vendor/symfony/security-guard/Provider/GuardAuthenticationProvider.php line 32

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Guard\Provider;
  14. use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
  15. use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
  16. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  17. use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
  18. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  19. use Symfony\Component\Security\Core\Exception\AuthenticationExpiredException;
  20. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  21. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  22. use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
  23. use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
  24. use Symfony\Component\Security\Core\User\UserCheckerInterface;
  25. use Symfony\Component\Security\Core\User\UserInterface;
  26. use Symfony\Component\Security\Core\User\UserProviderInterface;
  27. use Symfony\Component\Security\Guard\AuthenticatorInterface;
  28. use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
  29. use Symfony\Component\Security\Guard\Token\GuardTokenInterface;
  30. use Symfony\Component\Security\Guard\Token\PreAuthenticationGuardToken;
  32. trigger_deprecation('symfony/security-guard', '5.3', 'The "%s" class is deprecated, use the new authenticator system instead.', GuardAuthenticationProvider::class);
  34. /**
  35. * Responsible for accepting the PreAuthenticationGuardToken and calling
  36. * the correct authenticator to retrieve the authenticated token.
  37. *
  38. * @author Ryan Weaver <ryan@knpuniversity.com>
  39. *
  40. * @deprecated since Symfony 5.3, use the new authenticator system instead
  41. */
  42. class GuardAuthenticationProvider implements AuthenticationProviderInterface
  43. {
  44. private $guardAuthenticators;
  45. private $userProvider;
  46. private $providerKey;
  47. private $userChecker;
  48. private $passwordHasher;
  50. /**
  51. * @param iterable<array-key, AuthenticatorInterface> $guardAuthenticators The authenticators, with keys that match what's passed to GuardAuthenticationListener
  52. * @param string $providerKey The provider (i.e. firewall) key
  53. * @param UserPasswordHasherInterface $passwordHasher
  54. */
  55. public function __construct(iterable $guardAuthenticators, UserProviderInterface $userProvider, string $providerKey, UserCheckerInterface $userChecker, $passwordHasher = null)
  56. {
  57. $this->guardAuthenticators = $guardAuthenticators;
  58. $this->userProvider = $userProvider;
  59. $this->providerKey = $providerKey;
  60. $this->userChecker = $userChecker;
  61. $this->passwordHasher = $passwordHasher;
  63. if ($passwordHasher instanceof UserPasswordEncoderInterface) {
  64. trigger_deprecation('symfony/security-core', '5.3', sprintf('Passing a "%s" instance to the "%s" constructor is deprecated, use "%s" instead.', UserPasswordEncoderInterface::class, __CLASS__, UserPasswordHasherInterface::class));
  65. }
  66. }
  68. /**
  69. * Finds the correct authenticator for the token and calls it.
  70. *
  71. * @param GuardTokenInterface $token
  72. *
  73. * @return TokenInterface
  74. */
  75. public function authenticate(TokenInterface $token)
  76. {
  77. if (!$token instanceof GuardTokenInterface) {
  78. throw new \InvalidArgumentException('GuardAuthenticationProvider only supports GuardTokenInterface.');
  79. }
  81. if (!$token instanceof PreAuthenticationGuardToken) {
  82. /*
  83. * The listener *only* passes PreAuthenticationGuardToken instances.
  84. * This means that an authenticated token (e.g. PostAuthenticationGuardToken)
  85. * is being passed here, which happens if that token becomes
  86. * "not authenticated" (e.g. happens if the user changes between
  87. * requests). In this case, the user should be logged out, so
  88. * we will return an AnonymousToken to accomplish that.
