hydra-sql/src/Controller/MainController.php

<?php

namespace App\Controller;

use App\Entity\User;
use App\Form\UserType;
use App\Services\PdoServices;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Exception\BadRequestException;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
use Symfony\Contracts\HttpClient\HttpClientInterface;

class MainController extends AbstractController
{
    /**
     * @var Session
     */
    private $session;

    /**
     * @var UrlGeneratorInterface
     */
    private $router;

    /**
     * @var HttpClientInterface
     */
    public $client;
    private $pdoServices;

    public function __construct(PdoServices $pdoServices, HttpClientInterface $client, SessionInterface $session, UrlGeneratorInterface $router)
    {
        $this->pdoServices = $pdoServices;
        $this->session = $session;
        $this->client = $client;
        $this->router = $router;
    }

    /**
     * @Route("/oauth/login", name="app_login")
     */
    public function loginOidc(Request $request)
    {
        $challenge = $request->query->get('login_challenge');
        // S'il n'y a pas de challenge, on déclenche une bad request
        if (!$challenge) {
            throw new BadRequestException('pas de challenge');
        }
        // On vérifie que la requête d'identification provient bien de hydra
        $response = $this->client->request('GET', $this->getParameter('url_login_challenge').$challenge, [
            'headers' => [
                'Content-Type: application/json',
            ],
        ]);
        if (200 !== $response->getStatusCode()) {
            $this->session->clear();
            throw new BadRequestException('pa de code 200');
        }
        // si le challenge est validé par hydra, on le stocke en session pour l'utiliser par la suite et on redirige vers une route interne protégée qui va déclencher l'identification FranceConnect
        $this->session->set('challenge', $challenge);

        return $this->redirectToRoute('oauth_login');
    }

    /**
     * @Route("/oauth/connect", name="oauth_login")
     */
    public function oauth(Request $request)
    {
        if ($request->headers->get('referer') !== $this->router->generate('oauth_login', [], 0) && !in_array($request->headers->get('referer'), $this->getParameter('urlIssuer'))) {
            throw new BadRequestException('Vous devez passer par le issuer pour vous connecter');
        }

        $user = new User();
        $loginForm = $this->createForm(UserType::class, $user);
        $loginForm->handleRequest($request);
        if ($loginForm->isSubmitted() && $loginForm->isValid()) {
            $email = $loginForm->get('email')->getData();
            try {
                // requête préparée
                $datas = $this->pdoServices->fetchDatas($email);

                if (!$datas) {
                    // Si le hash du password n'est pas trouvé, c'est que l'email n'existe pas, on retourne la page de login avec une erreur
                    return $this->render('login.html.twig', [
                        'form' => $loginForm->createView(),
                        'error_mail' => 'mail non trouvé',
                    ]);
                }
                $hashPassword = $datas[$this->getParameter('passwordColumnName')];
                $password = $loginForm->get('password')->getData();

                if ($this->pdoServices->verifyPassword($password, $hashPassword)) {
                    // On défait la mot de passe qui ne servira plus
                    unset($datas[$this->getParameter('passwordColumnName')]);
                    $this->session->set('datas', $datas);
                    $response = $this->client->request('PUT', $this->getParameter('url_login_challenge_accept').$this->session->get('challenge'), [
                        'json' => [
                                'subject' => $email,
                                'acr' => 'string',
                        ],
                    ]);
                    // On initie l'acceptation du login challenge émis par hydra et on récupère l'url de redirection
                    $redirect_to = $response->toArray()['redirect_to'];

                    return $this->redirect($redirect_to, 301);
                } else {
                    return $this->render('login.html.twig', [
                        'form' => $loginForm->createView(),
                        'error_password' => 'Le mot de passe est incorrect',
                    ]);
                }
            } catch (\Exception $e) {
                dd($e);
            }
        }

        return $this->render('login.html.twig', [
            'form' => $loginForm->createView(),
        ]);
    }

    /**
     * @Route("/oauth/consent", name="consent")
     */
    public function consent(Request $request)
    {
        $challenge = $request->query->get('consent_challenge');
        if (!$challenge) {
            throw new BadRequestException("Le challenge n'est pas disponible");
        }

