maj: sémantique, révision vérification password #3
|
@ -2,11 +2,16 @@ security:
|
|||
enable_authenticator_manager: true
|
||||
# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
|
||||
password_hashers:
|
||||
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
|
||||
app_hasher:
|
||||
# the service ID of your custom hasher (the FQCN using the default services.yaml)
|
||||
id: 'App\Security\Hasher\PasswordEncoder'
|
||||
# App\Entity\User: 'sha256'
|
||||
# Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
|
||||
# algorithm: 'sha256'
|
||||
# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
|
||||
providers:
|
||||
pdo_user_provider:
|
||||
id: App\Security\PdoUserProvider
|
||||
id: App\Security\SQLLoginUserProvider
|
||||
firewalls:
|
||||
dev:
|
||||
pattern: ^/(_(profiler|wdt)|css|images|js)/
|
||||
|
@ -16,7 +21,7 @@ security:
|
|||
stateless: false
|
||||
provider: pdo_user_provider
|
||||
custom_authenticators:
|
||||
- App\Security\PdoUserAuthenticator
|
||||
- App\Security\SQLLoginUserAuthenticator
|
||||
|
||||
entry_point: form_login
|
||||
form_login:
|
||||
|
|
|
@ -1,9 +1,9 @@
|
|||
twig:
|
||||
globals:
|
||||
locales: "%app.supported_locales%"
|
||||
default_path: '%kernel.project_dir%/templates'
|
||||
form_themes:
|
||||
- 'bootstrap_5_layout.html.twig'
|
||||
globals:
|
||||
locales: "%app.supported_locales%"
|
||||
when@test:
|
||||
twig:
|
||||
strict_variables: true
|
||||
|
|
|
@ -1,8 +0,0 @@
|
|||
pdo:
|
||||
column_login_name: email
|
||||
column_password_name: password
|
||||
table_name: usager
|
||||
data_to_fetch:
|
||||
- email
|
||||
- lastname
|
||||
- firstname
|
|
@ -24,6 +24,9 @@ parameters:
|
|||
env(APP_LOCALES): "fr,en"
|
||||
locales: '%env(APP_LOCALES)%'
|
||||
app.supported_locales: ~
|
||||
|
||||
env(PEPPER): "257d62c24cd352c21b51c26dba678c8ff05011a89022aec106185bf67c69aa8b"
|
||||
|
||||
pepper: '%env(resolve:PEPPER)%'
|
||||
services:
|
||||
# default configuration for services in *this* file
|
||||
_defaults:
|
||||
|
@ -39,11 +42,11 @@ services:
|
|||
- '../src/Entity/'
|
||||
- '../src/Kernel.php'
|
||||
|
||||
App\Security\PdoUserAuthenticator:
|
||||
App\Security\SQLLoginUserAuthenticator:
|
||||
arguments:
|
||||
$baseUrl: '%base_url%'
|
||||
|
||||
App\Pdo\PdoRequest:
|
||||
App\SQLLogin\SQLLoginRequest:
|
||||
arguments:
|
||||
$config: []
|
||||
$dsn: "%database.dsn%"
|
||||
|
@ -58,5 +61,10 @@ services:
|
|||
App\EventListener\LocaleSubscriber:
|
||||
arguments:
|
||||
$defaultLocale: "%default_locale%"
|
||||
|
||||
App\Security\Hasher\PasswordEncoder:
|
||||
arguments:
|
||||
$pepper: '%pepper%'
|
||||
$hashAlgo: '%hashAlgo%'
|
||||
# add more service definitions when explicit configuration is needed
|
||||
# please note that last definitions always *replace* previous ones
|
||||
|
|
|
@ -0,0 +1,9 @@
|
|||
sql_login:
|
||||
login_column_name: email
|
||||
password_column_name: password
|
||||
salt_column_name: salt
|
||||
table_name: usager
|
||||
data_to_fetch:
|
||||
- email
|
||||
- lastname
|
||||
- firstname
|
|
@ -1,12 +1,15 @@
|
|||
CREATE TABLE IF NOT EXISTS usager (
|
||||
email VARCHAR ( 100 ) UNIQUE NOT NULL,
|
||||
password VARCHAR ( 255 ) NOT NULL,
|
||||
salt VARCHAR (255),
|
||||
lastname VARCHAR ( 255 ) NOT NULL,
|
||||
firstname VARCHAR ( 255 ) NOT NULL
|
||||
);
|
||||
INSERT INTO usager (email, password, salt, lastname, firstname) VALUES
|
||||
('test1@test.com', '8ad4025044b77ae6a5e3fcf99e53e44b15db9a4ecf468be21cbc6b9fbdae6d9f', 'cesaltestunexemple', 'Locke', 'John'),
|
||||
('test3@test.com', '504ae1c3e2f5fdaf41f868164dabcef21e17059f5f388b452718a1ce92692c67', 'cesaltestunautreexemple', 'Dupont', 'Henri');
|
||||
|
||||
INSERT INTO usager (email, password, lastname, firstname) VALUES
|
||||
('test1@test.com', '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92', 'Locke', 'John'),
|
||||
('test2@test.com', '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92', 'Dubois', 'Angela'),
|
||||
('test3@test.com', '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92', 'Dupont', 'Henri'),
|
||||
('test4@test.com', '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92', 'Durand', 'Isabelle');
|
||||
('test4@test.com', '50626fa21f45a275cea0efff13ff78fd02234cade322da08b7191c7e9150141d', 'Durand', 'Isabelle'),
|
||||
('test2@test.com', '50626fa21f45a275cea0efff13ff78fd02234cade322da08b7191c7e9150141d', 'Dubois', 'Angela');
|
||||
