src/Security/LoginFormAuthenticator.php line 31

  1. <?php
  3. declare(strict_types=1);
  5. namespace App\Security;
  7. use App\Enum\BaseRoleEnum;
  8. use App\Exception\UserImpersonateException;
  9. use App\Repository\UserRepository;
  10. use Gesdinet\JWTRefreshTokenBundle\Generator\RefreshTokenGeneratorInterface;
  11. use Gesdinet\JWTRefreshTokenBundle\Model\RefreshTokenManagerInterface;
  12. use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
  13. use Symfony\Component\HttpFoundation\Cookie;
  14. use Symfony\Component\HttpFoundation\RedirectResponse;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
  18. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  19. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  20. use Symfony\Component\Security\Core\Security;
  21. use Symfony\Component\Security\Core\User\UserInterface;
  22. use Symfony\Component\Security\Http\Authenticator\AbstractLoginFormAuthenticator;
  23. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
  24. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
  25. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  26. use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
  27. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  28. use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
  29. use Symfony\Component\Security\Http\Util\TargetPathTrait;
  31. final class LoginFormAuthenticator extends AbstractLoginFormAuthenticator
  32. {
  33.     use TargetPathTrait;
  35.     public const LOGIN_ROUTE 'login';
  37.     public function __construct(
  38.         private readonly UrlGeneratorInterface $urlGenerator,
  39.         private readonly UserRepository $userRepository,
  40.         private readonly UserPasswordHasherInterface $passwordHasher,
  41.         private readonly JWTTokenManagerInterface $JWTTokenManager,
  42.         private readonly RefreshTokenGeneratorInterface $refreshTokenGenerator,
  43.         private readonly RefreshTokenManagerInterface $refreshTokenManager
  44.     )
  45.     {
  46.     }
  48.     public function authenticate(Request $request): Passport
  49.     {
  50.         $email $request->request->get('email''');
  52.         $request->getSession()->set(Security::LAST_USERNAME$email);
  54.         if (str_contains($email'::')) {
  55.             if (null !== $selfValidationPassport $this->impersonateUser($request$email)) {
  56.                 return $selfValidationPassport;
  57.             }
  58.         }
  60.         return new Passport(
  61.             new UserBadge($email),
  62.             new PasswordCredentials($request->request->get('password','')),
  63.             [
  64.                 new CsrfTokenBadge('authenticate'$request->get('_csrf_token','')),
  65.                 new RememberMeBadge()
  66.             ]
  67.         );
  68.     }
  70.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $firewallName): ?Response
  71.     {
  72.         $route $this->urlGenerator->generate('index');
  74.         if ($targetPath $this->getTargetPath($request->getSession(), $firewallName)) {
  75.             $route $targetPath;
  76.         }
  78.         $response = new RedirectResponse($route);
  80.         if (null !== $authImpersonateToken $request->getSession()->get('auth-token-impersonate')) {
  81.             $authToken $authImpersonateToken;
  83.             $request->getSession()->remove('auth-token-impersonate');
  84.         } else {
  85.             $authToken $this->createAuthToken($token->getUser());
  86.         }
  88.         $response->headers->setCookie(new Cookie(
  89.                 'auth-token',
  90.                 $authToken,
  91.                 time() + (86400 30),
  92.                 '/',
  93.                 null,
  94.                 false,
  95.                 false
  96.             )
  97.         );
  99.         if (null !== $authImpersonateToken $request->getSession()->get('auth-refresh-token-impersonate')) {
  100.             $authRefreshToken $authImpersonateToken;
  102.             $request->getSession()->remove('auth-refresh-token-impersonate');
  103.         } else {
  104.             $authRefreshToken $this->createAuthRefreshToken($token->getUser());
  105.         }
  107.         $response->headers->setCookie(new Cookie(
  108.                 'auth-refresh-token',
  109.                 $authRefreshToken,
  110.                 time() + (86400 30),
  111.                 '/',
  112.                 null,
  113.                 false,
  114.                 false
  115.             )
  116.         );
  118.         return $response;
  119.     }
  121.     protected function getLoginUrl(Request $request): string
  122.     {
  123.         return $this->urlGenerator->generate(self::LOGIN_ROUTE);
  124.     }
  126.     private function impersonateUser(Request $requeststring $email): ?SelfValidatingPassport
  127.     {
  128.         $usernames explode('::'$email);
  130.         $adminUsername $usernames[0];
  132.         $admin $this->userRepository->findOneBy(['email' => $adminUsername]);
  134.         if (
  135.             null !== $admin
  136.             &&
  137.             BaseRoleEnum::ROLE_ADMIN === $admin->getRoles()[0]
  138.             &&
  139.             $this->passwordHasher->isPasswordValid(
  140.                 $admin,
  141.                 $request->request->get('password','')
  142.             )
  143.         ) {
  144.             try {
  145.                 $this->setAuthTokensInSession($request$usernames);
  147.                 return new SelfValidatingPassport(new UserBadge($usernames[1]));
  148.             } catch (UserImpersonateException) {
  149.                 return null;
  150.             }
  151.         }
  153.         return null;
  154.     }
  156.     /**
  157.      * @throws UserImpersonateException
  158.      */
  159.     private function setAuthTokensInSession(Request $request, array $usernames): void
  160.     {
  161.         $userToImpersonate $this->userRepository->findOneBy(['email' => $usernames[1]]);
  163.         if (null === $userToImpersonate) {
  164.             throw UserImpersonateException::forUserForImpersonatingDoesNotExist();
  165.         }
  167.         $request->getSession()->set('auth-token-impersonate'$this->createAuthToken($userToImpersonate));
  168.         $request->getSession()->set('auth-refresh-token-impersonate'$this->createAuthRefreshToken($userToImpersonate));
  169.     }
  171.     private function createAuthToken(UserInterface $user): string
  172.     {
  173.         return $this->JWTTokenManager->create($user);
  174.     }
  176.     private function createAuthRefreshToken(UserInterface $user): string
  177.     {
  178.         $refreshToken $this->refreshTokenGenerator->createForUserWithTtl($user86400 30);
  180.         $this->refreshTokenManager->save($refreshToken);
  182.         return $refreshToken->getRefreshToken();
  183.     }
  184. }