  89. */
  91. // this should never happen - but technically, the token is
  92. // authenticated... so it could just be returned
  93. if ($token->isAuthenticated(false)) {
  94. return $token;
  95. }
  97. // this causes the user to be logged out
  98. throw new AuthenticationExpiredException();
  99. }
  101. $guardAuthenticator = $this->findOriginatingAuthenticator($token);
  103. if (null === $guardAuthenticator) {
  104. throw new AuthenticationException(sprintf('Token with provider key "%s" did not originate from any of the guard authenticators of provider "%s".', $token->getGuardProviderKey(), $this->providerKey));
  105. }
  107. return $this->authenticateViaGuard($guardAuthenticator, $token);
  108. }
  110. private function authenticateViaGuard(AuthenticatorInterface $guardAuthenticator, PreAuthenticationGuardToken $token): GuardTokenInterface
  111. {
  112. // get the user from the GuardAuthenticator
  113. $user = $guardAuthenticator->getUser($token->getCredentials(), $this->userProvider);
  115. if (null === $user) {
  116. $e = new UserNotFoundException(sprintf('Null returned from "%s::getUser()".', get_debug_type($guardAuthenticator)));
  117. // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
  118. $e->setUserIdentifier(method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername());
  120. throw $e;
  121. }
  123. if (!$user instanceof UserInterface) {
  124. throw new \UnexpectedValueException(sprintf('The "%s::getUser()" method must return a UserInterface. You returned "%s".', get_debug_type($guardAuthenticator), get_debug_type($user)));
  125. }
  127. if ($guardAuthenticator instanceof PasswordAuthenticatedInterface && !$user instanceof PasswordAuthenticatedUserInterface) {
  128. trigger_deprecation('symfony/security-guard', '5.3', 'Not implementing the "%s" interface in class "%s" while using password-based guard authenticators is deprecated.', PasswordAuthenticatedUserInterface::class, get_debug_type($user));
  129. }
  131. $this->userChecker->checkPreAuth($user);
  132. if (true !== $checkCredentialsResult = $guardAuthenticator->checkCredentials($token->getCredentials(), $user)) {
  133. if (false !== $checkCredentialsResult) {
  134. throw new \TypeError(sprintf('"%s::checkCredentials()" must return a boolean value.', get_debug_type($guardAuthenticator)));
  135. }
  137. throw new BadCredentialsException(sprintf('Authentication failed because "%s::checkCredentials()" did not return true.', get_debug_type($guardAuthenticator)));
  138. }
  139. if ($this->userProvider instanceof PasswordUpgraderInterface && $guardAuthenticator instanceof PasswordAuthenticatedInterface && null !== $this->passwordHasher && (null !== $password = $guardAuthenticator->getPassword($token->getCredentials())) && $this->passwordHasher->needsRehash($user)) {
  140. if ($this->passwordHasher instanceof UserPasswordEncoderInterface) {
  141. // @deprecated since Symfony 5.3
  142. $this->userProvider->upgradePassword($user, $this->passwordHasher->encodePassword($user, $password));
  143. } else {
  144. $this->userProvider->upgradePassword($user, $this->passwordHasher->hashPassword($user, $password));
  145. }
  146. }
  147. $this->userChecker->checkPostAuth($user);
  149. // turn the UserInterface into a TokenInterface
  150. $authenticatedToken = $guardAuthenticator->createAuthenticatedToken($user, $this->providerKey);
  151. if (!$authenticatedToken instanceof TokenInterface) {
  152. throw new \UnexpectedValueException(sprintf('The "%s::createAuthenticatedToken()" method must return a TokenInterface. You returned "%s".', get_debug_type($guardAuthenticator), get_debug_type($authenticatedToken)));
  153. }
  155. return $authenticatedToken;
  156. }
  158. private function findOriginatingAuthenticator(PreAuthenticationGuardToken $token): ?AuthenticatorInterface
  159. {
  160. // find the *one* GuardAuthenticator that this token originated from
  161. foreach ($this->guardAuthenticators as $key => $guardAuthenticator) {
  162. // get a key that's unique to *this* guard authenticator
  163. // this MUST be the same as GuardAuthenticationListener
  164. $uniqueGuardKey = $this->providerKey.'_'.$key;
  166. if ($uniqueGuardKey === $token->getGuardProviderKey()) {
  167. return $guardAuthenticator;
  168. }
  169. }
  171. // no matching authenticator found - but there will be multiple GuardAuthenticationProvider
  172. // instances that will be checked if you have multiple firewalls.
  174. return null;
  175. }
  177. public function supports(TokenInterface $token)
  178. {
  179. if ($token instanceof PreAuthenticationGuardToken) {
  180. return null !== $this->findOriginatingAuthenticator($token);
  181. }
  183. return $token instanceof GuardTokenInterface;
  184. }
  185. }