GRANT ALL PRIVILEGES ON DATABASE usager TO lasql
|
||||
|
|
45
readme.md
|
@ -35,7 +35,25 @@ HYDRA_ADMIN_BASE_URL='http://hydra:4445'
|
|||
DSN_REMOTE_DATABASE="pgsql:host='postgres';port=5432;dbname=lasql"
|
||||
APP_LOCALES="fr,en"
|
||||
```
|
||||
## Tests password
|
||||
|
||||
### Postgres
|
||||
|
||||
```
|
||||
Les mot de passe inscrits en bdd sont hachés en tenant compte du salt si non vide (cf données de la bdd plus bas) et du pepper inscrit en variable d'environnement (généré avec : bin2hex(random_bytes(32))
|
||||
Il faut inscrire dans slq_login_configuration salt_column_name: salt
|
||||
et conserver le pepper dans service.yaml
|
||||
env(PEPPER): "257d62c24cd352c21b51c26dba678c8ff05011a89022aec106185bf67c69aa8b"
|
||||
|
||||
```
|
||||
### mariadb
|
||||
```
|
||||
En plus de tester la connexion à une différente base de donnée, on teste le hashage de password sans salt ni pepper
|
||||
Il faut mettre dans sql_login_configuration salt_column_name: ~
|
||||
et dans service.yaml
|
||||
env(PEPPER): ~
|
||||
|
||||
```
|
||||
### test connexion mariadb
|
||||
```
|
||||
Modifier la variable d'environnement avec cette valeur
|
||||
|
@ -45,13 +63,23 @@ DSN_REMOTE_DATABASE="mysql:host=mariadb;port=3306;dbname=lasql;"
|
|||
|
||||
## Données de test
|
||||
|
||||
un base de données postgres est montée dans l'environnement pour tester la connexion:
|
||||
### postgres
|
||||
```
|
||||
|email|password|salt|lastname|firstname
|
||||
|test1@test.com| 8ad4025044b77ae6a5e3fcf99e53e44b15db9a4ecf468be21cbc6b9fbdae6d9f| cesaltestunexemple| Locke|John|
|
||||
|test2@test.com| 50626fa21f45a275cea0efff13ff78fd02234cade322da08b7191c7e9150141d| NULL| Dubois| Angela|
|
||||
|test3@test.com| 504ae1c3e2f5fdaf41f868164dabcef21e17059f5f388b452718a1ce92692c67| cesaltestunautreexemple| Dupont| Henri|
|
||||
|test4@test.com| 50626fa21f45a275cea0efff13ff78fd02234cade322da08b7191c7e9150141d| NULL| Durand|Isabelle|
|
||||
```
|
||||
|
||||
utilisateurs disponibles au démarage:
|
||||
('test1@test.com', '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92', 'Locke', 'John'),
|
||||
('test2@test.com', '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92', 'Dubois', 'Angela'),
|
||||
('test3@test.com', '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92', 'Dupont', 'Henri'),
|
||||
('test4@test.com', '8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92', 'Durand', 'Isabelle');
|
||||
### mariadb (sans salt)
|
||||
```
|
||||
|email|password|lastname|firstname
|
||||
|test1@test.com| 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92| Sassot|Charles|
|
||||
|test2@test.com| 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92| Dubois| Angela|
|
||||
|test3@test.com| 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92| Dupont| Henri|
|
||||
|test4@test.com| 8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92| Durand|Isabelle|
|
||||
```
|
||||
|
||||
Mot de passe = '123456' hashé en par sha256
|
||||
|
||||
|
@ -61,8 +89,9 @@ Permet d'adapter les requetes SQL en indiquant les noms de colonnes nécessaires
|
|||
pdo_configuration/pdo.yaml
|
||||
```
|
||||
pdo:
|
||||
column_login_name: email
|
||||
column_password_name: password
|
||||
login_column_name: email
|
||||
password_column_name: password
|
||||
salt_column_name: ~
|
||||
table_name: usager
|
||||
data_to_fetch:
|
||||
- email
|
||||
|
|
|
@ -3,14 +3,25 @@
|
|||
namespace App\Controller;
|
||||
|
||||
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
||||
use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\Routing\Annotation\Route;
|
||||
|
||||
class LocaleController extends AbstractController
|
||||
{
|
||||
#[Route(path: 'locale/{locale}', name: 'locale_change')]
|
||||
public function changeLocal(string $locale, Request $request)
|
||||
private ParameterBagInterface $params;
|
||||
|
||||
public function __construct(ParameterBagInterface $params)
|
||||
{
|
||||
$this->params = $params;
|
||||
}
|
||||
|
||||
#[Route(path: 'locale/{locale?}', name: 'locale_change')]
|
||||
public function changeLocal(?string $locale, Request $request)
|
||||
{
|
||||
if (empty($locale)) {
|
||||
$locale = $this->params->get('default_locale');
|
||||
}
|
||||
// On stocke la langue dans la session
|
||||
$request->getSession()->set('_locale', $locale);
|
||||
|
||||
|
|
|
@ -3,7 +3,7 @@
|
|||
namespace App\Controller;
|
||||
|
||||
use App\Form\LoginType;
|
||||
