vendor/scheb/2fa-bundle/Security/Http/Firewall/TwoFactorListener.php line 36

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Scheb\TwoFactorBundle\Security\Http\Firewall;
  7. use Psr\Log\LoggerInterface;
  8. use Psr\Log\NullLogger;
  9. use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenFactoryInterface;
  10. use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
  11. use Scheb\TwoFactorBundle\Security\Http\Authentication\AuthenticationRequiredHandlerInterface;
  12. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvent;
  13. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvents;
  14. use Scheb\TwoFactorBundle\Security\TwoFactor\Trusted\TrustedDeviceManagerInterface;
  15. use Scheb\TwoFactorBundle\Security\TwoFactor\TwoFactorFirewallConfig;
  16. use Scheb\TwoFactorBundle\Security\UsernameHelper;
  17. use Symfony\Component\EventDispatcher\EventDispatcherInterface;
  18. use Symfony\Component\HttpFoundation\Request;
  19. use Symfony\Component\HttpFoundation\Response;
  20. use Symfony\Component\HttpKernel\Event\RequestEvent;
  21. use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
  22. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  23. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  24. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  25. use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
  26. use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
  27. use Symfony\Component\Security\Csrf\CsrfToken;
  28. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  29. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  30. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  31. use Symfony\Component\Security\Http\Firewall\AbstractListener;
  33. /**
  34.  * @final
  35.  */
  36. class TwoFactorListener extends AbstractListener
  37. {
  38.     /**
  39.      * @var TokenStorageInterface
  40.      */
  41.     private $tokenStorage;
  43.     /**
  44.      * @var AuthenticationManagerInterface
  45.      */
  46.     private $authenticationManager;
  48.     /**
  49.      * @var TwoFactorFirewallConfig
  50.      */
  51.     private $twoFactorFirewallConfig;
  53.     /**
  54.      * @var AuthenticationSuccessHandlerInterface
  55.      */
  56.     private $successHandler;
  58.     /**
  59.      * @var AuthenticationFailureHandlerInterface
  60.      */
  61.     private $failureHandler;
  63.     /**
  64.      * @var AuthenticationRequiredHandlerInterface
  65.      */
  66.     private $authenticationRequiredHandler;
  68.     /**
  69.      * @var CsrfTokenManagerInterface
  70.      */
  71.     private $csrfTokenManager;
  73.     /**
  74.      * @var TrustedDeviceManagerInterface|null
  75.      */
  76.     private $trustedDeviceManager;
  78.     /**
  79.      * @var EventDispatcherInterface
  80.      */
  81.     private $eventDispatcher;
  83.     /**
  84.      * @var TwoFactorTokenFactoryInterface
  85.      */
  86.     private $twoFactorTokenFactory;
  88.     /**
  89.      * @var LoggerInterface
  90.      */
  91.     private $logger;
  93.     public function __construct(
  94.         TokenStorageInterface $tokenStorage,
  95.         AuthenticationManagerInterface $authenticationManager,
  96.         TwoFactorFirewallConfig $twoFactorFirewallConfig,
  97.         AuthenticationSuccessHandlerInterface $successHandler,
  98.         AuthenticationFailureHandlerInterface $failureHandler,
  99.         AuthenticationRequiredHandlerInterface $authenticationRequiredHandler,
  100.         CsrfTokenManagerInterface $csrfTokenManager,
  101.         ?TrustedDeviceManagerInterface $trustedDeviceManager,
  102.         EventDispatcherInterface $eventDispatcher,
  103.         TwoFactorTokenFactoryInterface $twoFactorTokenFactory,
  104.         ?LoggerInterface $logger null
  105.     ) {
  106.         $this->tokenStorage $tokenStorage;
  107.         $this->authenticationManager $authenticationManager;
  108.         $this->twoFactorFirewallConfig $twoFactorFirewallConfig;
  109.         $this->successHandler $successHandler;
  110.         $this->failureHandler $failureHandler;
  111.         $this->authenticationRequiredHandler $authenticationRequiredHandler;
  112.         $this->csrfTokenManager $csrfTokenManager;
  113.         $this->trustedDeviceManager $trustedDeviceManager;
  114.         $this->eventDispatcher $eventDispatcher;
  115.         $this->twoFactorTokenFactory $twoFactorTokenFactory;
  116.         $this->logger $logger ?? new NullLogger();
  117.     }
  119.     public function supports(Request $request): ?bool
  120.     {
  121.         return $this->twoFactorFirewallConfig->isCheckPathRequest($request);
  122.     }
  124.     public function authenticate(RequestEvent $event): void
  125.     {
  126.         // When the firewall is lazy, the token is not initialized in the "supports" stage, so this check does only work
  127.         // within the "authenticate" stage.
