Cadoles/hydra-sql
22
0
Fork 0
Code Issues 5 Pull Requests 3 Projects Releases Wiki Activity

login consent app sql

Browse Source
This commit is contained in:
Rudy Masson
2022-05-03 08:54:45 +02:00
parent e7253acfd8
commit f9a6535906
1652 changed files with 187600 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

129
vendor/symfony/security-http/RememberMe/AbstractRememberMeHandler.php vendored Normal file
View File

@ -0,0 +1,129 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
/**
* @author Wouter de Jong <wouter@wouterj.nl>
*/
abstract class AbstractRememberMeHandler implements RememberMeHandlerInterface
{
private $userProvider;
protected $requestStack;
protected $options;
protected $logger;
public function __construct(UserProviderInterface $userProvider, RequestStack $requestStack, array $options = [], LoggerInterface $logger = null)
{
$this->userProvider = $userProvider;
$this->requestStack = $requestStack;
$this->options = $options + [
'name' => 'REMEMBERME',
'lifetime' => 31536000,
'path' => '/',
'domain' => null,
'secure' => false,
'httponly' => true,
'samesite' => null,
'always_remember_me' => false,
'remember_me_parameter' => '_remember_me',
];
$this->logger = $logger;
}
/**
* Checks if the RememberMeDetails is a valid cookie to login the given User.
*
* This method should also:
* - Create a new remember-me cookie to be sent with the response (using {@see createCookie()});
* - If you store the token somewhere else (e.g. in a database), invalidate the stored token.
*
* @throws AuthenticationException throw this exception if the remember me details are not accepted
*/
abstract protected function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void;
/**
* {@inheritdoc}
*/
public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): UserInterface
{
try {
// @deprecated since Symfony 5.3, change to $this->userProvider->loadUserByIdentifier() in 6.0
$method = 'loadUserByIdentifier';
if (!method_exists($this->userProvider, 'loadUserByIdentifier')) {
trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($this->userProvider));
$method = 'loadUserByUsername';
}
$user = $this->userProvider->$method($rememberMeDetails->getUserIdentifier());
} catch (AuthenticationException $e) {
throw $e;
}
if (!$user instanceof UserInterface) {
throw new \LogicException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_debug_type($user)));
}
$this->processRememberMe($rememberMeDetails, $user);
if (null !== $this->logger) {
$this->logger->info('Remember-me cookie accepted.');
}
return $user;
}
/**
* {@inheritdoc}
*/
public function clearRememberMeCookie(): void
{
if (null !== $this->logger) {
$this->logger->debug('Clearing remember-me cookie.', ['name' => $this->options['name']]);
}
$this->createCookie(null);
}
/**
* Creates the remember-me cookie using the correct configuration.
*
* @param RememberMeDetails|null $rememberMeDetails The details for the cookie, or null to clear the remember-me cookie
*/
protected function createCookie(?RememberMeDetails $rememberMeDetails)
{
$request = $this->requestStack->getMainRequest();
if (!$request) {
throw new \LogicException('Cannot create the remember-me cookie; no master request available.');
}
// the ResponseListener configures the cookie saved in this attribute on the final response object
$request->attributes->set(ResponseListener::COOKIE_ATTR_NAME, new Cookie(
$this->options['name'],
$rememberMeDetails ? $rememberMeDetails->toString() : null,
$rememberMeDetails ? $rememberMeDetails->getExpires() : 1,
$this->options['path'],
$this->options['domain'],
$this->options['secure'] ?? $request->isSecure(),
$this->options['httponly'],
false,
$this->options['samesite']
));
}
}

309
vendor/symfony/security-http/RememberMe/AbstractRememberMeServices.php vendored Normal file
View File