use App\Security\PdoUserAuthenticator;
|
||||
use App\Security\SQLLoginUserAuthenticator;
|
||||
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
||||
use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
|
||||
use Symfony\Component\Form\FormError;
|
||||
|
@ -28,17 +28,17 @@ class SecurityController extends AbstractController
|
|||
$loginForm = $this->createForm(LoginType::class, null);
|
||||
$error = $authenticationUtils->getLastAuthenticationError();
|
||||
if ($error) {
|
||||
if ($request->getSession()->has(PdoUserAuthenticator::ERROR_LOGIN)) {
|
||||
if ($request->getSession()->has(SQLLoginUserAuthenticator::ERROR_LOGIN)) {
|
||||
$loginForm->get('login')->addError(new FormError($trans->trans('error.login', [], 'messages')));
|
||||
$request->getSession()->remove(PdoUserAuthenticator::ERROR_LOGIN);
|
||||
$request->getSession()->remove(SQLLoginUserAuthenticator::ERROR_LOGIN);
|
||||
}
|
||||
if ($request->getSession()->has(PdoUserAuthenticator::ERROR_PASSWORD)) {
|
||||
if ($request->getSession()->has(SQLLoginUserAuthenticator::ERROR_PASSWORD)) {
|
||||
$loginForm->get('password')->addError(new FormError($trans->trans('error.password', [], 'messages')));
|
||||
$request->getSession()->remove(PdoUserAuthenticator::ERROR_PASSWORD);
|
||||
$request->getSession()->remove(SQLLoginUserAuthenticator::ERROR_PASSWORD);
|
||||
}
|
||||
if ($request->getSession()->has(PdoUserAuthenticator::ERROR_PDO)) {
|
||||
if ($request->getSession()->has(SQLLoginUserAuthenticator::ERROR_PDO)) {
|
||||
$loginForm->addError(new FormError($trans->trans('error.pdo', [], 'messages')));
|
||||
$request->getSession()->remove(PdoUserAuthenticator::ERROR_PDO);
|
||||
$request->getSession()->remove(SQLLoginUserAuthenticator::ERROR_PDO);
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -1,25 +0,0 @@
|
|||
<?php
|
||||
|
||||
namespace App\DependencyInjection;
|
||||
|
||||
use App\Pdo\PdoRequest;
|
||||
use Symfony\Component\Config\Definition\Builder\TreeBuilder;
|
||||
use Symfony\Component\Config\Definition\ConfigurationInterface;
|
||||
|
||||
class PdoConfiguration implements ConfigurationInterface
|
||||
{
|
||||
public function getConfigTreeBuilder()
|
||||
{
|
||||
$treeBuilder = new TreeBuilder('pdo');
|
||||
$treeBuilder->getRootNode()->children()
|
||||
->scalarNode(PdoRequest::COLUMN_LOGIN_NAME)->isRequired()->cannotBeEmpty()->end()
|
||||
->scalarNode(PdoRequest::COLUMN_PASSWORD_NAME)->isRequired()->cannotBeEmpty()->end()
|
||||
->scalarNode(PdoRequest::TABLE_NAME)->isRequired()->cannotBeEmpty()->end()
|
||||
->arrayNode(PdoRequest::DATA_TO_FETCH)
|
||||
->scalarPrototype()->end()
|
||||
->end()
|
||||
->end();
|
||||
|
||||
return $treeBuilder;
|
||||
}
|
||||
}
|
|
@ -0,0 +1,26 @@
|
|||
<?php
|
||||
|
||||
namespace App\DependencyInjection;
|
||||
|
||||
use App\SQLLogin\SQLLoginRequest;
|
||||
use Symfony\Component\Config\Definition\Builder\TreeBuilder;
|
||||
use Symfony\Component\Config\Definition\ConfigurationInterface;
|
||||
|
||||
class SQLLoginConfiguration implements ConfigurationInterface
|
||||
{
|
||||
public function getConfigTreeBuilder()
|
||||
{
|
||||
$treeBuilder = new TreeBuilder('sql_login');
|
||||
$treeBuilder->getRootNode()->children()
|
||||
->scalarNode(SQLLoginRequest::LOGIN_COLUMN_NAME)->isRequired()->cannotBeEmpty()->end()
|
||||
->scalarNode(SQLLoginRequest::PASSWORD_COLUMN_NAME)->isRequired()->cannotBeEmpty()->end()
|
||||
->scalarNode(SQLLoginRequest::SALT_COLUMN_NAME)->end()
|
||||
->scalarNode(SQLLoginRequest::TABLE_NAME)->isRequired()->cannotBeEmpty()->end()
|
||||
->arrayNode(SQLLoginRequest::DATA_TO_FETCH)
|
||||
->scalarPrototype()->end()
|
||||
->end()
|
||||
->end();
|
||||
|
||||
return $treeBuilder;
|
||||
}
|
||||
}
|
|
@ -2,26 +2,26 @@
|
|||
|
||||
namespace App\DependencyInjection;
|
||||
|
||||
use App\Pdo\PdoRequest;
|
||||
use App\SQLLogin\SQLLoginRequest;
|
||||
use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
|
||||
use Symfony\Component\DependencyInjection\ContainerBuilder;
|
||||
use Symfony\Component\DependencyInjection\Extension\Extension;
|
||||
|
||||
class PdoExtension extends Extension implements CompilerPassInterface
|
||||
class SQLLoginExtension extends Extension implements CompilerPassInterface
|
||||
{
|
||||
/** @var array */
|
||||
protected $pdoConfig;
|
||||
|
||||
public function load(array $configs, ContainerBuilder $container)
|
||||
{
|
||||
