vendor/hwi/oauth-bundle/src/Security/Http/Authenticator/OAuthAuthenticator.php line 95

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the HWIOAuthBundle package.
  5.  *
  6.  * (c) Hardware Info <opensource@hardware.info>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace HWI\Bundle\OAuthBundle\Security\Http\Authenticator;
  14. use HWI\Bundle\OAuthBundle\OAuth\ResourceOwnerInterface;
  15. use HWI\Bundle\OAuthBundle\OAuth\State\State;
  16. use HWI\Bundle\OAuthBundle\Security\Core\Authentication\Token\OAuthToken;
  17. use HWI\Bundle\OAuthBundle\Security\Core\Exception\OAuthAwareExceptionInterface;
  18. use HWI\Bundle\OAuthBundle\Security\Core\User\OAuthAwareUserProviderInterface;
  19. use HWI\Bundle\OAuthBundle\Security\Http\Authenticator\Passport\Badge\OAuthTokenBadge;
  20. use HWI\Bundle\OAuthBundle\Security\Http\ResourceOwnerMapInterface;
  21. use Symfony\Component\HttpFoundation\RedirectResponse;
  22. use Symfony\Component\HttpFoundation\Request;
  23. use Symfony\Component\HttpFoundation\Response;
  24. use Symfony\Component\HttpKernel\HttpKernelInterface;
  25. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  26. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  27. use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
  28. use Symfony\Component\Security\Core\Exception\LazyResponseException;
  29. use Symfony\Component\Security\Core\User\UserInterface;
  30. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  31. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  32. use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
  33. use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
  34. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
  35. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  36. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  37. use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
  38. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  39. use Symfony\Component\Security\Http\HttpUtils;
  41. /**
  42.  * @author Vadim Borodavko <vadim.borodavko@gmail.com>
  43.  */
  44. final class OAuthAuthenticator implements AuthenticatorInterfaceAuthenticationEntryPointInterfaceInteractiveAuthenticatorInterface
  45. {
  46.     /**
  47.      * @param string[] $checkPaths
  48.      */
  49.     public function __construct(
  50.         private readonly HttpUtils $httpUtils,
  51.         private readonly OAuthAwareUserProviderInterface $userProvider,
  52.         private readonly ResourceOwnerMapInterface $resourceOwnerMap,
  53.         private readonly array $checkPaths,
  54.         private readonly AuthenticationSuccessHandlerInterface $successHandler,
  55.         private readonly AuthenticationFailureHandlerInterface $failureHandler,
  56.         private readonly HttpKernelInterface $kernel,
  57.         private readonly array $options
  58.     ) {
  59.     }
  61.     public function supports(Request $request): bool
  62.     {
  63.         foreach ($this->checkPaths as $checkPath) {
  64.             if ($this->httpUtils->checkRequestPath($request$checkPath)) {
  65.                 return true;
  66.             }
  67.         }
  69.         return false;
  70.     }
  72.     public function start(Request $request, ?AuthenticationException $authException null): Response
  73.     {
  74.         if ($this->options['use_forward'] ?? false) {
  75.             $subRequest $this->httpUtils->createRequest($request$this->options['login_path']);
  77.             $iterator $request->query->getIterator();
  78.             $subRequest->query->add(iterator_to_array($iterator));
  80.             $response $this->kernel->handle($subRequestHttpKernelInterface::SUB_REQUEST);
  81.             if (200 === $response->getStatusCode()) {
  82.                 $response->headers->set('X-Status-Code''401');
  83.             }
  85.             return $response;
  86.         }
  88.         return new RedirectResponse($this->httpUtils->generateUri($request$this->options['login_path']));
  89.     }
  91.     /**
  92.      * @throws AuthenticationException
  93.      * @throws LazyResponseException
  94.      */
  95.     public function authenticate(Request $request): Passport
  96.     {
  97.         [$resourceOwner$checkPath] = $this->resourceOwnerMap->getResourceOwnerByRequest($request);
  99.         if (!$resourceOwner instanceof ResourceOwnerInterface) {
  100.             throw new AuthenticationException('No resource owner match the request.');
  101.         }
  103.         if (!$resourceOwner->handles($request)) {
  104.             throw new AuthenticationException('No oauth code in the request.');
  105.         }
  107.         // If resource owner supports only one url authentication, call redirect
  108.         if ($request->query->has('authenticated') && $resourceOwner->getOption('auth_with_one_url')) {
  109.             $request->attributes->set('service'$resourceOwner->getName());
  111.             throw new LazyResponseException(new RedirectResponse(sprintf('%s?code=%s&authenticated=true'$this->httpUtils->generateUri($request'hwi_oauth_connect_service'), $request->query->get('code'))));
  112.         }
  114.         $resourceOwner->isCsrfTokenValid(
  115.             $this->extractCsrfTokenFromState($request->get('state'))
  116.         );
  118.         $accessToken $resourceOwner->getAccessToken(
  119.             $request,
  120.             $this->httpUtils->createRequest($request$checkPath)->getUri()
  121.         );
  123.         $token = new OAuthToken($accessToken);
  124.         $token->setResourceOwnerName($resourceOwner->getName());
  125.         $token $this->refreshToken($token);
  127.         $user $token->getUser();
  129.         $userBadge class_exists(UserBadge::class)
  130.             ? new UserBadge(
  131.                 $user method_exists($user'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername() : null,
  132.                 static function () use ($user) { return $user; }
  133.             )
  134.             : $user;
  136.         return new SelfValidatingPassport($userBadge, [new RememberMeBadge(), new OAuthTokenBadge($token)]);
  137.     }
  139.     /**
  140.      * This function can be used for refreshing an expired token
  141.      * or for custom "password grant" authenticator, if site owner also owns oauth instance.