@ -0,0 +1,309 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CookieTheftException;
use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
use Symfony\Component\Security\Core\Exception\UserNotFoundException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
use Symfony\Component\Security\Http\ParameterBagUtils;
trigger_deprecation('symfony/security-http', '5.4', 'The "%s" class is deprecated, use "%s" instead.', AbstractRememberMeServices::class, AbstractRememberMeHandler::class);
/**
* Base class implementing the RememberMeServicesInterface.
*
* @author Johannes M. Schmitt <schmittjoh@gmail.com>
*
* @deprecated since Symfony 5.4, use {@see AbstractRememberMeHandler} instead
*/
abstract class AbstractRememberMeServices implements RememberMeServicesInterface, LogoutHandlerInterface
{
public const COOKIE_DELIMITER = ':';
protected $logger;
protected $options = [
'secure' => false,
'httponly' => true,
'samesite' => null,
'path' => null,
'domain' => null,
];
private $firewallName;
private $secret;
private $userProviders;
/**
* @throws \InvalidArgumentException
*/
public function __construct(iterable $userProviders, string $secret, string $firewallName, array $options = [], LoggerInterface $logger = null)
{
if (empty($secret)) {
throw new \InvalidArgumentException('$secret must not be empty.');
}
if ('' === $firewallName) {
throw new \InvalidArgumentException('$firewallName must not be empty.');
}
if (!\is_array($userProviders) && !$userProviders instanceof \Countable) {
$userProviders = iterator_to_array($userProviders, false);
}
if (0 === \count($userProviders)) {
throw new \InvalidArgumentException('You must provide at least one user provider.');
}
$this->userProviders = $userProviders;
$this->secret = $secret;
$this->firewallName = $firewallName;
$this->options = array_merge($this->options, $options);
$this->logger = $logger;
}
/**
* Returns the parameter that is used for checking whether remember-me
* services have been requested.
*
* @return string
*/
public function getRememberMeParameter()
{
return $this->options['remember_me_parameter'];
}
/**
* @return string
*/
public function getSecret()
{
return $this->secret;
}
/**
* Implementation of RememberMeServicesInterface. Detects whether a remember-me
* cookie was set, decodes it, and hands it to subclasses for further processing.
*
* @throws CookieTheftException
* @throws \RuntimeException
*/
final public function autoLogin(Request $request): ?TokenInterface
{
if (($cookie = $request->attributes->get(self::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
return null;
}
if (null === $cookie = $request->cookies->get($this->options['name'])) {
return null;
}
if (null !== $this->logger) {
$this->logger->debug('Remember-me cookie detected.');
}
$cookieParts = $this->decodeCookie($cookie);
try {
$user = $this->processAutoLoginCookie($cookieParts, $request);
if (!$user instanceof UserInterface) {
throw new \RuntimeException('processAutoLoginCookie() must return a UserInterface implementation.');
}
if (null !== $this->logger) {
$this->logger->info('Remember-me cookie accepted.');
}
return new RememberMeToken($user, $this->firewallName, $this->secret);
} catch (CookieTheftException $e) {
$this->loginFail($request, $e);
throw $e;
} catch (UserNotFoundException $e) {
if (null !== $this->logger) {
$this->logger->info('User for remember-me cookie not found.', ['exception' => $e]);
}
$this->loginFail($request, $e);
} catch (UnsupportedUserException $e) {
if (null !== $this->logger) {
$this->logger->warning('User class for remember-me cookie not supported.', ['exception' => $e]);
}
$this->loginFail($request, $e);
} catch (AuthenticationException $e) {
if (null !== $this->logger) {
$this->logger->debug('Remember-Me authentication failed.', ['exception' => $e]);
}
$this->loginFail($request, $e);
} catch (\Exception $e) {
$this->loginFail($request, $e);
throw $e;
}
return null;
}
/**
* Implementation for LogoutHandlerInterface. Deletes the cookie.
*/
public function logout(Request $request, Response $response, TokenInterface $token)
{
$this->cancelCookie($request);
}
/**
