vendor/symfony/security-http/Firewall/UsernamePasswordFormAuthenticationListener.php line 32

  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Component\Security\Http\Firewall;
  11. use Psr\Log\LoggerInterface;
  12. use Symfony\Component\HttpFoundation\Request;
  13. use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
  14. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  15. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  16. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  17. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  18. use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
  19. use Symfony\Component\Security\Core\Security;
  20. use Symfony\Component\Security\Csrf\CsrfToken;
  21. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  22. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  23. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  24. use Symfony\Component\Security\Http\HttpUtils;
  25. use Symfony\Component\Security\Http\ParameterBagUtils;
  26. use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
  27. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  28. trigger_deprecation('symfony/security-http', '5.3', 'The "%s" class is deprecated, use the new authenticator system instead.', UsernamePasswordFormAuthenticationListener::class);
  29. /**
  30. * UsernamePasswordFormAuthenticationListener is the default implementation of
  31. * an authentication via a simple form composed of a username and a password.
  32. *
  33. * @author Fabien Potencier <fabien@symfony.com>
  34. *
  35. * @deprecated since Symfony 5.3, use the new authenticator system instead
  36. */
  37. class UsernamePasswordFormAuthenticationListener extends AbstractAuthenticationListener
  38. {
  39. private $csrfTokenManager;
  40. public function __construct(TokenStorageInterface $tokenStorage, AuthenticationManagerInterface $authenticationManager, SessionAuthenticationStrategyInterface $sessionStrategy, HttpUtils $httpUtils, string $providerKey, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options = [], ?LoggerInterface $logger = null, ?EventDispatcherInterface $dispatcher = null, ?CsrfTokenManagerInterface $csrfTokenManager = null)
  41. {
  42. parent::__construct($tokenStorage, $authenticationManager, $sessionStrategy, $httpUtils, $providerKey, $successHandler, $failureHandler, array_merge([
  43. 'username_parameter' => '_username',
  44. 'password_parameter' => '_password',
  45. 'csrf_parameter' => '_csrf_token',
  46. 'csrf_token_id' => 'authenticate',
  47. 'post_only' => true,
  48. ], $options), $logger, $dispatcher);
  49. $this->csrfTokenManager = $csrfTokenManager;
  50. }
  51. /**
  52. * {@inheritdoc}
  53. */
  54. protected function requiresAuthentication(Request $request)
  55. {
  56. if ($this->options['post_only'] && !$request->isMethod('POST')) {
  57. return false;
  58. }
  59. return parent::requiresAuthentication($request);
  60. }
  61. /**
  62. * {@inheritdoc}
  63. */
  64. protected function attemptAuthentication(Request $request)
  65. {
  66. if (null !== $this->csrfTokenManager) {
  67. $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
  68. if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
  69. throw new InvalidCsrfTokenException('Invalid CSRF token.');
  70. }
  71. }
  72. if ($this->options['post_only']) {
  73. $username = ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']);
  74. $password = ParameterBagUtils::getParameterBagValue($request->request, $this->options['password_parameter']);
  75. } else {
  76. $username = ParameterBagUtils::getRequestParameterValue($request, $this->options['username_parameter']);
  77. $password = ParameterBagUtils::getRequestParameterValue($request, $this->options['password_parameter']);
  78. }
  79. if (!\is_string($username) && (!\is_object($username) || !method_exists($username, '__toString'))) {
  80. throw new BadRequestHttpException(sprintf('The key "%s" must be a string, "%s" given.', $this->options['username_parameter'], get_debug_type($username)));
  81. }
  82. $username = trim($username);
  83. if (\strlen($username) > Security::MAX_USERNAME_LENGTH) {
  84. throw new BadCredentialsException('Invalid username.');
  85. }
  86. if (null === $password) {
  87. throw new \LogicException(sprintf('The key "%s" cannot be null; check that the password field name of the form matches.', $this->options['password_parameter']));
  88. }
  89. $request->getSession()->set(Security::LAST_USERNAME, $username);
  90. return $this->authenticationManager->authenticate(new UsernamePasswordToken($username, $password, $this->providerKey));
  91. }
  92. }