vendor/scheb/2fa-bundle/Security/TwoFactor/Provider/TwoFactorProviderPreparationListener.php line 106

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Scheb\TwoFactorBundle\Security\TwoFactor\Provider;
  7. use Psr\Log\LoggerInterface;
  8. use Psr\Log\NullLogger;
  9. use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
  10. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvent;
  11. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvents;
  12. use Scheb\TwoFactorBundle\Security\TwoFactor\Provider\Exception\UnexpectedTokenException;
  13. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  14. use Symfony\Component\HttpKernel\Event\KernelEvent;
  15. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  16. use Symfony\Component\HttpKernel\KernelEvents;
  17. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  18. use Symfony\Component\Security\Core\AuthenticationEvents;
  19. use Symfony\Component\Security\Core\Event\AuthenticationEvent;
  21. /**
  22. * @final
  23. */
  24. class TwoFactorProviderPreparationListener implements EventSubscriberInterface
  25. {
  26. // This must trigger very first, followed by AuthenticationSuccessEventSuppressor
  27. public const AUTHENTICATION_SUCCESS_LISTENER_PRIORITY = PHP_INT_MAX;
  29. // Execute right before ContextListener, which is serializing the security token into the session
  30. public const RESPONSE_LISTENER_PRIORITY = 1;
  32. /** @deprecated */
  33. public const LISTENER_PRIORITY = self::AUTHENTICATION_SUCCESS_LISTENER_PRIORITY;
  35. /**
  36. * @var TwoFactorProviderRegistry
  37. */
  38. private $providerRegistry;
  40. /**
  41. * @var PreparationRecorderInterface
  42. */
  43. private $preparationRecorder;
  45. /**
  46. * @var TwoFactorTokenInterface|null
  47. */
  48. private $twoFactorToken;
  50. /**
  51. * @var LoggerInterface
  52. */
  53. private $logger;
  55. /**
  56. * @var string
  57. */
  58. private $firewallName;
  60. /**
  61. * @var bool
  62. */
  63. private $prepareOnLogin;
  65. /**
  66. * @var bool
  67. */
  68. private $prepareOnAccessDenied;
  70. public function __construct(
  71. TwoFactorProviderRegistry $providerRegistry,
  72. PreparationRecorderInterface $preparationRecorder,
  73. ?LoggerInterface $logger,
  74. string $firewallName,
  75. bool $prepareOnLogin,
  76. bool $prepareOnAccessDenied
  77. ) {
  78. $this->providerRegistry = $providerRegistry;
  79. $this->preparationRecorder = $preparationRecorder;
  80. $this->logger = $logger ?? new NullLogger();
  81. $this->firewallName = $firewallName;
  82. $this->prepareOnLogin = $prepareOnLogin;
  83. $this->prepareOnAccessDenied = $prepareOnAccessDenied;
  84. }
  86. public function onLogin(AuthenticationEvent $event): void
  87. {
  88. $token = $event->getAuthenticationToken();
  89. if ($this->prepareOnLogin && $this->supports($token)) {
  90. /** @var TwoFactorTokenInterface $token */
  91. // After login, when the token is a TwoFactorTokenInterface, execute preparation
  92. $this->twoFactorToken = $token;
  93. }
  94. }
  96. public function onAccessDenied(TwoFactorAuthenticationEvent $event): void
  97. {
  98. $token = $event->getToken();
  99. if ($this->prepareOnAccessDenied && $this->supports($token)) {
  100. /** @var TwoFactorTokenInterface $token */
  101. // Whenever two-factor authentication is required, execute preparation
  102. $this->twoFactorToken = $token;
  103. }
  104. }
  106. public function onTwoFactorForm(TwoFactorAuthenticationEvent $event): void
  107. {
  108. $token = $event->getToken();
  109. if ($this->supports($token)) {
  110. /** @var TwoFactorTokenInterface $token */
  111. // Whenever two-factor authentication form is shown, execute preparation
  112. $this->twoFactorToken = $token;
  113. }
  114. }
  116. public function onKernelResponse(ResponseEvent $event): void
  117. {
  118. // Compatibility for Symfony >= 5.3
  119. if (method_exists(KernelEvent::class, 'isMainRequest')) {
  120. if (!$event->isMainRequest()) {
  121. return;
  122. }
  123. } else {
  124. if (!$event->isMasterRequest()) {
  125. return;
  126. }
  127. }
  129. // Unset the token from context. This is important for environments where this instance of the class is reused
  130. // for multiple requests, such as PHP PM.
  131. $twoFactorToken = $this->twoFactorToken;
  132. $this->twoFactorToken = null;
  134. if (!($twoFactorToken instanceof TwoFactorTokenInterface)) {
  135. return;
  136. }
  138. $providerName = $twoFactorToken->getCurrentTwoFactorProvider();
  139. if (null === $providerName) {
  140. return;
  141. }
  143. $firewallName = $twoFactorToken->getProviderKey(true);
  145. try {
  146. if ($this->preparationRecorder->isTwoFactorProviderPrepared($firewallName, $providerName)) {
  147. $this->logger->info(sprintf('Two-factor provider "%s" was already prepared.', $providerName));
  149. return;
  150. }
  152. $user = $twoFactorToken->getUser();
  153. $this->providerRegistry->getProvider($providerName)->prepareAuthentication($user);
  154. $this->preparationRecorder->setTwoFactorProviderPrepared($firewallName, $providerName);
  155. $this->logger->info(sprintf('Two-factor provider "%s" prepared.', $providerName));
  156. } catch (UnexpectedTokenException $e) {
  157. $this->logger->info(sprintf('Two-factor provider "%s" was not prepared, security token was change within the request.', $providerName));
  158. }
  159. }
  161. private function supports(TokenInterface $token): bool
  162. {
  163. return $token instanceof TwoFactorTokenInterface && $token->getProviderKey(true) === $this->firewallName;
  164. }
  166. public static function getSubscribedEvents()
  167. {
  168. return [
  169. AuthenticationEvents::AUTHENTICATION_SUCCESS => ['onLogin', self::AUTHENTICATION_SUCCESS_LISTENER_PRIORITY],
  170. TwoFactorAuthenticationEvents::REQUIRE => 'onAccessDenied',
  171. TwoFactorAuthenticationEvents::FORM => 'onTwoFactorForm',
  172. KernelEvents::RESPONSE => ['onKernelResponse', self::RESPONSE_LISTENER_PRIORITY],
  173. ];
  174. }
  175. }