AbstractRememberMeServices.php 10 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303
  1. <?php
  2. /*
  3. * This file is part of the Symfony package.
  4. *
  5. * (c) Fabien Potencier <fabien@symfony.com>
  6. *
  7. * For the full copyright and license information, please view the LICENSE
  8. * file that was distributed with this source code.
  9. */
  10. namespace Symfony\Component\Security\Http\RememberMe;
  11. use Psr\Log\LoggerInterface;
  12. use Symfony\Component\HttpFoundation\Cookie;
  13. use Symfony\Component\HttpFoundation\Request;
  14. use Symfony\Component\HttpFoundation\Response;
  15. use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
  16. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  17. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  18. use Symfony\Component\Security\Core\Exception\CookieTheftException;
  19. use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
  20. use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
  21. use Symfony\Component\Security\Core\User\UserInterface;
  22. use Symfony\Component\Security\Core\User\UserProviderInterface;
  23. use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
  24. use Symfony\Component\Security\Http\ParameterBagUtils;
  25. /**
  26. * Base class implementing the RememberMeServicesInterface.
  27. *
  28. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  29. */
  30. abstract class AbstractRememberMeServices implements RememberMeServicesInterface, LogoutHandlerInterface
  31. {
  32. public const COOKIE_DELIMITER = ':';
  33. protected $logger;
  34. protected $options = [
  35. 'secure' => false,
  36. 'httponly' => true,
  37. 'samesite' => null,
  38. ];
  39. private $firewallName;
  40. private $secret;
  41. private $userProviders;
  42. /**
  43. * @throws \InvalidArgumentException
  44. */
  45. public function __construct(iterable $userProviders, string $secret, string $firewallName, array $options = [], LoggerInterface $logger = null)
  46. {
  47. if (empty($secret)) {
  48. throw new \InvalidArgumentException('$secret must not be empty.');
  49. }
  50. if ('' === $firewallName) {
  51. throw new \InvalidArgumentException('$firewallName must not be empty.');
  52. }
  53. if (!\is_array($userProviders) && !$userProviders instanceof \Countable) {
  54. $userProviders = iterator_to_array($userProviders, false);
  55. }
  56. if (0 === \count($userProviders)) {
  57. throw new \InvalidArgumentException('You must provide at least one user provider.');
  58. }
  59. $this->userProviders = $userProviders;
  60. $this->secret = $secret;
  61. $this->firewallName = $firewallName;
  62. $this->options = array_merge($this->options, $options);
  63. $this->logger = $logger;
  64. }
  65. /**
  66. * Returns the parameter that is used for checking whether remember-me
  67. * services have been requested.
  68. *
  69. * @return string
  70. */
  71. public function getRememberMeParameter()
  72. {
  73. return $this->options['remember_me_parameter'];
  74. }
  75. /**
  76. * @return string
  77. */
  78. public function getSecret()
  79. {
  80. return $this->secret;
  81. }
  82. /**
  83. * Implementation of RememberMeServicesInterface. Detects whether a remember-me
  84. * cookie was set, decodes it, and hands it to subclasses for further processing.
  85. *
  86. * @throws CookieTheftException
  87. * @throws \RuntimeException
  88. */
  89. final public function autoLogin(Request $request): ?TokenInterface
  90. {
  91. if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
  92. return null;
  93. }
  94. if (null === $cookie = $request->cookies->get($this->options['name'])) {
  95. return null;
  96. }
  97. if (null !== $this->logger) {
  98. $this->logger->debug('Remember-me cookie detected.');
  99. }
  100. $cookieParts = $this->decodeCookie($cookie);
  101. try {
  102. $user = $this->processAutoLoginCookie($cookieParts, $request);
  103. if (!$user instanceof UserInterface) {
  104. throw new \RuntimeException('processAutoLoginCookie() must return a UserInterface implementation.');
  105. }
  106. if (null !== $this->logger) {
  107. $this->logger->info('Remember-me cookie accepted.');
  108. }
  109. return new RememberMeToken($user, $this->firewallName, $this->secret);
  110. } catch (CookieTheftException $e) {
  111. $this->loginFail($request, $e);
  112. throw $e;
  113. } catch (UsernameNotFoundException $e) {
  114. if (null !== $this->logger) {
  115. $this->logger->info('User for remember-me cookie not found.', ['exception' => $e]);
  116. }
  117. $this->loginFail($request, $e);
  118. } catch (UnsupportedUserException $e) {
  119. if (null !== $this->logger) {
  120. $this->logger->warning('User class for remember-me cookie not supported.', ['exception' => $e]);
  121. }
  122. $this->loginFail($request, $e);
  123. } catch (AuthenticationException $e) {
  124. if (null !== $this->logger) {
  125. $this->logger->debug('Remember-Me authentication failed.', ['exception' => $e]);
  126. }
  127. $this->loginFail($request, $e);
  128. } catch (\Exception $e) {
  129. $this->loginFail($request, $e);
  130. throw $e;
  131. }
  132. return null;
  133. }
  134. /**
  135. * Implementation for LogoutHandlerInterface. Deletes the cookie.