$configuration = new PdoConfiguration();
|
||||
$configuration = new SQLLoginConfiguration();
|
||||
$config = $this->processConfiguration($configuration, $configs);
|
||||
$this->pdoConfig = $config;
|
||||
}
|
||||
|
||||
public function process(ContainerBuilder $container)
|
||||
{
|
||||
$definition = $container->getDefinition(PdoRequest::class);
|
||||
$definition = $container->getDefinition(SQLLoginRequest::class);
|
||||
$definition->replaceArgument('$config', $this->pdoConfig);
|
||||
}
|
||||
}
|
|
@ -6,8 +6,7 @@ use Symfony\Component\Security\Core\User\UserInterface;
|
|||
|
||||
class User implements UserInterface
|
||||
{
|
||||
/** @var array */
|
||||
protected $attributes;
|
||||
protected array $attributes = [];
|
||||
private string $login;
|
||||
private string $password;
|
||||
private bool $rememberMe;
|
||||
|
|
|
@ -4,15 +4,16 @@ namespace App\EventListener;
|
|||
|
||||
use App\Hydra\HydraService;
|
||||
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
|
||||
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
|
||||
use Symfony\Component\Security\Http\Event\LogoutEvent;
|
||||
|
||||
class LogoutSubscriber implements EventSubscriberInterface
|
||||
{
|
||||
private HydraService $hydra;
|
||||
|
||||
public function __construct(
|
||||
private UrlGeneratorInterface $urlGenerator,
|
||||
private HydraService $hydra
|
||||
HydraService $hydra
|
||||
) {
|
||||
$this->hydra = $hydra;
|
||||
}
|
||||
|
||||
public static function getSubscribedEvents(): array
|
||||
|
|
|
@ -3,29 +3,23 @@
|
|||
namespace App\Hydra;
|
||||
|
||||
use App\Hydra\Exception\InvalidChallengeException;
|
||||
use App\Services\PdoService;
|
||||
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
||||
use Symfony\Component\HttpFoundation\Exception\BadRequestException;
|
||||
use Symfony\Component\HttpFoundation\RedirectResponse;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
use Symfony\Component\HttpFoundation\Session\SessionInterface;
|
||||
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
|
||||
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
|
||||
|
||||
class HydraService extends AbstractController
|
||||
{
|
||||
public SessionInterface $session;
|
||||
public UrlGeneratorInterface $router;
|
||||
public Client $client;
|
||||
public PdoService $pdoServices;
|
||||
public TokenStorageInterface $tokenStorage;
|
||||
|
||||
public function __construct(PdoService $pdoServices, Client $client, SessionInterface $session, UrlGeneratorInterface $router, TokenStorageInterface $tokenStorage)
|
||||
public function __construct(Client $client, SessionInterface $session, TokenStorageInterface $tokenStorage)
|
||||
{
|
||||
$this->pdoServices = $pdoServices;
|
||||
$this->session = $session;
|
||||
$this->client = $client;
|
||||
$this->router = $router;
|
||||
$this->tokenStorage = $tokenStorage;
|
||||
}
|
||||
|
||||
|
|
|
@ -2,7 +2,7 @@
|
|||
|
||||
namespace App;
|
||||
|
||||
use App\DependencyInjection\PdoExtension;
|
||||
use App\DependencyInjection\SQLLoginExtension;
|
||||
use Symfony\Bundle\FrameworkBundle\Kernel\MicroKernelTrait;
|
||||
use Symfony\Component\Config\Loader\LoaderInterface;
|
||||
use Symfony\Component\DependencyInjection\ContainerBuilder;
|
||||
|
@ -22,10 +22,10 @@ class Kernel extends BaseKernel
|
|||
$this->microKernelConfigureContainer($loader);
|
||||
|
||||
$loader->load(function (ContainerBuilder $container) use ($loader) {
|
||||
$envLanguage = \getenv('APP_LOCALES');
|
||||
$envLanguage = getenv('APP_LOCALES');
|
||||
$container->setParameter('app.supported_locales', explode(',', $envLanguage));
|
||||
$container->registerExtension(new PdoExtension());
|
||||
$loader->load($this->getConfigDir().'/pdo_configuration/*.{yml,yaml}', 'glob');
|
||||
$container->registerExtension(new SQLLoginExtension());
|
||||
$loader->load($this->getConfigDir().'/sql_login_configuration/*.{yml,yaml}', 'glob');
|
||||
});
|
||||
}
|
||||
}
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
<?php
|
||||
|
||||
namespace App\Pdo\Exception;
|
||||
|
||||
use Exception;
|
||||
|
||||
class InvalidLoginException extends Exception
|
||||
{
|
||||
}
|
|
@ -1,9 +0,0 @@
|
|||
<?php
|
||||
|
||||
namespace App\Pdo\Exception;
|
||||
|
||||
use Exception;
|
||||
|
||||
class InvalidPasswordException extends Exception
|
||||
{
|
||||
}
|
|
@ -1,66 +0,0 @@
|
|||
<?php
|
||||
|
||||
namespace App\Pdo;
|
||||
|
||||
class PdoRequest