  128.         $token $this->tokenStorage->getToken();
  129.         if (!($token instanceof TwoFactorTokenInterface) || $token->getProviderKey(true) !== $this->twoFactorFirewallConfig->getFirewallName()) {
  130.             // This should only happen when the check path is called outside of a 2fa process and not protected via access_control
  131.             // or when the firewall is configured in an odd way (different firewall name)
  132.             throw new AuthenticationServiceException('Tried to perform two-factor authentication, but two-factor authentication is not in progress.');
  133.         }
  135.         $response $this->attemptAuthentication($event->getRequest(), $token);
  136.         $event->setResponse($response);
  137.     }
  139.     private function attemptAuthentication(Request $requestTwoFactorTokenInterface $beginToken): Response
  140.     {
  141.         $authCode $this->twoFactorFirewallConfig->getAuthCodeFromRequest($request);
  142.         try {
  143.             if (!$this->hasValidCsrfToken($request)) {
  144.                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
  145.             }
  147.             $token $beginToken->createWithCredentials($authCode);
  148.             $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::ATTEMPT$request$token);
  149.             /** @psalm-suppress InternalMethod */
  150.             $resultToken $this->authenticationManager->authenticate($token);
  152.             return $this->onSuccess($request$resultToken$beginToken);
  153.         } catch (AuthenticationException $failureException) {
  154.             return $this->onFailure($request$beginToken$failureException);
  155.         }
  156.     }
  158.     public function hasValidCsrfToken(Request $request): bool
  159.     {
  160.         $tokenValue $this->twoFactorFirewallConfig->getCsrfTokenFromRequest($request);
  161.         $tokenId $this->twoFactorFirewallConfig->getCsrfTokenId();
  162.         $token = new CsrfToken($tokenId$tokenValue);
  164.         return $this->csrfTokenManager->isTokenValid($token);
  165.     }
  167.     private function onFailure(Request $requestTwoFactorTokenInterface $tokenAuthenticationException $failureException): Response
  168.     {
  169.         $this->logger->info('Two-factor authentication request failed.', ['exception' => $failureException]);
  170.         $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::FAILURE$request$token);
  172.         return $this->failureHandler->onAuthenticationFailure($request$failureException);
  173.     }
  175.     private function onSuccess(Request $requestTokenInterface $tokenTwoFactorTokenInterface $previousTwoFactorToken): Response
  176.     {
  177.         $this->logger->info('User has been two-factor authenticated successfully.', ['username' => UsernameHelper::getTokenUsername($token)]);
  178.         $this->tokenStorage->setToken($token);
  179.         $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::SUCCESS$request$token);
  181.         // When it's still a TwoFactorTokenInterface, keep showing the auth form
  182.         if ($token instanceof TwoFactorTokenInterface) {
  183.             $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::REQUIRE, $request$token);
  185.             return $this->authenticationRequiredHandler->onAuthenticationRequired($request$token);
  186.         }
  188.         $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::COMPLETE$request$token);
  190.         $firewallName $previousTwoFactorToken->getProviderKey(true);
  191.         if ($this->trustedDeviceManager // Make sure the trusted device package is installed
  192.             && $this->shouldSetTrustedDevice($request$previousTwoFactorToken)
  193.             && $this->trustedDeviceManager->canSetTrustedDevice($token->getUser(), $request$firewallName)
  194.         ) {
  195.             $this->trustedDeviceManager->addTrustedDevice($token->getUser(), $firewallName);
  196.         }
  198.         $response $this->successHandler->onAuthenticationSuccess($request$token);
  199.         $this->addRememberMeCookies($previousTwoFactorToken$response);
  201.         return $response;
  202.     }
  204.     private function shouldSetTrustedDevice(Request $requestTwoFactorTokenInterface $previousTwoFactorToken): bool
  205.     {
  206.         return $this->twoFactorFirewallConfig->hasTrustedDeviceParameterInRequest($request)
  207.             || (
  208.                 $this->twoFactorFirewallConfig->isRememberMeSetsTrusted()
  209.                 && $previousTwoFactorToken->hasAttribute(TwoFactorTokenInterface::ATTRIBUTE_NAME_REMEMBER_ME_COOKIE)
  210.             );
  211.     }
  213.     private function dispatchTwoFactorAuthenticationEvent(string $eventTypeRequest $requestTokenInterface $token): void
  214.     {
  215.         $event = new TwoFactorAuthenticationEvent($request$token);
  216.         $this->eventDispatcher->dispatch($event$eventType);
  217.     }
  219.     private function addRememberMeCookies(TwoFactorTokenInterface $twoFactorTokenResponse $response): void
  220.     {
  221.         // Add the remember-me cookie that was previously suppressed by two-factor authentication
  222.         if ($twoFactorToken->hasAttribute(TwoFactorTokenInterface::ATTRIBUTE_NAME_REMEMBER_ME_COOKIE)) {
  223.             $rememberMeCookies $twoFactorToken->getAttribute(TwoFactorTokenInterface::ATTRIBUTE_NAME_REMEMBER_ME_COOKIE);
  224.             foreach ($rememberMeCookies as $cookie) {
  225.                 $response->headers->setCookie($cookie);
  226.             }
  227.         }
  228.     }
  229. }