        // Vérification du consent_challenge avec hydra
        $response = $this->client->request('GET', $this->getParameter('url_consent_challenge').$challenge, [
            'headers' => [
                'Content-Type: application/json',
            ],
        ]);
        if (200 !== $response->getStatusCode()) {
            $this->session->clear();
            throw new BadRequestException("Le challenge n'est pas authorisé");
        }
        $response = $this->client->request('PUT', $this->getParameter('url_consent_challenge_accept').$challenge, [
            'headers' => [
                'Content-Type: application/json',
            ],
            'json' => [
                'grant_scope' => ['openid', 'offline_access'],
                'session' => [
                    'id_token' => [
                      'user' => $this->session->get('datas'),
                    ],
                  ],
            ],
        ]);
        $redirect_to = $response->toArray()['redirect_to'];

        return $this->redirect($redirect_to, 301);
    }

    /**
     * @Route("/oauth/logout", name="app_logout")
     */
    public function logout()
    {
        $this->session->clear();

        return $this->redirect($this->getParameter('urlLogoutSuccess'));
    }
}
first commit 2022-04-07 11:49:17 +02:00			`<?php`

			`namespace App\Controller;`

login consent app sql 2022-05-03 08:54:45 +02:00			`use App\Entity\User;`
			`use App\Form\UserType;`
			`use App\Services\PdoServices;`
first commit 2022-04-07 11:49:17 +02:00			`use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;`
login consent app sql 2022-05-03 08:54:45 +02:00			`use Symfony\Component\HttpFoundation\Exception\BadRequestException;`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`use Symfony\Component\HttpFoundation\Request;`
			`use Symfony\Component\HttpFoundation\Session\SessionInterface;`
			`use Symfony\Component\Routing\Annotation\Route;`
factorisation 2022-05-03 15:09:42 +02:00			`use Symfony\Component\Routing\Generator\UrlGeneratorInterface;`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`use Symfony\Contracts\HttpClient\HttpClientInterface;`
first commit 2022-04-07 11:49:17 +02:00
			`class MainController extends AbstractController`
			`{`
factorisation 2022-05-03 15:09:42 +02:00			`/**`
login consent app sql 2022-05-03 08:54:45 +02:00			`* @var Session`
			`*/`
			`private $session;`
php-cs-fixer 2022-05-04 17:13:04 +02:00
factorisation 2022-05-03 15:09:42 +02:00			`/**`
			`* @var UrlGeneratorInterface`
			`*/`
			`private $router;`
first commit 2022-04-07 11:49:17 +02:00
login consent app sql 2022-05-03 08:54:45 +02:00			`/**`
			`* @var HttpClientInterface`
			`*/`
			`public $client;`
			`private $pdoServices;`
montée php8.1, ubuntu 22.04 2022-04-07 14:35:36 +02:00
factorisation 2022-05-03 15:09:42 +02:00			`public function __construct(PdoServices $pdoServices, HttpClientInterface $client, SessionInterface $session, UrlGeneratorInterface $router)`
login consent app sql 2022-05-03 08:54:45 +02:00			`{`
			`$this->pdoServices = $pdoServices;`
			`$this->session = $session;`
			`$this->client = $client;`
factorisation 2022-05-03 15:09:42 +02:00			`$this->router = $router;`
login consent app sql 2022-05-03 08:54:45 +02:00			`}`

			`/**`
			`* @Route("/oauth/login", name="app_login")`
			`*/`
			`public function loginOidc(Request $request)`
			`{`
			`$challenge = $request->query->get('login_challenge');`
			`// S'il n'y a pas de challenge, on déclenche une bad request`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`if (!$challenge) {`
login consent app sql 2022-05-03 08:54:45 +02:00			`throw new BadRequestException('pas de challenge');`
			`}`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`// On vérifie que la requête d'identification provient bien de hydra`
login consent app sql 2022-05-03 08:54:45 +02:00			`$response = $this->client->request('GET', $this->getParameter('url_login_challenge').$challenge, [`
			`'headers' => [`
			`'Content-Type: application/json',`
			`],`
			`]);`
			`if (200 !== $response->getStatusCode()) {`
			`$this->session->clear();`
			`throw new BadRequestException('pa de code 200');`
			`}`
			`// si le challenge est validé par hydra, on le stocke en session pour l'utiliser par la suite et on redirige vers une route interne protégée qui va déclencher l'identification FranceConnect`
			`$this->session->set('challenge', $challenge);`

			`return $this->redirectToRoute('oauth_login');`
			`}`

			`/**`
			`* @Route("/oauth/connect", name="oauth_login")`
			`*/`
			`public function oauth(Request $request)`
			`{`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`if ($request->headers->get('referer') !== $this->router->generate('oauth_login', [], 0) && !in_array($request->headers->get('referer'), $this->getParameter('urlIssuer'))) {`
factorisation 2022-05-03 15:09:42 +02:00			`throw new BadRequestException('Vous devez passer par le issuer pour vous connecter');`
			`}`