|
||||
{
|
||||
public const DATA_TO_FETCH = 'data_to_fetch';
|
||||
public const COLUMN_LOGIN_NAME = 'column_login_name';
|
||||
public const COLUMN_PASSWORD_NAME = 'column_password_name';
|
||||
public const TABLE_NAME = 'table_name';
|
||||
|
||||
protected array $config;
|
||||
protected string $dsn;
|
||||
protected string $user;
|
||||
protected string $password;
|
||||
|
||||
public function __construct(array $config = [], string $dsn, string $user, string $password)
|
||||
{
|
||||
$this->config = $config;
|
||||
$this->dsn = $dsn;
|
||||
$this->user = $user;
|
||||
$this->password = $password;
|
||||
}
|
||||
|
||||
public function getDatabaseDsn()
|
||||
{
|
||||
return $this->dsn;
|
||||
}
|
||||
|
||||
public function getDbUser()
|
||||
{
|
||||
return $this->user;
|
||||
}
|
||||
|
||||
public function getDbPassword()
|
||||
{
|
||||
return $this->password;
|
||||
}
|
||||
|
||||
public function getNameLogin()
|
||||
{
|
||||
return $this->config[self::COLUMN_LOGIN_NAME];
|
||||
}
|
||||
|
||||
public function getNamePassword()
|
||||
{
|
||||
return $this->config[self::COLUMN_PASSWORD_NAME];
|
||||
}
|
||||
|
||||
public function getRequestScope()
|
||||
{
|
||||
$scope = '';
|
||||
foreach ($this->config[self::DATA_TO_FETCH] as $data) {
|
||||
$scope .= $data.',';
|
||||
}
|
||||
$scope = substr($scope, 0, -1);
|
||||
$request = 'SELECT '.$scope.' FROM '.$this->config[self::TABLE_NAME].' WHERE '.$this->config[self::COLUMN_LOGIN_NAME].' = :'.$this->config[self::COLUMN_LOGIN_NAME].';';
|
||||
|
||||
return $request;
|
||||
}
|
||||
|
||||
public function getRequestLogin()
|
||||
{
|
||||
return 'SELECT '.$this->config[self::COLUMN_PASSWORD_NAME].' FROM '.$this->config[self::TABLE_NAME].' WHERE '.$this->config[self::COLUMN_LOGIN_NAME].' = :'.$this->config[self::COLUMN_LOGIN_NAME].';';
|
||||
}
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
<?php
|
||||
|
||||
namespace App\SQLLogin\Exception;
|
||||
|
||||
use Exception;
|
||||
|
||||
class InvalidSQLLoginException extends Exception
|
||||
{
|
||||
}
|
|
@ -0,0 +1,9 @@
|
|||
<?php
|
||||
|
||||
namespace App\SQLLogin\Exception;
|
||||
|
||||
use Exception;
|
||||
|
||||
class InvalidSQLPasswordException extends Exception
|
||||
{
|
||||
}
|
|
@ -1,11 +1,11 @@
|
|||
<?php
|
||||
|
||||
namespace App\Pdo;
|
||||
namespace App\SQLLogin;
|
||||
|
||||
use PDO;
|
||||
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
||||
|
||||
class PdoConnect extends AbstractController
|
||||
class SQLLoginConnect extends AbstractController
|
||||
{
|
||||
/**
|
||||
* @var Singleton
|
||||
|
@ -35,7 +35,7 @@ class PdoConnect extends AbstractController
|
|||
public static function getInstance()
|
||||
{
|
||||
if (is_null(self::$_instance)) {
|
||||
self::$_instance = new PdoConnect();
|
||||
self::$_instance = new SQLLoginConnect();
|
||||
}
|
||||
|
||||
return self::$_instance;
|
|
@ -0,0 +1,77 @@
|
|||
<?php
|
||||
|
||||
namespace App\SQLLogin;
|
||||
|
||||
class SQLLoginRequest
|
||||
{
|
||||
public const DATA_TO_FETCH = 'data_to_fetch';
|
||||
public const LOGIN_COLUMN_NAME = 'login_column_name';
|
||||
public const SALT_COLUMN_NAME = 'salt_column_name';
|
||||
public const PASSWORD_COLUMN_NAME = 'password_column_name';
|
||||
public const TABLE_NAME = 'table_name';
|
||||
|
||||
protected array $config;
|
||||
protected string $dsn;
|
||||
protected string $user;
|
||||
protected string $password;
|
||||
|
||||
public function __construct(array $config = [], string $dsn, string $user, string $password)
|
||||
{
|
||||
$this->config = $config;
|
||||
$this->dsn = $dsn;
|
||||
$this->user = $user;
|
||||
$this->password = $password;
|
||||
}
|
||||
|
||||
public function getDatabaseDsn()
|
||||
{
|
||||
return $this->dsn;
|
||||
}
|
||||
|
||||
public function getDbUser()
|
||||
{
|
||||
return $this->user;
|
||||
}
|
||||
|
||||
public function getDbPassword()
|
||||
{
|
||||
return $this->password;
|
||||
}
|
||||
|
||||
public function getLoginColumnName()
|
||||
{
|
||||
return $this->config[self::LOGIN_COLUMN_NAME];
|
||||
}
|
||||
|
||||
public function egtPasswordColumnName()
|
||||
{
|
||||
return $this->config[self::PASSWORD_COLUMN_NAME];
|
||||
}
|
||||
|
||||
public function getSaltColumnName()
|
||||
{
|
||||
return $this->config[self::SALT_COLUMN_NAME];
|
||||
}
|
||||
|
||||
public function getRequestScope()
|
||||
{
|
||||
$scope = '';
|
||||
