vendor/symfony/security-http/Firewall/UsernamePasswordJsonAuthenticationListener.php line 39

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Psr\Log\LoggerInterface;
  15. use Symfony\Component\HttpFoundation\JsonResponse;
  16. use Symfony\Component\HttpFoundation\Request;
  17. use Symfony\Component\HttpFoundation\Response;
  18. use Symfony\Component\HttpKernel\Event\RequestEvent;
  19. use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
  20. use Symfony\Component\PropertyAccess\Exception\AccessException;
  21. use Symfony\Component\PropertyAccess\PropertyAccess;
  22. use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
  23. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  26. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  27. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  28. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  29. use Symfony\Component\Security\Core\Security;
  30. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  31. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  32. use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
  33. use Symfony\Component\Security\Http\HttpUtils;
  34. use Symfony\Component\Security\Http\SecurityEvents;
  35. use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface;
  36. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  37. use Symfony\Contracts\Translation\TranslatorInterface;
  39. trigger_deprecation('symfony/security-http''5.3''The "%s" class is deprecated, use the new authenticator system instead.'UsernamePasswordJsonAuthenticationListener::class);
  41. /**
  42.  * UsernamePasswordJsonAuthenticationListener is a stateless implementation of
  43.  * an authentication via a JSON document composed of a username and a password.
  44.  *
  45.  * @author Kévin Dunglas <dunglas@gmail.com>
  46.  *
  47.  * @deprecated since Symfony 5.3, use the new authenticator system instead
  48.  */
  49. class UsernamePasswordJsonAuthenticationListener extends AbstractListener
  50. {
  51.     private $tokenStorage;
  52.     private $authenticationManager;
  53.     private $httpUtils;
  54.     private $providerKey;
  55.     private $successHandler;
  56.     private $failureHandler;
  57.     private $options;
  58.     private $logger;
  59.     private $eventDispatcher;
  60.     private $propertyAccessor;
  61.     private $sessionStrategy;
  63.     /**
  64.      * @var TranslatorInterface|null
  65.      */
  66.     private $translator;
  68.     public function __construct(TokenStorageInterface $tokenStorageAuthenticationManagerInterface $authenticationManagerHttpUtils $httpUtilsstring $providerKey, ?AuthenticationSuccessHandlerInterface $successHandler null, ?AuthenticationFailureHandlerInterface $failureHandler null, array $options = [], ?LoggerInterface $logger null, ?EventDispatcherInterface $eventDispatcher null, ?PropertyAccessorInterface $propertyAccessor null)
  69.     {
  70.         $this->tokenStorage $tokenStorage;
  71.         $this->authenticationManager $authenticationManager;
  72.         $this->httpUtils $httpUtils;
  73.         $this->providerKey $providerKey;
  74.         $this->successHandler $successHandler;
  75.         $this->failureHandler $failureHandler;
  76.         $this->logger $logger;
  77.         $this->eventDispatcher $eventDispatcher;
  78.         $this->options array_merge(['username_path' => 'username''password_path' => 'password'], $options);
  79.         $this->propertyAccessor $propertyAccessor ?: PropertyAccess::createPropertyAccessor();
  80.     }
  82.     public function supports(Request $request): ?bool
  83.     {
  84.         if (!str_contains($request->getRequestFormat() ?? '''json')
  85.             && !str_contains($request->getContentType() ?? '''json')
  86.         ) {
  87.             return false;
  88.         }
  90.         if (isset($this->options['check_path']) && !$this->httpUtils->checkRequestPath($request$this->options['check_path'])) {
  91.             return false;
  92.         }
  94.         return true;
  95.     }
  97.     /**
  98.      * {@inheritdoc}
  99.      */
  100.     public function authenticate(RequestEvent $event)
  101.     {
  102.         $request $event->getRequest();
  103.         $data json_decode($request->getContent());
  104.         $previousToken $this->tokenStorage->getToken();
  106.         try {
  107.             if (!$data instanceof \stdClass) {
  108.                 throw new BadRequestHttpException('Invalid JSON.');
  109.             }
  111.             try {
  112.                 $username $this->propertyAccessor->getValue($data$this->options['username_path']);
  113.             } catch (AccessException $e) {
  114.                 throw new BadRequestHttpException(sprintf('The key "%s" must be provided.'$this->options['username_path']), $e);
  115.             }
  117.             try {
  118.                 $password $this->propertyAccessor->getValue($data$this->options['password_path']);
  119.             } catch (AccessException $e) {
  120.                 throw new BadRequestHttpException(sprintf('The key "%s" must be provided.'$this->options['password_path']), $e);