* Implementation for RememberMeServicesInterface. Deletes the cookie when
* an attempted authentication fails.
*/
final public function loginFail(Request $request, \Exception $exception = null)
{
$this->cancelCookie($request);
$this->onLoginFail($request, $exception);
}
/**
* Implementation for RememberMeServicesInterface. This is called when an
* authentication is successful.
*/
final public function loginSuccess(Request $request, Response $response, TokenInterface $token)
{
// Make sure any old remember-me cookies are cancelled
$this->cancelCookie($request);
if (!$token->getUser() instanceof UserInterface) {
if (null !== $this->logger) {
$this->logger->debug('Remember-me ignores token since it does not contain a UserInterface implementation.');
}
return;
}
if (!$this->isRememberMeRequested($request)) {
if (null !== $this->logger) {
$this->logger->debug('Remember-me was not requested.');
}
return;
}
if (null !== $this->logger) {
$this->logger->debug('Remember-me was requested; setting cookie.');
}
// Remove attribute from request that sets a NULL cookie.
// It was set by $this->cancelCookie()
// (cancelCookie does other things too for some RememberMeServices
// so we should still call it at the start of this method)
$request->attributes->remove(self::COOKIE_ATTR_NAME);
$this->onLoginSuccess($request, $response, $token);
}
/**
* Subclasses should validate the cookie and do any additional processing
* that is required. This is called from autoLogin().
*
* @return UserInterface
*/
abstract protected function processAutoLoginCookie(array $cookieParts, Request $request);
protected function onLoginFail(Request $request, \Exception $exception = null)
{
}
/**
* This is called after a user has been logged in successfully, and has
* requested remember-me capabilities. The implementation usually sets a
* cookie and possibly stores a persistent record of it.
*/
abstract protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token);
final protected function getUserProvider(string $class): UserProviderInterface
{
foreach ($this->userProviders as $provider) {
if ($provider->supportsClass($class)) {
return $provider;
}
}
throw new UnsupportedUserException(sprintf('There is no user provider for user "%s". Shouldn\'t the "supportsClass()" method of your user provider return true for this classname?', $class));
}
/**
* Decodes the raw cookie value.
*
* @return array
*/
protected function decodeCookie(string $rawCookie)
{
return explode(self::COOKIE_DELIMITER, base64_decode($rawCookie));
}
/**
* Encodes the cookie parts.
*
* @return string
*
* @throws \InvalidArgumentException When $cookieParts contain the cookie delimiter. Extending class should either remove or escape it.
*/
protected function encodeCookie(array $cookieParts)
{
foreach ($cookieParts as $cookiePart) {
if (str_contains($cookiePart, self::COOKIE_DELIMITER)) {
throw new \InvalidArgumentException(sprintf('$cookieParts should not contain the cookie delimiter "%s".', self::COOKIE_DELIMITER));
}
}
return base64_encode(implode(self::COOKIE_DELIMITER, $cookieParts));
}
/**
* Deletes the remember-me cookie.
*/
protected function cancelCookie(Request $request)
{
if (null !== $this->logger) {
$this->logger->debug('Clearing remember-me cookie.', ['name' => $this->options['name']]);
}
$request->attributes->set(self::COOKIE_ATTR_NAME, new Cookie($this->options['name'], null, 1, $this->options['path'], $this->options['domain'], $this->options['secure'] ?? $request->isSecure(), $this->options['httponly'], false, $this->options['samesite']));
}
/**
* Checks whether remember-me capabilities were requested.
*
* @return bool
*/
protected function isRememberMeRequested(Request $request)
{
if (true === $this->options['always_remember_me']) {
return true;
}
$parameter = ParameterBagUtils::getRequestParameterValue($request, $this->options['remember_me_parameter']);
if (null === $parameter && null !== $this->logger) {
$this->logger->debug('Did not send remember-me cookie.', ['parameter' => $this->options['remember_me_parameter']]);
}
return 'true' === $parameter || 'on' === $parameter || '1' === $parameter || 'yes' === $parameter || true === $parameter;
}
}

