symfony/src/Symfony/Component/Security/Http/RememberMe/TokenBasedRememberMeServices.php

<?php

/*
 * This file is part of the Symfony package.
 *
 * (c) Fabien Potencier <fabien@symfony.com>
 *
 * For the full copyright and license information, please view the LICENSE
 * file that was distributed with this source code.
 */

namespace Symfony\Component\Security\Http\RememberMe;

use Symfony\Component\HttpFoundation\Cookie;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;

/**
 * Concrete implementation of the RememberMeServicesInterface providing
 * remember-me capabilities without requiring a TokenProvider.
 *
 * @author Johannes M. Schmitt <schmittjoh@gmail.com>
 */
class TokenBasedRememberMeServices extends AbstractRememberMeServices
{
    /**
     * {@inheritDoc}
     */
    protected function processAutoLoginCookie(array $cookieParts, Request $request)
    {
        if (count($cookieParts) !== 4) {
            throw new AuthenticationException('The cookie is invalid.');
        }

        list($class, $username, $expires, $hash) = $cookieParts;
        if (false === $username = base64_decode($username, true)) {
            throw new AuthenticationException('$username contains a character from outside the base64 alphabet.');
        }
        try {
            $user = $this->getUserProvider($class)->loadUserByUsername($username);
        } catch (\Exception $ex) {
            if (!$ex instanceof AuthenticationException) {
                $ex = new AuthenticationException($ex->getMessage(), $ex->getCode(), $ex);
            }

            throw $ex;
        }

        if (!$user instanceof UserInterface) {
            throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user)));
        }

        if (true !== $this->compareHashes($hash, $this->generateCookieHash($class, $username, $expires, $user->getPassword()))) {
            throw new AuthenticationException('The cookie\'s hash is invalid.');
        }

        if ($expires < time()) {
            throw new AuthenticationException('The cookie has expired.');
        }

        return $user;
    }

    /**
     * Compares two hashes using a constant-time algorithm to avoid (remote)
     * timing attacks.
     *
     * This is the same implementation as used in the BasePasswordEncoder.
     *
     * @param string $hash1 The first hash
     * @param string $hash2 The second hash
     *
     * @return Boolean true if the two hashes are the same, false otherwise
     */
    private function compareHashes($hash1, $hash2)
    {
        if (strlen($hash1) !== $c = strlen($hash2)) {
            return false;
        }

        $result = 0;
        for ($i = 0; $i < $c; $i++) {
            $result |= ord($hash1[$i]) ^ ord($hash2[$i]);
        }

        return 0 === $result;
    }

    /**
     * {@inheritDoc}
     */
    protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
    {
        $user = $token->getUser();
        $expires = time() + $this->options['lifetime'];
        $value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword());

        $response->headers->setCookie(
            new Cookie(
                $this->options['name'],
                $value,
                $expires,
                $this->options['path'],
                $this->options['domain'],
                $this->options['secure'],
                $this->options['httponly']
            )
        );
    }

    /**
     * Generates the cookie value.
     *
     * @param string  $class
     * @param string  $username The username
     * @param integer $expires  The Unix timestamp when the cookie expires
     * @param string  $password The encoded password
     *
     * @throws \RuntimeException if username contains invalid chars
     *
     * @return string
     */
    protected function generateCookieValue($class, $username, $expires, $password)
    {
        return $this->encodeCookie(array(
            $class,
            base64_encode($username),
            $expires,
            $this->generateCookieHash($class, $username, $expires, $password)
        ));
    }

    /**
     * Generates a hash for the cookie to ensure it is not being tempered with
     *
     * @param string  $class
     * @param string  $username The username
     * @param integer $expires  The Unix timestamp when the cookie expires
     * @param string  $password The encoded password
     *
     * @throws \RuntimeException when the private key is empty
     *
     * @return string
     */
    protected function generateCookieHash($class, $username, $expires, $password)
    {
        return hash_hmac('sha256', $class.$username.$expires.$password, $this->getKey());
    }
}
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`<?php`

			`/*`
			`* This file is part of the Symfony package.`
			`*`
replaced symfony-project.org by symfony.com 2011-03-06 11:40:06 +00:00			`* (c) Fabien Potencier <fabien@symfony.com>`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`*`
			`* For the full copyright and license information, please view the LICENSE`
			`* file that was distributed with this source code.`
			`*/`

fixed CS (missing or misplaced license blocks) 2012-04-02 04:52:14 +01:00			`namespace Symfony\Component\Security\Http\RememberMe;`

			`use Symfony\Component\HttpFoundation\Cookie;`
			`use Symfony\Component\HttpFoundation\Request;`
			`use Symfony\Component\HttpFoundation\Response;`
			`use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;`
			`use Symfony\Component\Security\Core\Exception\AuthenticationException;`
			`use Symfony\Component\Security\Core\User\UserInterface;`

[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`/**`
			`* Concrete implementation of the RememberMeServicesInterface providing`
			`* remember-me capabilities without requiring a TokenProvider.`
			`*`
			`* @author Johannes M. Schmitt <schmittjoh@gmail.com>`
			`*/`
[Security] refactored remember-me code 2011-03-10 20:27:42 +00:00			`class TokenBasedRememberMeServices extends AbstractRememberMeServices`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`{`
			`/**`
			`* {@inheritDoc}`
			`*/`
			`protected function processAutoLoginCookie(array $cookieParts, Request $request)`
			`{`
			`if (count($cookieParts) !== 4) {`
			`throw new AuthenticationException('The cookie is invalid.');`
			`}`