foreach ($this->config[self::DATA_TO_FETCH] as $data) {
|
||||
$scope .= $data.',';
|
||||
}
|
||||
$scope = substr($scope, 0, -1);
|
||||
$request = 'SELECT '.$scope.' FROM '.$this->config[self::TABLE_NAME].' WHERE '.$this->config[self::LOGIN_COLUMN_NAME].' = :'.$this->config[self::LOGIN_COLUMN_NAME].';';
|
||||
|
||||
return $request;
|
||||
}
|
||||
|
||||
public function getRequestPassword()
|
||||
{
|
||||
$passwordColumns = $this->config[self::PASSWORD_COLUMN_NAME];
|
||||
if (!empty($this->config[self::SALT_COLUMN_NAME])) {
|
||||
$passwordColumns .= ', '.$this->config[self::SALT_COLUMN_NAME];
|
||||
}
|
||||
|
||||
return 'SELECT '.$passwordColumns.' FROM '.$this->config[self::TABLE_NAME].' WHERE '.$this->config[self::LOGIN_COLUMN_NAME].' = :'.$this->config[self::LOGIN_COLUMN_NAME].';';
|
||||
}
|
||||
}
|
|
@ -0,0 +1,49 @@
|
|||
<?php
|
||||
|
||||
namespace App\Security\Hasher;
|
||||
|
||||
use App\SQLLogin\Exception\InvalidSQLPasswordException;
|
||||
use Symfony\Component\PasswordHasher\Exception\InvalidPasswordException;
|
||||
use Symfony\Component\PasswordHasher\Hasher\CheckPasswordLengthTrait;
|
||||
use Symfony\Component\PasswordHasher\LegacyPasswordHasherInterface;
|
||||
|
||||
class PasswordEncoder implements LegacyPasswordHasherInterface
|
||||
{
|
||||
use CheckPasswordLengthTrait;
|
||||
protected ?string $pepper;
|
||||
protected string $hashAlgo;
|
||||
|
||||
public function __construct(?string $pepper, string $hashAlgo)
|
||||
{
|
||||
$this->pepper = $pepper;
|
||||
$this->hashAlgo = $hashAlgo;
|
||||
}
|
||||
|
||||
public function hash(string $plainPassword, string $salt = null): string
|
||||
{
|
||||
if ($this->isPasswordTooLong($plainPassword)) {
|
||||
throw new InvalidPasswordException();
|
||||
}
|
||||
$hash = hash($this->hashAlgo, $plainPassword.$salt.$this->pepper);
|
||||
rmasson marked this conversation as resolved
Outdated
wpetit
commented
Je pense que ce code ne sera pas compatible avec les applications ayant choisies d'utiliser les algorithmes Normalement, en PHP on utilise les méthodes Autre chose: la méthode assume un certain format pour la concaténation des différents éléments à hacher ( Je pense que ce code ne sera pas compatible avec les applications ayant choisies d'utiliser les algorithmes `argon2id`, `scrypt` et `bcrypt` (qui sont d'ailleurs les recommandations OWASP [^1] aujourd'hui).
Normalement, en PHP on utilise les méthodes `password_hash()` [^2] et `password_verify()` [^3] pour utiliser ces algorithmes (et d'ailleurs le salt est directement stocké dans le hash final [^4]).
Autre chose: la méthode assume un certain format pour la concaténation des différents éléments à hacher (`$plainPassword.$salt.$this->pepper`). Il est fort peu probable que cette séquence soit toujours respectée dans toutes les applications. À mon avis il serait certainement préférable d'utiliser un patron (avec la méthode `strstr()` [^5] par exemple) pour permettre à l'utilisateur de spécifiquer le format de concaténation.
[^1]: https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html
[^2]: https://www.php.net/manual/en/function.password-hash.php
[^3]: https://www.php.net/manual/en/function.password-verify.php
[^4]: https://stackoverflow.com/questions/40993645/understanding-bcrypt-salt-as-used-by-php-password-hash
[^5]: https://www.php.net/manual/en/function.strtr.php
rmasson
commented
j'ai utilisé les fonction password_algos() et hash_algos() pour faire la différence entre les algos, pour utiliser hash() ou password_hash() Mais effectivement le pattern est pas pris en compte j'ai utilisé les fonction password_algos() et hash_algos() pour faire la différence entre les algos, pour utiliser hash() ou password_hash()
Mais effectivement le pattern est pas pris en compte
|
||||
|
||||
return $hash;
|
||||
}
|
||||
|
||||
public function verify(string $hashedPassword, string $plainPassword, string $salt = null): bool
|
||||
{
|
||||
if ('' === $plainPassword || $this->isPasswordTooLong($plainPassword)) {
|
||||
return false;
|
||||
}
|
||||
|
||||
if ($this->hash($plainPassword, $salt) === $hashedPassword) {
|
||||
wpetit
commented
Il ne faut pas utiliser l'opérateur Il serait mieux d'utiliser https://www.php.net/manual/en/function.hash-equals.php je pense dans ce cas. Il ne faut pas utiliser l'opérateur `===` pour faire des comparaisons de mots de passe (ça ouvre à des failles du type "Timing attack" [^1]).
