vendor/scheb/2fa-bundle/Security/Http/Authenticator/TwoFactorAuthenticator.php line 36

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Scheb\TwoFactorBundle\Security\Http\Authenticator;
  7. use Psr\Log\LoggerInterface;
  8. use Psr\Log\NullLogger;
  9. use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
  10. use Scheb\TwoFactorBundle\Security\Http\Authentication\AuthenticationRequiredHandlerInterface;
  11. use Scheb\TwoFactorBundle\Security\Http\Authenticator\Passport\Badge\TrustedDeviceBadge;
  12. use Scheb\TwoFactorBundle\Security\Http\Authenticator\Passport\Credentials\TwoFactorCodeCredentials;
  13. use Scheb\TwoFactorBundle\Security\Http\Authenticator\Passport\TwoFactorPassport;
  14. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvent;
  15. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvents;
  16. use Scheb\TwoFactorBundle\Security\TwoFactor\TwoFactorFirewallConfig;
  17. use Scheb\TwoFactorBundle\Security\UsernameHelper;
  18. use Symfony\Component\HttpFoundation\Request;
  19. use Symfony\Component\HttpFoundation\Response;
  20. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  21. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  22. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  23. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  24. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  25. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  26. use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
  27. use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
  28. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
  29. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
  30. use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
  31. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  33. /**
  34.  * @final
  35.  */
  36. class TwoFactorAuthenticator implements AuthenticatorInterfaceInteractiveAuthenticatorInterface
  37. {
  38.     public const FLAG_2FA_COMPLETE '2fa_complete';
  40.     /**
  41.      * @var TwoFactorFirewallConfig
  42.      */
  43.     private $twoFactorFirewallConfig;
  45.     /**
  46.      * @var TokenStorageInterface
  47.      */
  48.     private $tokenStorage;
  50.     /**
  51.      * @var AuthenticationSuccessHandlerInterface
  52.      */
  53.     private $successHandler;
  55.     /**
  56.      * @var AuthenticationFailureHandlerInterface
  57.      */
  58.     private $failureHandler;
  60.     /**
  61.      * @var AuthenticationRequiredHandlerInterface
  62.      */
  63.     private $authenticationRequiredHandler;
  65.     /**
  66.      * @var EventDispatcherInterface
  67.      */
  68.     private $eventDispatcher;
  70.     /**
  71.      * @var LoggerInterface
  72.      */
  73.     private $logger;
  75.     public function __construct(
  76.         TwoFactorFirewallConfig $twoFactorFirewallConfig,
  77.         TokenStorageInterface $tokenStorage,
  78.         AuthenticationSuccessHandlerInterface $successHandler,
  79.         AuthenticationFailureHandlerInterface $failureHandler,
  80.         AuthenticationRequiredHandlerInterface $authenticationRequiredHandler,
  81.         EventDispatcherInterface $eventDispatcher,
  82.         ?LoggerInterface $logger null
  83.     ) {
  84.         $this->twoFactorFirewallConfig $twoFactorFirewallConfig;
  85.         $this->tokenStorage $tokenStorage;
  86.         $this->successHandler $successHandler;
  87.         $this->failureHandler $failureHandler;
  88.         $this->authenticationRequiredHandler $authenticationRequiredHandler;
  89.         $this->eventDispatcher $eventDispatcher;
  90.         $this->logger $logger ?? new NullLogger();
  91.     }
  93.     public function supports(Request $request): ?bool
  94.     {
  95.         return $this->twoFactorFirewallConfig->isCheckPathRequest($request);
  96.     }
  98.     /**
  99.      * @psalm-suppress InvalidReturnType
  100.      */
  101.     public function authenticate(Request $request): PassportInterface
  102.     {
  103.         // When the firewall is lazy, the token is not initialized in the "supports" stage, so this check does only work
  104.         // within the "authenticate" stage.