132
vendor/symfony/security-http/RememberMe/PersistentRememberMeHandler.php vendored Normal file
View File

@ -0,0 +1,132 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
use Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface;
use Symfony\Component\Security\Core\Authentication\RememberMe\TokenVerifierInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CookieTheftException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
/**
* Implements remember-me tokens using a {@see TokenProviderInterface}.
*
* This requires storing remember-me tokens in a database. This allows
* more control over the invalidation of remember-me tokens. See
* {@see SignatureRememberMeHandler} if you don't want to use a database.
*
* @author Wouter de Jong <wouter@wouterj.nl>
*/
final class PersistentRememberMeHandler extends AbstractRememberMeHandler
{
private $tokenProvider;
private $tokenVerifier;
private $secret;
public function __construct(TokenProviderInterface $tokenProvider, string $secret, UserProviderInterface $userProvider, RequestStack $requestStack, array $options, LoggerInterface $logger = null, TokenVerifierInterface $tokenVerifier = null)
{
parent::__construct($userProvider, $requestStack, $options, $logger);
if (!$tokenVerifier && $tokenProvider instanceof TokenVerifierInterface) {
$tokenVerifier = $tokenProvider;
}
$this->tokenProvider = $tokenProvider;
$this->tokenVerifier = $tokenVerifier;
$this->secret = $secret;
}
/**
* {@inheritdoc}
*/
public function createRememberMeCookie(UserInterface $user): void
{
$series = base64_encode(random_bytes(64));
$tokenValue = $this->generateHash(base64_encode(random_bytes(64)));
$token = new PersistentToken(\get_class($user), method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(), $series, $tokenValue, new \DateTime());
$this->tokenProvider->createNewToken($token);
$this->createCookie(RememberMeDetails::fromPersistentToken($token, time() + $this->options['lifetime']));
}
/**
* {@inheritdoc}
*/
public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void
{
if (!str_contains($rememberMeDetails->getValue(), ':')) {
throw new AuthenticationException('The cookie is incorrectly formatted.');
}
[$series, $tokenValue] = explode(':', $rememberMeDetails->getValue());
$persistentToken = $this->tokenProvider->loadTokenBySeries($series);
if ($this->tokenVerifier) {
$isTokenValid = $this->tokenVerifier->verifyToken($persistentToken, $tokenValue);
} else {
$isTokenValid = hash_equals($persistentToken->getTokenValue(), $tokenValue);
}
if (!$isTokenValid) {
throw new CookieTheftException('This token was already used. The account is possibly compromised.');
}
if ($persistentToken->getLastUsed()->getTimestamp() + $this->options['lifetime'] < time()) {
throw new AuthenticationException('The cookie has expired.');
}
// if a token was regenerated less than a minute ago, there is no need to regenerate it
// if multiple concurrent requests reauthenticate a user we do not want to update the token several times
if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
$tokenValue = $this->generateHash(base64_encode(random_bytes(64)));
$tokenLastUsed = new \DateTime();
if ($this->tokenVerifier) {
$this->tokenVerifier->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
}
$this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
}
$this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));
}
/**
* {@inheritdoc}
*/
public function clearRememberMeCookie(): void
{
parent::clearRememberMeCookie();
$cookie = $this->requestStack->getMainRequest()->cookies->get($this->options['name']);
if (null === $cookie) {
return;
}
$rememberMeDetails = RememberMeDetails::fromRawCookie($cookie);
[$series, ] = explode(':', $rememberMeDetails->getValue());
$this->tokenProvider->deleteTokenBySeries($series);
}
/**
* @internal
*/
public function getTokenProvider(): TokenProviderInterface
{
return $this->tokenProvider;
}
private function generateHash(string $tokenValue): string
{
return hash_hmac('sha256', $tokenValue, $this->secret);
}
}

167
vendor/symfony/security-http/RememberMe/PersistentTokenBasedRememberMeServices.php vendored Normal file
View File

