. // }}} namespace App\Security; use function App\Core\I18n\_m; use App\Core\Router\Router; use App\Entity\LocalUser; use App\Entity\User; use App\Util\Exception\NoSuchActorException; use App\Util\Nickname; use Exception; use Stringable; use Symfony\Component\HttpFoundation\RedirectResponse; use Symfony\Component\HttpFoundation\Request; use Symfony\Component\Routing\Generator\UrlGeneratorInterface; use Symfony\Component\Security\Core\Authentication\Token\TokenInterface; use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException; use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException; use Symfony\Component\Security\Core\Security; use Symfony\Component\Security\Core\User\UserInterface; use Symfony\Component\Security\Core\User\UserProviderInterface; use Symfony\Component\Security\Csrf\CsrfToken; use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface; use Symfony\Component\Security\Guard\Authenticator\AbstractFormLoginAuthenticator; use Symfony\Component\Security\Http\Util\TargetPathTrait; /** * User authenticator * * @category Authentication * @package GNUsocial * * @author Hugo Sales * @copyright 2020-2021 Free Software Foundation, Inc http://www.fsf.org * @license https://www.gnu.org/licenses/agpl.html GNU AGPL v3 or later */ class Authenticator extends AbstractFormLoginAuthenticator { use TargetPathTrait; public const LOGIN_ROUTE = 'security_login'; private $urlGenerator; private $csrfTokenManager; public function __construct(UrlGeneratorInterface $urlGenerator, CsrfTokenManagerInterface $csrfTokenManager) { $this->urlGenerator = $urlGenerator; $this->csrfTokenManager = $csrfTokenManager; } public function supports(Request $request) { return self::LOGIN_ROUTE === $request->attributes->get('_route') && $request->isMethod('POST'); } public function getCredentials(Request $request) { return [ 'nickname_or_email' => $request->request->get('nickname_or_email'), 'password' => $request->request->get('password'), 'csrf_token' => $request->request->get('_csrf_token'), ]; } /** * Get a user given credentials and a CSRF token */ public function getUser($credentials, UserProviderInterface $userProvider) { $token = new CsrfToken('authenticate', $credentials['csrf_token']); if (!$this->csrfTokenManager->isTokenValid($token)) { throw new InvalidCsrfTokenException(); } try { if (filter_var($credentials['nickname_or_email'], \FILTER_VALIDATE_EMAIL) !== false) { $user = LocalUser::getByEmail($credentials['nickname_or_email']); } else { $user = LocalUser::getByNickname(Nickname::normalize($credentials['nickname_or_email'], check_already_used: false, which: Nickname::CHECK_LOCAL_USER, check_is_allowed: false)); } if ($user === null) { throw new NoSuchActorException('No such local user.'); } $credentials['nickname'] = $user->getNickname(); } catch (Exception) { throw new CustomUserMessageAuthenticationException( _m('Invalid login credentials.'), ); } return $user; } /** * @param LocalUser $user */ public function checkCredentials($credentials, $user) { if (!$user->checkPassword($credentials['password'])) { throw new CustomUserMessageAuthenticationException(_m('Invalid login credentials.')); } else { return true; } } /** * After a successful login, redirect user to the path saved in their session or to the root of the website */ public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { $nickname = $token->getUser(); if ($nickname instanceof Stringable) { $nickname = (string) $nickname; } elseif ($nickname instanceof UserInterface) { $nickname = $nickname->getUsername(); } $request->getSession()->set( Security::LAST_USERNAME, $nickname, ); if ($targetPath = $this->getTargetPath($request->getSession(), $providerKey)) { return new RedirectResponse($targetPath); } return new RedirectResponse(Router::url('/')); } protected function getLoginUrl() { return Router::url(self::LOGIN_ROUTE); } }