login consent app sql 2022-05-03 08:54:45 +02:00			`$user = new User();`
			`$loginForm = $this->createForm(UserType::class, $user);`
			`$loginForm->handleRequest($request);`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`if ($loginForm->isSubmitted() && $loginForm->isValid()) {`
login consent app sql 2022-05-03 08:54:45 +02:00			`$email = $loginForm->get('email')->getData();`
			`try {`
factorisation 2022-05-03 15:09:42 +02:00			`// requête préparée`
			`$datas = $this->pdoServices->fetchDatas($email);`
login consent app sql 2022-05-03 08:54:45 +02:00
php-cs-fixer 2022-05-04 17:13:04 +02:00			`if (!$datas) {`
login consent app sql 2022-05-03 08:54:45 +02:00			`// Si le hash du password n'est pas trouvé, c'est que l'email n'existe pas, on retourne la page de login avec une erreur`
			`return $this->render('login.html.twig', [`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`'form' => $loginForm->createView(),`
			`'error_mail' => 'mail non trouvé',`
login consent app sql 2022-05-03 08:54:45 +02:00			`]);`
			`}`
factorisation 2022-05-03 15:09:42 +02:00			`$hashPassword = $datas[$this->getParameter('passwordColumnName')];`
login consent app sql 2022-05-03 08:54:45 +02:00			`$password = $loginForm->get('password')->getData();`

php-cs-fixer 2022-05-04 17:13:04 +02:00			`if ($this->pdoServices->verifyPassword($password, $hashPassword)) {`
deplacmeent composer.phar et php-cs-fixer 2022-05-04 16:53:32 +02:00			`// On défait la mot de passe qui ne servira plus`
factorisation 2022-05-03 15:09:42 +02:00			`unset($datas[$this->getParameter('passwordColumnName')]);`
			`$this->session->set('datas', $datas);`
login consent app sql 2022-05-03 08:54:45 +02:00			`$response = $this->client->request('PUT', $this->getParameter('url_login_challenge_accept').$this->session->get('challenge'), [`
			`'json' => [`
			`'subject' => $email,`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`'acr' => 'string',`
login consent app sql 2022-05-03 08:54:45 +02:00			`],`
			`]);`
			`// On initie l'acceptation du login challenge émis par hydra et on récupère l'url de redirection`
			`$redirect_to = $response->toArray()['redirect_to'];`

php-cs-fixer 2022-05-04 17:13:04 +02:00			`return $this->redirect($redirect_to, 301);`
			`} else {`
login consent app sql 2022-05-03 08:54:45 +02:00			`return $this->render('login.html.twig', [`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`'form' => $loginForm->createView(),`
			`'error_password' => 'Le mot de passe est incorrect',`
login consent app sql 2022-05-03 08:54:45 +02:00			`]);`
			`}`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`} catch (\Exception $e) {`
login consent app sql 2022-05-03 08:54:45 +02:00			`dd($e);`
			`}`
			`}`
php-cs-fixer 2022-05-04 17:13:04 +02:00
login consent app sql 2022-05-03 08:54:45 +02:00			`return $this->render('login.html.twig', [`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`'form' => $loginForm->createView(),`
login consent app sql 2022-05-03 08:54:45 +02:00			`]);`
			`}`

			`/**`
			`* @Route("/oauth/consent", name="consent")`
			`*/`
			`public function consent(Request $request)`
			`{`
			`$challenge = $request->query->get('consent_challenge');`
			`if (!$challenge) {`
			`throw new BadRequestException("Le challenge n'est pas disponible");`
			`}`

			`// Vérification du consent_challenge avec hydra`
			`$response = $this->client->request('GET', $this->getParameter('url_consent_challenge').$challenge, [`
			`'headers' => [`
			`'Content-Type: application/json',`
			`],`
			`]);`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`if (200 !== $response->getStatusCode()) {`
login consent app sql 2022-05-03 08:54:45 +02:00			`$this->session->clear();`
			`throw new BadRequestException("Le challenge n'est pas authorisé");`
			`}`
			`$response = $this->client->request('PUT', $this->getParameter('url_consent_challenge_accept').$challenge, [`
			`'headers' => [`
			`'Content-Type: application/json',`
			`],`
			`'json' => [`
			`'grant_scope' => ['openid', 'offline_access'],`
			`'session' => [`
			`'id_token' => [`
			`'user' => $this->session->get('datas'),`
			`],`
			`],`
			`],`
			`]);`
			`$redirect_to = $response->toArray()['redirect_to'];`

			`return $this->redirect($redirect_to, 301);`
			`}`
factorisation 2022-05-03 15:09:42 +02:00
			`/**`
			`* @Route("/oauth/logout", name="app_logout")`
			`*/`
			`public function logout()`
			`{`
			`$this->session->clear();`

			`return $this->redirect($this->getParameter('urlLogoutSuccess'));`
			`}`
php-cs-fixer 2022-05-04 17:13:04 +02:00			`}`