@ -0,0 +1,167 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentTokenInterface;
use Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CookieTheftException;
trigger_deprecation('symfony/security-http', '5.4', 'The "%s" class is deprecated, use "%s" instead.', PersistentTokenBasedRememberMeServices::class, PersistentRememberMeHandler::class);
/**
* Concrete implementation of the RememberMeServicesInterface which needs
* an implementation of TokenProviderInterface for providing remember-me
* capabilities.
*
* @author Johannes M. Schmitt <schmittjoh@gmail.com>
*
* @deprecated since Symfony 5.4, use {@see PersistentRememberMeHandler} instead
*/
class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
{
private const HASHED_TOKEN_PREFIX = 'sha256_';
/** @var TokenProviderInterface */
private $tokenProvider;
public function setTokenProvider(TokenProviderInterface $tokenProvider)
{
$this->tokenProvider = $tokenProvider;
}
/**
* {@inheritdoc}
*/
protected function cancelCookie(Request $request)
{
// Delete cookie on the client
parent::cancelCookie($request);
// Delete cookie from the tokenProvider
if (null !== ($cookie = $request->cookies->get($this->options['name']))
&& 2 === \count($parts = $this->decodeCookie($cookie))
) {
[$series] = $parts;
$this->tokenProvider->deleteTokenBySeries($series);
}
}
/**
* {@inheritdoc}
*/
protected function processAutoLoginCookie(array $cookieParts, Request $request)
{
if (2 !== \count($cookieParts)) {
throw new AuthenticationException('The cookie is invalid.');
}
[$series, $tokenValue] = $cookieParts;
$persistentToken = $this->tokenProvider->loadTokenBySeries($series);
if (!$this->isTokenValueValid($persistentToken, $tokenValue)) {
throw new CookieTheftException('This token was already used. The account is possibly compromised.');
}
if ($persistentToken->getLastUsed()->getTimestamp() + $this->options['lifetime'] < time()) {
throw new AuthenticationException('The cookie has expired.');
}
$tokenValue = base64_encode(random_bytes(64));
$this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());
$request->attributes->set(self::COOKIE_ATTR_NAME,
new Cookie(
$this->options['name'],
$this->encodeCookie([$series, $tokenValue]),
time() + $this->options['lifetime'],
$this->options['path'],
$this->options['domain'],
$this->options['secure'] ?? $request->isSecure(),
$this->options['httponly'],
false,
$this->options['samesite']
)
);
$userProvider = $this->getUserProvider($persistentToken->getClass());
// @deprecated since Symfony 5.3, change to $persistentToken->getUserIdentifier() in 6.0
if (method_exists($persistentToken, 'getUserIdentifier')) {
$userIdentifier = $persistentToken->getUserIdentifier();
} else {
trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "getUserIdentifier()" in persistent token "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($persistentToken));
$userIdentifier = $persistentToken->getUsername();
}
// @deprecated since Symfony 5.3, change to $userProvider->loadUserByIdentifier() in 6.0
if (method_exists($userProvider, 'loadUserByIdentifier')) {
return $userProvider->loadUserByIdentifier($userIdentifier);
} else {
trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($userProvider));
return $userProvider->loadUserByUsername($userIdentifier);
}
}
/**
* {@inheritdoc}
*/
protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
{
$series = base64_encode(random_bytes(64));
$tokenValue = base64_encode(random_bytes(64));
$this->tokenProvider->createNewToken(
new PersistentToken(
\get_class($user = $token->getUser()),
// @deprecated since Symfony 5.3, change to $user->getUserIdentifier() in 6.0
method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(),
$series,
$this->generateHash($tokenValue),
new \DateTime()
)
);
$response->headers->setCookie(
new Cookie(
$this->options['name'],
$this->encodeCookie([$series, $tokenValue]),
time() + $this->options['lifetime'],
$this->options['path'],
$this->options['domain'],
$this->options['secure'] ?? $request->isSecure(),
$this->options['httponly'],
false,
$this->options['samesite']
)
);
}
private function generateHash(string $tokenValue): string
{
return self::HASHED_TOKEN_PREFIX.hash_hmac('sha256', $tokenValue, $this->getSecret());
}
private function isTokenValueValid(PersistentTokenInterface $persistentToken, string $tokenValue): bool
{
if (0 === strpos($persistentToken->getTokenValue(), self::HASHED_TOKEN_PREFIX)) {
return hash_equals($persistentToken->getTokenValue(), $this->generateHash($tokenValue));
}
return hash_equals($persistentToken->getTokenValue(), $tokenValue);
}
}

88
vendor/symfony/security-http/RememberMe/RememberMeDetails.php vendored Normal file
View File