  105.         $currentToken $this->tokenStorage->getToken();
  106.         if (!($currentToken instanceof TwoFactorTokenInterface)) {
  107.             // This should only happen when the check path is called outside of a 2fa process
  108.             // access_control can't handle this, as it's called after the authenticator
  109.             throw new AccessDeniedException('User is not in a two-factor authentication process.');
  110.         }
  112.         $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::ATTEMPT$request$currentToken);
  114.         $credentials = new TwoFactorCodeCredentials($this->twoFactorFirewallConfig->getAuthCodeFromRequest($request));
  115.         $passport = new TwoFactorPassport($currentToken$credentials, []);
  116.         if ($currentToken->hasAttribute(TwoFactorTokenInterface::ATTRIBUTE_NAME_USE_REMEMBER_ME)) {
  117.             $rememberMeBadge = new RememberMeBadge();
  118.             $rememberMeBadge->enable();
  119.             $passport->addBadge($rememberMeBadge);
  120.         }
  122.         if ($this->twoFactorFirewallConfig->isCsrfProtectionEnabled()) {
  123.             $tokenValue $this->twoFactorFirewallConfig->getCsrfTokenFromRequest($request);
  124.             $tokenId $this->twoFactorFirewallConfig->getCsrfTokenId();
  125.             $passport->addBadge(new CsrfTokenBadge($tokenId$tokenValue));
  126.         }
  128.         // Make sure the trusted device package is installed
  129.         if (class_exists(TrustedDeviceBadge::class) && $this->shouldSetTrustedDevice($request$passport)) {
  130.             $passport->addBadge(new TrustedDeviceBadge());
  131.         }
  133.         /** @psalm-suppress InvalidReturnStatement */
  135.         return $passport;
  136.     }
  138.     private function shouldSetTrustedDevice(Request $requestTwoFactorPassport $passport): bool
  139.     {
  140.         return $this->twoFactorFirewallConfig->hasTrustedDeviceParameterInRequest($request)
  141.             || (
  142.                 $this->twoFactorFirewallConfig->isRememberMeSetsTrusted()
  143.                 && $passport->hasBadge(RememberMeBadge::class)
  144.             );
  145.     }
  147.     public function createAuthenticatedToken(PassportInterface $passportstring $firewallName): TokenInterface
  148.     {
  149.         /** @var TwoFactorPassport $passport */
  150.         $twoFactorToken $passport->getTwoFactorToken();
  152.         if ($this->isAuthenticationComplete($twoFactorToken)) {
  153.             $authenticatedToken $twoFactorToken->getAuthenticatedToken(); // Authentication complete, unwrap the token
  154.             $authenticatedToken->setAttribute(self::FLAG_2FA_COMPLETEtrue);
  156.             return $authenticatedToken;
  157.         }
  159.         return $twoFactorToken;
  160.     }
  162.     private function isAuthenticationComplete(TwoFactorTokenInterface $token): bool
  163.     {
  164.         return !$this->twoFactorFirewallConfig->isMultiFactor() || $token->allTwoFactorProvidersAuthenticated();
  165.     }
  167.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $firewallName): ?Response
  168.     {
  169.         $this->logger->info('User has been two-factor authenticated successfully.', ['username' => UsernameHelper::getTokenUsername($token)]);
  170.         $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::SUCCESS$request$token);
  172.         // When it's still a TwoFactorTokenInterface, keep showing the auth form
  173.         if ($token instanceof TwoFactorTokenInterface) {
  174.             $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::REQUIRE, $request$token);
  176.             return $this->authenticationRequiredHandler->onAuthenticationRequired($request$token);
  177.         }
  179.         $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::COMPLETE$request$token);
  181.         return $this->successHandler->onAuthenticationSuccess($request$token);
  182.     }
  184.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): ?Response
  185.     {
  186.         /** @var TwoFactorTokenInterface $currentToken */
  187.         $currentToken $this->tokenStorage->getToken();
  188.         $this->logger->info('Two-factor authentication request failed.', ['exception' => $exception]);
  189.         $this->dispatchTwoFactorAuthenticationEvent(TwoFactorAuthenticationEvents::FAILURE$request$currentToken);
  191.         return $this->failureHandler->onAuthenticationFailure($request$exception);
  192.     }
  194.     private function dispatchTwoFactorAuthenticationEvent(string $eventTypeRequest $requestTokenInterface $token): void
  195.     {
  196.         $event = new TwoFactorAuthenticationEvent($request$token);
  197.         $this->eventDispatcher->dispatch($event$eventType);
  198.     }
  200.     public function isInteractive(): bool
  201.     {
  202.         return true;
  203.     }
  204. }