->rememberMeServices = $rememberMeServices;
  220. }
  222. /**
  223. * Checks to see if remember me is supported in the authenticator and
  224. * on the firewall. If it is, the RememberMeServicesInterface is notified.
  225. */
  226. private function triggerRememberMe(AuthenticatorInterface $guardAuthenticator, Request $request, TokenInterface $token, ?Response $response = null)
  227. {
  228. if (null === $this->rememberMeServices) {
  229. if (null !== $this->logger) {
  230. $this->logger->debug('Remember me skipped: it is not configured for the firewall.', ['authenticator' => \get_class($guardAuthenticator)]);
  231. }
  233. return;
  234. }
  236. if (!$guardAuthenticator->supportsRememberMe()) {
  237. if (null !== $this->logger) {
  238. $this->logger->debug('Remember me skipped: your authenticator does not support it.', ['authenticator' => \get_class($guardAuthenticator)]);
  239. }
  241. return;
  242. }
  244. if (!$response instanceof Response) {
  245. throw new \LogicException(sprintf('"%s::onAuthenticationSuccess()" *must* return a Response if you want to use the remember me functionality. Return a Response, or set remember_me to false under the guard configuration.', get_debug_type($guardAuthenticator)));
  246. }
  248. $this->rememberMeServices->loginSuccess($request, $response, $token);
  249. }
  250. }