vendor/contao/core-bundle/src/Security/Authentication/Provider/AuthenticationProvider.php line 87

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. /*
  6.  * This file is part of Contao.
  7.  *
  8.  * (c) Leo Feyer
  9.  *
  10.  * @license LGPL-3.0-or-later
  11.  */
  13. namespace Contao\CoreBundle\Security\Authentication\Provider;
  15. use Contao\CoreBundle\Framework\ContaoFramework;
  16. use Contao\CoreBundle\Security\Exception\LockedException;
  17. use Contao\System;
  18. use Contao\User;
  19. use Scheb\TwoFactorBundle\Security\Authentication\Exception\InvalidTwoFactorCodeException;
  20. use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
  21. use Scheb\TwoFactorBundle\Security\TwoFactor\AuthenticationContextFactoryInterface;
  22. use Scheb\TwoFactorBundle\Security\TwoFactor\Handler\AuthenticationHandlerInterface;
  23. use Scheb\TwoFactorBundle\Security\TwoFactor\Trusted\TrustedDeviceManagerInterface;
  24. use Symfony\Component\HttpFoundation\RequestStack;
  25. use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
  26. use Symfony\Component\Security\Core\Authentication\Provider\DaoAuthenticationProvider;
  27. use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
  28. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  29. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  30. use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
  31. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  32. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  33. use Symfony\Component\Security\Core\User\UserCheckerInterface;
  34. use Symfony\Component\Security\Core\User\UserInterface;
  35. use Symfony\Component\Security\Core\User\UserProviderInterface;
  37. class AuthenticationProvider extends DaoAuthenticationProvider
  38. {
  39.     /**
  40.      * @var UserCheckerInterface
  41.      */
  42.     private $userChecker;
  44.     /**
  45.      * @var string
  46.      */
  47.     private $providerKey;
  49.     /**
  50.      * @var ContaoFramework
  51.      */
  52.     private $framework;
  54.     /**
  55.      * @var AuthenticationProviderInterface
  56.      */
  57.     private $twoFactorAuthenticationProvider;
  59.     /**
  60.      * @var AuthenticationHandlerInterface
  61.      */
  62.     private $twoFactorAuthenticationHandler;
  64.     /**
  65.      * @var AuthenticationContextFactoryInterface
  66.      */
  67.     private $authenticationContextFactory;
  69.     /**
  70.      * @var RequestStack
  71.      */
  72.     private $requestStack;
  74.     /**
  75.      * @var TrustedDeviceManagerInterface
  76.      */
  77.     private $trustedDeviceManager;
  79.     /**
  80.      * @internal Do not inherit from this class; decorate the "contao.security.authentication_provider" service instead
  81.      *
  82.      * @todo Replace EncoderFactoryInterface with Symfony\Component\PasswordHasher\Hasher\PasswordHasherFactoryInterface
  83.      */
  84.     public function __construct(UserProviderInterface $userProviderUserCheckerInterface $userCheckerstring $providerKeyEncoderFactoryInterface $encoderFactoryContaoFramework $frameworkAuthenticationProviderInterface $twoFactorAuthenticationProviderAuthenticationHandlerInterface $twoFactorAuthenticationHandlerAuthenticationContextFactoryInterface $authenticationContextFactoryRequestStack $requestStackTrustedDeviceManagerInterface $trustedDeviceManager)
  85.     {
  86.         /** @phpstan-ignore-next-line */
  87.         parent::__construct($userProvider$userChecker$providerKey$encoderFactoryfalse);
  89.         $this->userChecker $userChecker;
  90.         $this->providerKey $providerKey;
  91.         $this->framework $framework;
  92.         $this->twoFactorAuthenticationProvider $twoFactorAuthenticationProvider;
  93.         $this->twoFactorAuthenticationHandler $twoFactorAuthenticationHandler;
  94.         $this->authenticationContextFactory $authenticationContextFactory;
  95.         $this->requestStack $requestStack;
  96.         $this->trustedDeviceManager $trustedDeviceManager;
  97.     }
  99.     public function authenticate(TokenInterface $token): TokenInterface
  100.     {
  101.         if ($token instanceof TwoFactorTokenInterface) {
  102.             return $this->checkTwoFactor($token);
  103.         }
  105.         $wasAlreadyAuthenticated $token->isAuthenticated();
  106.         $token parent::authenticate($token);
  108.         // Only trigger two-factor authentication when the provider was called
  109.         // with an unauthenticated token. When we get an authenticated token,
  110.         // the system will refresh it and starting two-factor authentication
  111.         // would trigger an endless loop.
  112.         if ($wasAlreadyAuthenticated) {
  113.             return $token;
  114.         }
  116.         // AnonymousToken and TwoFactorTokenInterface can be ignored.