  136. */
  137. public function logout(Request $request, Response $response, TokenInterface $token)
  138. {
  139. $this->cancelCookie($request);
  140. }
  141. /**
  142. * Implementation for RememberMeServicesInterface. Deletes the cookie when
  143. * an attempted authentication fails.
  144. */
  145. final public function loginFail(Request $request, \Exception $exception = null)
  146. {
  147. $this->cancelCookie($request);
  148. $this->onLoginFail($request, $exception);
  149. }
  150. /**
  151. * Implementation for RememberMeServicesInterface. This is called when an
  152. * authentication is successful.
  153. */
  154. final public function loginSuccess(Request $request, Response $response, TokenInterface $token)
  155. {
  156. // Make sure any old remember-me cookies are cancelled
  157. $this->cancelCookie($request);
  158. if (!$token->getUser() instanceof UserInterface) {
  159. if (null !== $this->logger) {
  160. $this->logger->debug('Remember-me ignores token since it does not contain a UserInterface implementation.');
  161. }
  162. return;
  163. }
  164. if (!$this->isRememberMeRequested($request)) {
  165. if (null !== $this->logger) {
  166. $this->logger->debug('Remember-me was not requested.');
  167. }
  168. return;
  169. }
  170. if (null !== $this->logger) {
  171. $this->logger->debug('Remember-me was requested; setting cookie.');
  172. }
  173. // Remove attribute from request that sets a NULL cookie.
  174. // It was set by $this->cancelCookie()
  175. // (cancelCookie does other things too for some RememberMeServices
  176. // so we should still call it at the start of this method)
  177. $request->attributes->remove(self::COOKIE_ATTR_NAME);
  178. $this->onLoginSuccess($request, $response, $token);
  179. }
  180. /**
  181. * Subclasses should validate the cookie and do any additional processing
  182. * that is required. This is called from autoLogin().
  183. *
  184. * @return UserInterface
  185. */
  186. abstract protected function processAutoLoginCookie(array $cookieParts, Request $request);
  187. protected function onLoginFail(Request $request, \Exception $exception = null)
  188. {
  189. }
  190. /**
  191. * This is called after a user has been logged in successfully, and has
  192. * requested remember-me capabilities. The implementation usually sets a
  193. * cookie and possibly stores a persistent record of it.
  194. */
  195. abstract protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token);
  196. final protected function getUserProvider(string $class): UserProviderInterface
  197. {
  198. foreach ($this->userProviders as $provider) {
  199. if ($provider->supportsClass($class)) {
  200. return $provider;
  201. }
  202. }
  203. throw new UnsupportedUserException(sprintf('There is no user provider for user "%s". Shouldn\'t the "supportsClass()" method of your user provider return true for this classname?', $class));
  204. }
  205. /**
  206. * Decodes the raw cookie value.
  207. *
  208. * @return array
  209. */
  210. protected function decodeCookie(string $rawCookie)
  211. {
  212. return explode(self::COOKIE_DELIMITER, base64_decode($rawCookie));
  213. }
  214. /**
  215. * Encodes the cookie parts.
  216. *
  217. * @return string
  218. *
  219. * @throws \InvalidArgumentException When $cookieParts contain the cookie delimiter. Extending class should either remove or escape it.
  220. */
  221. protected function encodeCookie(array $cookieParts)
  222. {
  223. foreach ($cookieParts as $cookiePart) {
  224. if (false !== strpos($cookiePart, self::COOKIE_DELIMITER)) {
  225. throw new \InvalidArgumentException(sprintf('$cookieParts should not contain the cookie delimiter "%s".', self::COOKIE_DELIMITER));
  226. }
  227. }
  228. return base64_encode(implode(self::COOKIE_DELIMITER, $cookieParts));
  229. }
  230. /**
  231. * Deletes the remember-me cookie.
  232. */
  233. protected function cancelCookie(Request $request)
  234. {
  235. if (null !== $this->logger) {
  236. $this->logger->debug('Clearing remember-me cookie.', ['name' => $this->options['name']]);
  237. }
  238. $request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'] ?? $request->isSecure(), $this->options['httponly'], false, $this->options['samesite']));
  239. }
  240. /**
  241. * Checks whether remember-me capabilities were requested.
  242. *
  243. * @return bool
  244. */
  245. protected function isRememberMeRequested(Request $request)
  246. {
  247. if (true === $this->options['always_remember_me']) {
  248. return true;
  249. }
  250. $parameter = ParameterBagUtils::getRequestParameterValue($request, $this->options['remember_me_parameter']);
  251. if (null === $parameter && null !== $this->logger) {
  252. $this->logger->debug('Did not send remember-me cookie.', ['parameter' => $this->options['remember_me_parameter']]);
  253. }
  254. return 'true' === $parameter || 'on' === $parameter || '1' === $parameter || 'yes' === $parameter || true === $parameter;
  255. }
  256. }