@ -0,0 +1,88 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
/**
* @author Wouter de Jong <wouter@wouterj.nl>
*/
class RememberMeDetails
{
public const COOKIE_DELIMITER = ':';
private $userFqcn;
private $userIdentifier;
private $expires;
private $value;
public function __construct(string $userFqcn, string $userIdentifier, int $expires, string $value)
{
$this->userFqcn = $userFqcn;
$this->userIdentifier = $userIdentifier;
$this->expires = $expires;
$this->value = $value;
}
public static function fromRawCookie(string $rawCookie): self
{
$cookieParts = explode(self::COOKIE_DELIMITER, base64_decode($rawCookie), 4);
if (false === $cookieParts[1] = base64_decode($cookieParts[1], true)) {
throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
}
if (4 !== \count($cookieParts)) {
throw new AuthenticationException('The cookie contains invalid data.');
}
return new static(...$cookieParts);
}
public static function fromPersistentToken(PersistentToken $persistentToken, int $expires): self
{
return new static($persistentToken->getClass(), $persistentToken->getUserIdentifier(), $expires, $persistentToken->getSeries().':'.$persistentToken->getTokenValue());
}
public function withValue(string $value): self
{
$details = clone $this;
$details->value = $value;
return $details;
}
public function getUserFqcn(): string
{
return $this->userFqcn;
}
public function getUserIdentifier(): string
{
return $this->userIdentifier;
}
public function getExpires(): int
{
return $this->expires;
}
public function getValue(): string
{
return $this->value;
}
public function toString(): string
{
// $userIdentifier is encoded because it might contain COOKIE_DELIMITER, we assume other values don't
return base64_encode(implode(self::COOKIE_DELIMITER, [$this->userFqcn, base64_encode($this->userIdentifier), $this->expires, $this->value]));
}
}

54
vendor/symfony/security-http/RememberMe/RememberMeHandlerInterface.php vendored Normal file
View File

@ -0,0 +1,54 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
/**
* Handles creating and validating remember-me cookies.
*
* If you want to add a custom implementation, you want to extend from
* {@see AbstractRememberMeHandler} instead.
*
* @author Wouter de Jong <wouter@wouterj.nl>
*/
interface RememberMeHandlerInterface
{
/**
* Creates a remember-me cookie.
*
* The actual cookie should be set as an attribute on the main request,
* which is transformed into a response cookie by {@see ResponseListener}.
*/
public function createRememberMeCookie(UserInterface $user): void;
/**
* Validates the remember-me cookie and returns the associated User.
*
* Every cookie should only be used once. This means that this method should also:
* - Create a new remember-me cookie to be sent with the response (using the
* {@see ResponseListener::COOKIE_ATTR_NAME} request attribute);
* - If you store the token somewhere else (e.g. in a database), invalidate the
* stored token.
*
* @throws AuthenticationException
*/
public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): UserInterface;
/**
* Clears the remember-me cookie.
*
* This should set a cookie with a `null` value on the request attribute.
*/
public function clearRememberMeCookie(): void;
}

79
vendor/symfony/security-http/RememberMe/RememberMeServicesInterface.php vendored Normal file
View File