  142.      *
  143.      * @template T of OAuthToken
  144.      *
  145.      * @param T $token
  146.      *
  147.      * @return T
  148.      */
  149.     public function refreshToken(OAuthToken $token): OAuthToken
  150.     {
  151.         if (!$token->isExpired() && null !== $token->getUser()) {
  152.             return $this->recreateToken($token$token->getUser());
  153.         }
  155.         $resourceOwner $this->resourceOwnerMap->getResourceOwnerByName($token->getResourceOwnerName());
  156.         if (!$resourceOwner) {
  157.             throw new AuthenticationServiceException('Unknown resource owner set on token: '.$token->getResourceOwnerName());
  158.         }
  160.         if ($token->isExpired()) {
  161.             $expiredToken $token;
  162.             if ($refreshToken $expiredToken->getRefreshToken()) {
  163.                 $tokenClass $expiredToken::class;
  164.                 $token = new $tokenClass($resourceOwner->refreshAccessToken($refreshToken));
  165.                 $token->setResourceOwnerName($expiredToken->getResourceOwnerName());
  166.                 if (!$token->getRefreshToken()) {
  167.                     $token->setRefreshToken($expiredToken->getRefreshToken());
  168.                 }
  169.                 $token->copyPersistentDataFrom($expiredToken);
  170.             } else {
  171.                 // if you cannot refresh token, you do not need to make user_info request to oauth-resource
  172.                 if (null !== $expiredToken->getUser()) {
  173.                     return $expiredToken;
  174.                 }
  175.             }
  176.             unset($expiredToken);
  177.         }
  179.         $userResponse $resourceOwner->getUserInformation($token->getRawToken());
  181.         try {
  182.             $user $this->userProvider->loadUserByOAuthUserResponse($userResponse);
  183.         } catch (OAuthAwareExceptionInterface $e) {
  184.             $e->setToken($token);
  185.             $e->setResourceOwnerName($token->getResourceOwnerName());
  187.             throw $e;
  188.         }
  190.         if (!$user instanceof UserInterface) {
  191.             throw new AuthenticationServiceException('loadUserByOAuthUserResponse() must return a UserInterface.');
  192.         }
  194.         return $this->recreateToken($token$user);
  195.     }
  197.     /**
  198.      * @template T of OAuthToken
  199.      *
  200.      * @param T              $token
  201.      * @param ?UserInterface $user
  202.      *
  203.      * @return T
  204.      */
  205.     public function recreateToken(OAuthToken $token, ?UserInterface $user null): OAuthToken
  206.     {
  207.         $user $user instanceof UserInterface $user $token->getUser();
  209.         $tokenClass $token::class;
  210.         if ($user) {
  211.             $newToken = new $tokenClass(
  212.                 $token->getRawToken(),
  213.                 method_exists($user'getRoles') ? $user->getRoles() : []
  214.             );
  215.             $newToken->setUser($user);
  216.         } else {
  217.             $newToken = new $tokenClass($token->getRawToken());
  218.         }
  220.         $newToken->setResourceOwnerName($token->getResourceOwnerName());
  221.         $newToken->setRefreshToken($token->getRefreshToken());
  222.         $newToken->setCreatedAt($token->getCreatedAt());
  223.         $newToken->setTokenSecret($token->getTokenSecret());
  224.         $newToken->setAttributes($token->getAttributes());
  226.         // required for compatibility with Symfony 5.4
  227.         if (method_exists($newToken'setAuthenticated')) {
  228.             $newToken->setAuthenticated((bool) $userfalse);
  229.         }
  231.         $newToken->copyPersistentDataFrom($token);
  233.         return $newToken;
  234.     }
  236.     public function createToken(Passport $passportstring $firewallName): TokenInterface
  237.     {
  238.         return $this->createAuthenticatedToken($passport$firewallName);
  239.     }
  241.     /**
  242.      * @param Passport $passport
  243.      */
  244.     public function createAuthenticatedToken($passportstring $firewallName): TokenInterface
  245.     {
  246.         $badge $passport->getBadge(OAuthTokenBadge::class);
  247.         if ($badge instanceof OAuthTokenBadge) {
  248.             return $badge->getToken();
  249.         }
  251.         throw new \LogicException(sprintf('Given passport must contain instance of "%s".'OAuthTokenBadge::class));
  252.     }
  254.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $firewallName): ?Response
  255.     {
  256.         return $this->successHandler->onAuthenticationSuccess($request$token);
  257.     }
  259.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): Response
  260.     {
  261.         return $this->failureHandler->onAuthenticationFailure($request$exception);
  262.     }
  264.     public function isInteractive(): bool
  265.     {
  266.         return true;
  267.     }
  269.     private function extractCsrfTokenFromState(?string $stateParameter): ?string
  270.     {
  271.         $state = new State($stateParameter);
  273.         return $state->getCsrfToken() ?: $stateParameter;
  274.     }
  275. }