Il serait mieux d'utiliser https://www.php.net/manual/en/function.hash-equals.php je pense dans ce cas.
[^1]: https://www.chosenplaintext.ca/articles/beginners-guide-constant-time-cryptography.html
|
||||
return true;
|
||||
} else {
|
||||
throw new InvalidSQLPasswordException();
|
||||
}
|
||||
}
|
||||
|
||||
public function needsRehash(string $hashedPassword): bool
|
||||
{
|
||||
return false;
|
||||
}
|
||||
}
|
|
@ -3,8 +3,9 @@
|
|||
namespace App\Security;
|
||||
|
||||
use App\Entity\User;
|
||||
use App\Pdo\Exception\InvalidPasswordException;
|
||||
use App\Services\PdoService;
|
||||
use App\Security\Hasher\PasswordEncoder;
|
||||
use App\Service\SQLLoginService;
|
||||
use App\SQLLogin\Exception\InvalidSQLPasswordException;
|
||||
use PDOException;
|
||||
use Symfony\Component\HttpFoundation\RedirectResponse;
|
||||
use Symfony\Component\HttpFoundation\Request;
|
||||
|
@ -19,7 +20,7 @@ use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
|
|||
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
|
||||
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
|
||||
|
||||
class PdoUserAuthenticator extends AbstractAuthenticator
|
||||
class SQLLoginUserAuthenticator extends AbstractAuthenticator
|
||||
{
|
||||
public const LOGIN_ROUTE = 'app_login';
|
||||
public const ERROR_LOGIN = 'error_login';
|
||||
|
@ -27,14 +28,16 @@ class PdoUserAuthenticator extends AbstractAuthenticator
|
|||
public const ERROR_PDO = 'error_pdo';
|
||||
|
||||
protected string $baseUrl;
|
||||
private PdoService $pdoService;
|
||||
private SQLLoginService $pdoService;
|
||||
wpetit
commented
Je pense que la variable n'a pas été renommée Je pense que la variable n'a pas été renommée `$pdoService` en accord avec le changement de nom du service.
|
||||
private UrlGeneratorInterface $router;
|
||||
private PasswordEncoder $passwordHasher;
|
||||
|
||||
public function __construct(string $baseUrl, PdoService $pdoService, UrlGeneratorInterface $router)
|
||||
public function __construct(string $baseUrl, SQLLoginService $pdoService, UrlGeneratorInterface $router, PasswordEncoder $passwordHasher)
|
||||
wpetit
commented
Idem, cf. commentaire précédent Idem, cf. [commentaire précédent](https://forge.cadoles.com/Cadoles/hydra-sql/pulls/3/files#issuecomment-55979)
|
||||
{
|
||||
$this->baseUrl = $baseUrl;
|
||||
$this->pdoService = $pdoService;
|
||||
wpetit
commented
Idem, cf. commentaire précédent Idem, cf. [commentaire précédent](https://forge.cadoles.com/Cadoles/hydra-sql/pulls/3/files#issuecomment-55979)
|
||||
$this->router = $router;
|
||||
$this->passwordHasher = $passwordHasher;
|
||||
}
|
||||
|
||||
/**
|
||||
|
@ -65,20 +68,22 @@ class PdoUserAuthenticator extends AbstractAuthenticator
|
|||
{
|
||||
$form = $request->request->get('login');
|
||||
$login = $form['login'];
|
||||
$password = $form['password'];
|
||||
$plaintextPassword = $form['password'];
|
||||
$rememberMe = isset($form['_remember_me']) ? true : false;
|
||||
try {
|
||||
// requête préparée
|
||||
$remoteHashedPassword = $this->pdoService->fetchPassword($login);
|
||||
list($remoteHashedPassword, $remoteSalt) = $this->pdoService->fetchPassword($login);
|
||||
} catch (PDOException $e) {
|
||||
$request->getSession()->set(self::ERROR_PDO, true);
|
||||
throw new AuthenticationException();
|
||||
}
|
||||
if ($remoteHashedPassword) {
|
||||
try {
|
||||
$this->pdoService->verifyPassword($password, $remoteHashedPassword);
|
||||
// Comparaison remote hash et hash du input password + salt
|
||||
$this->passwordHasher->verify($remoteHashedPassword, $plaintextPassword, $remoteSalt);
|
||||
$attributes = $this->pdoService->fetchDatas($login);
|
||||
$user = new User($login, $password, $attributes, $rememberMe);
|
||||
$user = new User($login, $remoteHashedPassword, $attributes, $rememberMe);
|
||||
|
||||
$loader = function (string $userIdentifier) use ($user) {
|
||||
return $user->getLogin() == $userIdentifier ? $user : null;
|
||||
};
|
||||
|
@ -89,7 +94,7 @@ class PdoUserAuthenticator extends AbstractAuthenticator
|
|||
$passport->setAttribute('attributes', $user->getAttributes());
|
||||
|
||||
return $passport;
|
||||
} catch (InvalidPasswordException $e) {
|
||||
} catch (InvalidSQLPasswordException $e) {
|
||||
$request->getSession()->set(self::ERROR_PASSWORD, true);
|
||||
throw new AuthenticationException();
|
||||
} catch (PDOException $e) {
|
|
@ -9,7 +9,7 @@ use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