  117.         if ($token instanceof AnonymousToken || $token instanceof TwoFactorTokenInterface) {
  118.             return $token;
  119.         }
  121.         // Skip two-factor authentication on trusted devices
  122.         if ($this->trustedDeviceManager->isTrustedDevice($token->getUser(), $this->providerKey)) {
  123.             return $token;
  124.         }
  126.         $request $this->requestStack->getMasterRequest();
  127.         $context $this->authenticationContextFactory->create($request$token$this->providerKey);
  129.         return $this->twoFactorAuthenticationHandler->beginTwoFactorAuthentication($context);
  130.     }
  132.     public function supports(TokenInterface $token): bool
  133.     {
  134.         return parent::supports($token) || $this->twoFactorAuthenticationProvider->supports($token);
  135.     }
  137.     public function checkAuthentication(UserInterface $userUsernamePasswordToken $token): void
  138.     {
  139.         if (!$user instanceof User) {
  140.             parent::checkAuthentication($user$token);
  142.             return;
  143.         }
  145.         try {
  146.             parent::checkAuthentication($user$token);
  147.         } catch (AuthenticationException $exception) {
  148.             if (!$exception instanceof BadCredentialsException) {
  149.                 throw $exception;
  150.             }
  152.             if (!$this->triggerCheckCredentialsHook($user$token)) {
  153.                 $exception = new BadCredentialsException(
  154.                     sprintf('Invalid password submitted for username "%s"'$user->username),
  155.                     $exception->getCode(),
  156.                     $exception
  157.                 );
  159.                 throw $this->onBadCredentials($user$exception);
  160.             }
  161.         }
  162.     }
  164.     private function checkTwoFactor(TokenInterface $token): TokenInterface
  165.     {
  166.         $user $token->getUser();
  168.         if (!$user instanceof User) {
  169.             return $this->twoFactorAuthenticationProvider->authenticate($token);
  170.         }
  172.         try {
  173.             $this->userChecker->checkPreAuth($user);
  174.             $token $this->twoFactorAuthenticationProvider->authenticate($token);
  175.             $this->userChecker->checkPostAuth($user);
  177.             return $token;
  178.         } catch (AuthenticationException $exception) {
  179.             if (!$exception instanceof InvalidTwoFactorCodeException) {
  180.                 throw $exception;
  181.             }
  183.             $exception = new InvalidTwoFactorCodeException(
  184.                 sprintf('Invalid two-factor code submitted for username "%s"'$user->username),
  185.                 $exception->getCode(),
  186.                 $exception
  187.             );
  189.             throw $this->onBadCredentials($user$exception);
  190.         }
  191.     }
  193.     /**
  194.      * Counts the login attempts and locks the user after three failed attempts
  195.      * following a specific delay scheme.
  196.      *
  197.      * After the third failed attempt A, the authentication server waits for an
  198.      * increased (A - 2) * 60 seconds. After 3 attempts, the server waits for 60 seconds,
  199.      * at the fourth failed attempt, it waits for 2 * 60 = 120 seconds and so on.
  200.      */
  201.     private function onBadCredentials(User $userAuthenticationException $exception): AuthenticationException
  202.     {
  203.         ++$user->loginAttempts;
  205.         if ($user->loginAttempts 3) {
  206.             $user->save();
  208.             return $exception;
  209.         }
  211.         $lockedSeconds = ($user->loginAttempts 2) * 60;
  213.         $user->locked time() + $lockedSeconds;
  214.         $user->save();
  216.         $exception = new LockedException(
  217.             $lockedSeconds,
  218.             sprintf('User "%s" has been locked for %s seconds'$user->username$lockedSeconds),
  219.             0,
  220.             $exception
  221.         );
  223.         $exception->setUser($user);
  225.         return $exception;
  226.     }
  228.     private function triggerCheckCredentialsHook(User $userUsernamePasswordToken $token): bool
  229.     {
  230.         $this->framework->initialize();
  232.         if (empty($GLOBALS['TL_HOOKS']['checkCredentials']) || !\is_array($GLOBALS['TL_HOOKS']['checkCredentials'])) {
  233.             return false;
  234.         }
  236.         trigger_deprecation('contao/core-bundle''4.5''Using the "checkCredentials" hook has been deprecated and will no longer work in Contao 5.0.');
  238.         /** @var System $system */
  239.         $system $this->framework->getAdapter(System::class);
  240.         $username $token->getUsername();
  241.         $credentials $token->getCredentials();
  243.         foreach ($GLOBALS['TL_HOOKS']['checkCredentials'] as $callback) {
  244.             if ($system->importStatic($callback[0])->{$callback[1]}($username$credentials$user)) {
  245.                 return true;
  246.             }
  247.         }
  249.         return false;
  250.     }
  251. }