			`list($class, $username, $expires, $hash) = $cookieParts;`
			`if (false === $username = base64_decode($username, true)) {`
			`throw new AuthenticationException('$username contains a character from outside the base64 alphabet.');`
			`}`
			`try {`
			`$user = $this->getUserProvider($class)->loadUserByUsername($username);`
			`} catch (\Exception $ex) {`
			`if (!$ex instanceof AuthenticationException) {`
[Security] Fix AuthenticationException constructor calls 2012-07-15 14:26:13 +01:00			`$ex = new AuthenticationException($ex->getMessage(), $ex->getCode(), $ex);`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`}`

			`throw $ex;`
			`}`

[Security] various changes, see below - visibility changes from protected to private - AccountInterface -> UserInterface - SecurityContext::vote() -> SecurityContext::isGranted() 2011-03-07 17:17:46 +00:00			`if (!$user instanceof UserInterface) {`
			`throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_class($user)));`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`}`

			`if (true !== $this->compareHashes($hash, $this->generateCookieHash($class, $username, $expires, $user->getPassword()))) {`
			`throw new AuthenticationException('The cookie\'s hash is invalid.');`
			`}`

			`if ($expires < time()) {`
			`throw new AuthenticationException('The cookie has expired.');`
			`}`

[Security] refactored remember-me code 2011-03-10 20:27:42 +00:00			`return $user;`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`}`

			`/**`
			`* Compares two hashes using a constant-time algorithm to avoid (remote)`
			`* timing attacks.`
			`*`
			`* This is the same implementation as used in the BasePasswordEncoder.`
			`*`
			`* @param string $hash1 The first hash`
			`* @param string $hash2 The second hash`
			`*`
			`* @return Boolean true if the two hashes are the same, false otherwise`
			`*/`
[Security] various changes, see below - visibility changes from protected to private - AccountInterface -> UserInterface - SecurityContext::vote() -> SecurityContext::isGranted() 2011-03-07 17:17:46 +00:00			`private function compareHashes($hash1, $hash2)`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`{`
			`if (strlen($hash1) !== $c = strlen($hash2)) {`
			`return false;`
			`}`

			`$result = 0;`
			`for ($i = 0; $i < $c; $i++) {`
			`$result \|= ord($hash1[$i]) ^ ord($hash2[$i]);`
			`}`

			`return 0 === $result;`
			`}`

			`/**`
			`* {@inheritDoc}`
			`*/`
			`protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)`
			`{`
			`$user = $token->getUser();`
			`$expires = time() + $this->options['lifetime'];`
			`$value = $this->generateCookieValue(get_class($user), $user->getUsername(), $expires, $user->getPassword());`

			`$response->headers->setCookie(`
			`new Cookie(`
			`$this->options['name'],`
			`$value,`
			`$expires,`
			`$this->options['path'],`
			`$this->options['domain'],`
			`$this->options['secure'],`
			`$this->options['httponly']`
			`)`
			`);`
			`}`

			`/**`
[Security] Fixed Typo 2011-03-01 17:55:12 +00:00			`* Generates the cookie value.`
			`*`
			`* @param string $class`
			`* @param string $username The username`
fixed various typos 2013-12-27 15:08:19 +00:00			`* @param integer $expires The Unix timestamp when the cookie expires`
[Security] Fixed Typo 2011-03-01 17:55:12 +00:00			`* @param string $password The encoded password`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`*`
			`* @throws \RuntimeException if username contains invalid chars`
[Security] Fixed Typo 2011-03-01 17:55:12 +00:00			`*`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`* @return string`
			`*/`
			`protected function generateCookieValue($class, $username, $expires, $password)`
			`{`
			`return $this->encodeCookie(array(`
			`$class,`
			`base64_encode($username),`
			`$expires,`
			`$this->generateCookieHash($class, $username, $expires, $password)`
			`));`
			`}`

			`/**`
			`* Generates a hash for the cookie to ensure it is not being tempered with`
			`*`
fixed CS 2012-05-18 18:41:48 +01:00			`* @param string $class`
fixed phpdoc @param alignment 2012-05-15 21:19:31 +01:00			`* @param string $username The username`
fixed various typos 2013-12-27 15:08:19 +00:00			`* @param integer $expires The Unix timestamp when the cookie expires`
fixed phpdoc @param alignment 2012-05-15 21:19:31 +01:00			`* @param string $password The encoded password`
[DoctrineBridge] fixed some CS 2011-12-13 07:50:54 +00:00			`*`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`* @throws \RuntimeException when the private key is empty`
[DoctrineBridge] fixed some CS 2011-12-13 07:50:54 +00:00			`*`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`* @return string`
			`*/`
			`protected function generateCookieHash($class, $username, $expires, $password)`
			`{`
Use HMAC construction for remember me cookie hashes 2013-06-04 16:50:20 +01:00			`return hash_hmac('sha256', $class.$username.$expires.$password, $this->getKey());`
[Security] many improvements, and fixes 2011-01-25 19:28:26 +00:00			`}`
			`}`