|
|||
use Symfony\Component\Security\Core\User\UserInterface;
|
||||
use Symfony\Component\Security\Core\User\UserProviderInterface;
|
||||
|
||||
class PdoUserProvider implements UserProviderInterface
|
||||
class SQLLoginUserProvider implements UserProviderInterface
|
||||
{
|
||||
protected RequestStack $requestStack;
|
||||
|
|
@ -1,25 +1,23 @@
|
|||
<?php
|
||||
|
||||
namespace App\Services;
|
||||
namespace App\Service;
|
||||
|
||||
use App\SQLLogin\SQLLoginConnect;
|
||||
use App\SQLLogin\SQLLoginRequest;
|
||||
use PDO;
|
||||
use PDOException;
|
||||
use App\Pdo\PdoConnect;
|
||||
use App\Pdo\PdoRequest;
|
||||
use Sentry\captureException;
|
||||
use App\Pdo\Exception\InvalidPasswordException;
|
||||
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
||||
use Symfony\Component\DependencyInjection\ParameterBag\ParameterBagInterface;
|
||||
|
||||
class PdoService extends AbstractController
|
||||
class SQLLoginService extends AbstractController
|
||||
{
|
||||
private $params;
|
||||
public PdoRequest $pdoRequest;
|
||||
public SQLLoginRequest $sqlLoginRequest;
|
||||
|
||||
public function __construct(ParameterBagInterface $params, PdoRequest $pdoRequest)
|
||||
public function __construct(ParameterBagInterface $params, SQLLoginRequest $sqlLoginRequest)
|
||||
{
|
||||
$this->params = $params;
|
||||
$this->pdoRequest = $pdoRequest;
|
||||
$this->sqlLoginRequest = $sqlLoginRequest;
|
||||
}
|
||||
|
||||
public function fetchDatas($login)
|
||||
|
@ -28,11 +26,11 @@ class PdoService extends AbstractController
|
|||
$dbh = $this->getConnection();
|
||||
|
||||
// forge de la requête
|
||||
$request = $this->pdoRequest->getRequestScope();
|
||||
$request = $this->sqlLoginRequest->getRequestScope();
|
||||
|
||||
// Préparation de la requête
|
||||
$query = $dbh->prepare($request);
|
||||
$query->execute([$this->pdoRequest->getNameLogin() => $login]);
|
||||
$query->execute([$this->sqlLoginRequest->getLoginColumnName() => $login]);
|
||||
$datas = $query->fetch(PDO::FETCH_ASSOC);
|
||||
} catch (PDOException $e) {
|
||||
\Sentry\captureException($e);
|
||||
|
@ -52,9 +50,9 @@ class PdoService extends AbstractController
|
|||
{
|
||||
try {
|
||||
$dbh = $this->getConnection();
|
||||
$request = $this->pdoRequest->getRequestLogin();
|
||||
$request = $this->sqlLoginRequest->getRequestPassword();
|
||||
$query = $dbh->prepare($request);
|
||||
$query->execute([$this->pdoRequest->getNameLogin() => $login]);
|
||||
$query->execute([$this->sqlLoginRequest->getLoginColumnName() => $login]);
|
||||
$password = $query->fetch(PDO::FETCH_ASSOC);
|
||||
} catch (PDOException $e) {
|
||||
\Sentry\captureException($e);
|
||||
|
@ -62,7 +60,10 @@ class PdoService extends AbstractController
|
|||
throw new PDOException();
|
||||
}
|
||||
if ($password) {
|
||||
return $password[$this->pdoRequest->getNamePassword()];
|
||||
return [
|
||||
$password[$this->sqlLoginRequest->egtPasswordColumnName()],
|
||||
isset($password[$this->sqlLoginRequest->getSaltColumnName()]) ? $password[$this->sqlLoginRequest->getSaltColumnName()] : null,
|
||||
];
|
||||
}
|
||||
|
||||
return false;
|
||||
|
@ -71,19 +72,8 @@ class PdoService extends AbstractController
|
|||
public function getConnection()
|
||||
{
|
||||
// Appel du singleton
|
||||
$pdo = PdoConnect::getInstance();
|
||||
$pdo = SQLLoginConnect::getInstance();
|
||||
wpetit
commented
Idem, cf. commentaire précédent Idem, cf. [commentaire précédent](https://forge.cadoles.com/Cadoles/hydra-sql/pulls/3/files#issuecomment-55979)
|
||||
// Connection bdd
|
||||
return $pdo->connect($this->pdoRequest->getDatabaseDsn(), $this->pdoRequest->getDbUser(), $this->pdoRequest->getDbPassword());
|
||||
}
|
||||
|
||||
public function verifyPassword($password, $hashedPassword)
|
||||
{
|
||||
$hashAlgo = $this->params->get('hashAlgo') ?? 'sha256';
|
||||
|
||||
if ($hashedPassword === hash($hashAlgo, $password)) {
|
||||
return true;
|
||||
} else {
|
||||
throw new InvalidPasswordException();
|
||||
}
|
||||
return $pdo->connect($this->sqlLoginRequest->getDatabaseDsn(), $this->sqlLoginRequest->getDbUser(), $this->sqlLoginRequest->getDbPassword());
|
||||
}
|
||||
}
|
|
@ -1 +1 @@
|
|||
123
|
||||
134
|
||||
wpetit
commented
Ce fichier doit il vraiment être commit dans le dépôt ? Attention avec les Ce fichier doit il vraiment être commit dans le dépôt ? Attention avec les `git add -A` :P
|
||||
|
|
Hmm, je pense que par défaut le pepper devrait être vide.