@ -0,0 +1,79 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
trigger_deprecation('symfony/security-http', '5.4', 'The "%s" interface is deprecated, use "%s" instead.', RememberMeServicesInterface::class, RememberMeHandlerInterface::class);
/**
* Interface that needs to be implemented by classes which provide remember-me
* capabilities.
*
* We provide two implementations out-of-the-box:
* - TokenBasedRememberMeServices (does not require a TokenProvider)
* - PersistentTokenBasedRememberMeServices (requires a TokenProvider)
*
* @author Johannes M. Schmitt <schmittjoh@gmail.com>
*
* @method logout(Request $request, Response $response, TokenInterface $token)
*
* @deprecated since Symfony 5.4, use {@see RememberMeHandlerInterface} instead
*/
interface RememberMeServicesInterface
{
/**
* This attribute name can be used by the implementation if it needs to set
* a cookie on the Request when there is no actual Response, yet.
*/
public const COOKIE_ATTR_NAME = '_security_remember_me_cookie';
/**
* This method will be called whenever the TokenStorage does not contain
* a TokenInterface object and the framework wishes to provide an implementation
* with an opportunity to authenticate the request using remember-me capabilities.
*
* No attempt whatsoever is made to determine whether the browser has requested
* remember-me services or presented a valid cookie. Any and all such determinations
* are left to the implementation of this method.
*
* If a browser has presented an unauthorised cookie for whatever reason,
* make sure to throw an AuthenticationException as this will consequentially
* result in a call to loginFail() and therefore an invalidation of the cookie.
*
* @return TokenInterface|null
*/
public function autoLogin(Request $request);
/**
* Called whenever an interactive authentication attempt was made, but the
* credentials supplied by the user were missing or otherwise invalid.
*
* This method needs to take care of invalidating the cookie.
*/
public function loginFail(Request $request, \Exception $exception = null);
/**
* Called whenever an interactive authentication attempt is successful
* (e.g. a form login).
*
* An implementation may always set a remember-me cookie in the Response,
* although this is not recommended.
*
* Instead, implementations should typically look for a request parameter
* (such as an HTTP POST parameter) that indicates the browser has explicitly
* requested for the authentication to be remembered.
*/
public function loginSuccess(Request $request, Response $response, TokenInterface $token);
}

54
vendor/symfony/security-http/RememberMe/ResponseListener.php vendored Normal file
View File

@ -0,0 +1,54 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ResponseEvent;
use Symfony\Component\HttpKernel\KernelEvents;
/**
* Adds remember-me cookies to the Response.
*
* @author Johannes M. Schmitt <schmittjoh@gmail.com>
*
* @final
*/
class ResponseListener implements EventSubscriberInterface
{
/**
* This attribute name can be used by the implementation if it needs to set
* a cookie on the Request when there is no actual Response, yet.
*/
public const COOKIE_ATTR_NAME = '_security_remember_me_cookie';
public function onKernelResponse(ResponseEvent $event)
{
if (!$event->isMainRequest()) {
return;
}
$request = $event->getRequest();
$response = $event->getResponse();
if ($request->attributes->has(self::COOKIE_ATTR_NAME)) {
$response->headers->setCookie($request->attributes->get(self::COOKIE_ATTR_NAME));
}
}
/**
* {@inheritdoc}
*/
public static function getSubscribedEvents(): array
{
return [KernelEvents::RESPONSE => 'onKernelResponse'];
}
}

71
vendor/symfony/security-http/RememberMe/SignatureRememberMeHandler.php vendored Normal file
View File

@ -0,0 +1,71 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Psr\Log\LoggerInterface;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Signature\Exception\ExpiredSignatureException;
use Symfony\Component\Security\Core\Signature\Exception\InvalidSignatureException;
use Symfony\Component\Security\Core\Signature\SignatureHasher;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
/**
* Implements safe remember-me cookies using the {@see SignatureHasher}.
*
* This handler doesn't require a database for the remember-me tokens.
* However, it cannot invalidate a specific user session, all sessions for
* that user will be invalidated instead. Use {@see PersistentRememberMeHandler}
* if you need this.
*
* @author Wouter de Jong <wouter@wouterj.nl>
*/
final class SignatureRememberMeHandler extends AbstractRememberMeHandler
{
private $signatureHasher;
public function __construct(SignatureHasher $signatureHasher, UserProviderInterface $userProvider, RequestStack $requestStack, array $options, LoggerInterface $logger = null)
{
parent::__construct($userProvider, $requestStack, $options, $logger);
$this->signatureHasher = $signatureHasher;
}
/**
* {@inheritdoc}
*/
public function createRememberMeCookie(UserInterface $user): void
{
$expires = time() + $this->options['lifetime'];
$value = $this->signatureHasher->computeSignatureHash($user, $expires);
$details = new RememberMeDetails(\get_class($user), method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(), $expires, $value);
$this->createCookie($details);
}
/**
* {@inheritdoc}
*/
public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void
{
try {
$this->signatureHasher->verifySignatureHash($user, $rememberMeDetails->getExpires(), $rememberMeDetails->getValue());
} catch (InvalidSignatureException $e) {
throw new AuthenticationException('The cookie\'s hash is invalid.', 0, $e);
} catch (ExpiredSignatureException $e) {
throw new AuthenticationException('The cookie has expired.', 0, $e);
}
$this->createRememberMeCookie($user);
}
}