  121.             }
  123.             if (!\is_string($username)) {
  124.                 throw new BadRequestHttpException(sprintf('The key "%s" must be a string.'$this->options['username_path']));
  125.             }
  127.             if (\strlen($username) > Security::MAX_USERNAME_LENGTH) {
  128.                 throw new BadCredentialsException('Invalid username.');
  129.             }
  131.             if (!\is_string($password)) {
  132.                 throw new BadRequestHttpException(sprintf('The key "%s" must be a string.'$this->options['password_path']));
  133.             }
  135.             $token = new UsernamePasswordToken($username$password$this->providerKey);
  137.             $authenticatedToken $this->authenticationManager->authenticate($token);
  138.             $response $this->onSuccess($request$authenticatedToken$previousToken);
  139.         } catch (AuthenticationException $e) {
  140.             $response $this->onFailure($request$e);
  141.         } catch (BadRequestHttpException $e) {
  142.             $request->setRequestFormat('json');
  144.             throw $e;
  145.         }
  147.         if (null === $response) {
  148.             return;
  149.         }
  151.         $event->setResponse($response);
  152.     }
  154.     private function onSuccess(Request $requestTokenInterface $token, ?TokenInterface $previousToken): ?Response
  155.     {
  156.         if (null !== $this->logger) {
  157.             // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
  158.             $this->logger->info('User has been authenticated successfully.', ['username' => method_exists($token'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()]);
  159.         }
  161.         $this->migrateSession($request$token$previousToken);
  163.         $this->tokenStorage->setToken($token);
  165.         if (null !== $this->eventDispatcher) {
  166.             $loginEvent = new InteractiveLoginEvent($request$token);
  167.             $this->eventDispatcher->dispatch($loginEventSecurityEvents::INTERACTIVE_LOGIN);
  168.         }
  170.         if (!$this->successHandler) {
  171.             return null// let the original request succeeds
  172.         }
  174.         $response $this->successHandler->onAuthenticationSuccess($request$token);
  176.         if (!$response instanceof Response) {
  177.             throw new \RuntimeException('Authentication Success Handler did not return a Response.');
  178.         }
  180.         return $response;
  181.     }
  183.     private function onFailure(Request $requestAuthenticationException $failed): Response
  184.     {
  185.         if (null !== $this->logger) {
  186.             $this->logger->info('Authentication request failed.', ['exception' => $failed]);
  187.         }
  189.         $token $this->tokenStorage->getToken();
  190.         if ($token instanceof UsernamePasswordToken && $this->providerKey === $token->getFirewallName()) {
  191.             $this->tokenStorage->setToken(null);
  192.         }
  194.         if (!$this->failureHandler) {
  195.             if (null !== $this->translator) {
  196.                 $errorMessage $this->translator->trans($failed->getMessageKey(), $failed->getMessageData(), 'security');
  197.             } else {
  198.                 $errorMessage strtr($failed->getMessageKey(), $failed->getMessageData());
  199.             }
  201.             return new JsonResponse(['error' => $errorMessage], 401);
  202.         }
  204.         $response $this->failureHandler->onAuthenticationFailure($request$failed);
  206.         if (!$response instanceof Response) {
  207.             throw new \RuntimeException('Authentication Failure Handler did not return a Response.');
  208.         }
  210.         return $response;
  211.     }
  213.     /**
  214.      * Call this method if your authentication token is stored to a session.
  215.      *
  216.      * @final
  217.      */
  218.     public function setSessionAuthenticationStrategy(SessionAuthenticationStrategyInterface $sessionStrategy)
  219.     {
  220.         $this->sessionStrategy $sessionStrategy;
  221.     }
  223.     public function setTranslator(TranslatorInterface $translator)
  224.     {
  225.         $this->translator $translator;
  226.     }
  228.     private function migrateSession(Request $requestTokenInterface $token, ?TokenInterface $previousToken)
  229.     {
  230.         if (!$this->sessionStrategy || !$request->hasSession() || !$request->hasPreviousSession()) {
  231.             return;
  232.         }
  234.         if ($previousToken) {
  235.             $user method_exists($token'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
  236.             $previousUser method_exists($previousToken'getUserIdentifier') ? $previousToken->getUserIdentifier() : $previousToken->getUsername();
  238.             if ('' !== ($user ?? '') && $user === $previousUser) {
  239.                 return;
  240.             }
  241.         }
  243.         $this->sessionStrategy->onAuthentication($request$token);
  244.     }
  245. }