136
vendor/symfony/security-http/RememberMe/TokenBasedRememberMeServices.php vendored Normal file
View File

@ -0,0 +1,136 @@
<?php
/*
* This file is part of the Symfony package.
*
* (c) Fabien Potencier <fabien@symfony.com>
*
* For the full copyright and license information, please view the LICENSE
* file that was distributed with this source code.
*/
namespace Symfony\Component\Security\Http\RememberMe;
use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
trigger_deprecation('symfony/security-http', '5.4', 'The "%s" class is deprecated, use "%s" instead.', TokenBasedRememberMeServices::class, SignatureRememberMeHandler::class);
/**
* Concrete implementation of the RememberMeServicesInterface providing
* remember-me capabilities without requiring a TokenProvider.
*
* @author Johannes M. Schmitt <schmittjoh@gmail.com>
*
* @deprecated since Symfony 5.4, use {@see SignatureRememberMeHandler} instead
*/
class TokenBasedRememberMeServices extends AbstractRememberMeServices
{
/**
* {@inheritdoc}
*/
protected function processAutoLoginCookie(array $cookieParts, Request $request)
{
if (4 !== \count($cookieParts)) {
throw new AuthenticationException('The cookie is invalid.');
}
[$class, $userIdentifier, $expires, $hash] = $cookieParts;
if (false === $userIdentifier = base64_decode($userIdentifier, true)) {
throw new AuthenticationException('$userIdentifier contains a character from outside the base64 alphabet.');
}
try {
$userProvider = $this->getUserProvider($class);
// @deprecated since Symfony 5.3, change to $userProvider->loadUserByIdentifier() in 6.0
if (method_exists($userProvider, 'loadUserByIdentifier')) {
$user = $userProvider->loadUserByIdentifier($userIdentifier);
} else {
trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($userProvider));
$user = $userProvider->loadUserByUsername($userIdentifier);
}
} catch (\Exception $e) {
if (!$e instanceof AuthenticationException) {
$e = new AuthenticationException($e->getMessage(), $e->getCode(), $e);
}
throw $e;
}
if (!$user instanceof UserInterface) {
throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_debug_type($user)));
}
if (true !== hash_equals($this->generateCookieHash($class, $userIdentifier, $expires, $user->getPassword()), $hash)) {
throw new AuthenticationException('The cookie\'s hash is invalid.');
}
if ($expires < time()) {
throw new AuthenticationException('The cookie has expired.');
}
return $user;
}
/**
* {@inheritdoc}
*/
protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
{
$user = $token->getUser();
$expires = time() + $this->options['lifetime'];
// @deprecated since Symfony 5.3, change to $user->getUserIdentifier() in 6.0
$value = $this->generateCookieValue(\get_class($user), method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(), $expires, $user->getPassword());
$response->headers->setCookie(
new Cookie(
$this->options['name'],
$value,
$expires,
$this->options['path'],
$this->options['domain'],
$this->options['secure'] ?? $request->isSecure(),
$this->options['httponly'],
false,
$this->options['samesite']
)
);
}
/**
* Generates the cookie value.
*
* @param int $expires The Unix timestamp when the cookie expires
* @param string|null $password The encoded password
*
* @return string
*/
protected function generateCookieValue(string $class, string $userIdentifier, int $expires, ?string $password)
{
// $userIdentifier is encoded because it might contain COOKIE_DELIMITER,
// we assume other values don't
return $this->encodeCookie([
$class,
base64_encode($userIdentifier),
$expires,
$this->generateCookieHash($class, $userIdentifier, $expires, $password),
]);
}
/**
* Generates a hash for the cookie to ensure it is not being tampered with.
*
* @param int $expires The Unix timestamp when the cookie expires
* @param string|null $password The encoded password
*
* @return string
*/
protected function generateCookieHash(string $class, string $userIdentifier, int $expires, ?string $password)
{
return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$userIdentifier.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
}
}