vendor/hwi/oauth-bundle/src/Security/Http/Authenticator/OAuthAuthenticator.php line 42

  1. <?php
  3. /*
  4.  * This file is part of the HWIOAuthBundle package.
  5.  *
  6.  * (c) Hardware Info <opensource@hardware.info>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace HWI\Bundle\OAuthBundle\Security\Http\Authenticator;
  14. use HWI\Bundle\OAuthBundle\OAuth\ResourceOwnerInterface;
  15. use HWI\Bundle\OAuthBundle\OAuth\State\State;
  16. use HWI\Bundle\OAuthBundle\Security\Core\Authentication\Token\OAuthToken;
  17. use HWI\Bundle\OAuthBundle\Security\Core\Exception\OAuthAwareExceptionInterface;
  18. use HWI\Bundle\OAuthBundle\Security\Core\User\OAuthAwareUserProviderInterface;
  19. use HWI\Bundle\OAuthBundle\Security\Http\Authenticator\Passport\SelfValidatedOAuthPassport;
  20. use HWI\Bundle\OAuthBundle\Security\Http\ResourceOwnerMapInterface;
  21. use Symfony\Component\HttpFoundation\RedirectResponse;
  22. use Symfony\Component\HttpFoundation\Request;
  23. use Symfony\Component\HttpFoundation\Response;
  24. use Symfony\Component\HttpKernel\HttpKernelInterface;
  25. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  26. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  27. use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
  28. use Symfony\Component\Security\Core\Exception\LazyResponseException;
  29. use Symfony\Component\Security\Core\User\UserInterface;
  30. use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
  31. use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
  32. use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
  33. use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
  34. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
  35. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  36. use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
  37. use Symfony\Component\Security\Http\HttpUtils;
  39. /**
  40.  * @author Vadim Borodavko <vadim.borodavko@gmail.com>
  41.  */
  42. final class OAuthAuthenticator implements AuthenticatorInterfaceAuthenticationEntryPointInterfaceInteractiveAuthenticatorInterface
  43. {
  44.     private HttpUtils $httpUtils;
  45.     private OAuthAwareUserProviderInterface $userProvider;
  46.     private ResourceOwnerMapInterface $resourceOwnerMap;
  47.     private AuthenticationSuccessHandlerInterface $successHandler;
  48.     private AuthenticationFailureHandlerInterface $failureHandler;
  49.     private HttpKernelInterface $httpKernel;
  51.     /**
  52.      * @var string[]
  53.      */
  54.     private array $checkPaths;
  56.     private array $options;
  58.     public function __construct(
  59.         HttpUtils $httpUtils,
  60.         OAuthAwareUserProviderInterface $userProvider,
  61.         ResourceOwnerMapInterface $resourceOwnerMap,
  62.         array $checkPaths,
  63.         AuthenticationSuccessHandlerInterface $successHandler,
  64.         AuthenticationFailureHandlerInterface $failureHandler,
  65.         HttpKernelInterface $kernel,
  66.         array $options
  67.     ) {
  68.         $this->failureHandler $failureHandler;
  69.         $this->successHandler $successHandler;
  70.         $this->checkPaths $checkPaths;
  71.         $this->resourceOwnerMap $resourceOwnerMap;
  72.         $this->userProvider $userProvider;
  73.         $this->httpUtils $httpUtils;
  74.         $this->httpKernel $kernel;
  75.         $this->options $options;
  76.     }
  78.     public function supports(Request $request): bool
  79.     {
  80.         foreach ($this->checkPaths as $checkPath) {
  81.             if ($this->httpUtils->checkRequestPath($request$checkPath)) {
  82.                 return true;
  83.             }
  84.         }
  86.         return false;
  87.     }
  89.     public function start(Request $requestAuthenticationException $authException null): Response
  90.     {
  91.         if ($this->options['use_forward'] ?? false) {
  92.             $subRequest $this->httpUtils->createRequest($request$this->options['login_path']);
  94.             $iterator $request->query->getIterator();
  95.             $subRequest->query->add(iterator_to_array($iterator));
  97.             $response $this->httpKernel->handle($subRequestHttpKernelInterface::SUB_REQUEST);
  98.             if (200 === $response->getStatusCode()) {
  99.                 $response->headers->set('X-Status-Code''401');
  100.             }
  102.             return $response;
  103.         }
  105.         return new RedirectResponse($this->httpUtils->generateUri($request$this->options['login_path']));
  106.     }
  108.     /**
  109.      * @throws AuthenticationException
  110.      * @throws LazyResponseException
  111.      */
  112.     public function authenticate(Request $request): Passport
  113.     {
  114.         [$resourceOwner$checkPath] = $this->resourceOwnerMap->getResourceOwnerByRequest($request);
  116.         if (!$resourceOwner instanceof ResourceOwnerInterface) {
  117.             throw new AuthenticationException('No resource owner match the request.');
  118.         }
  120.         if (!$resourceOwner->handles($request)) {
  121.             throw new AuthenticationException('No oauth code in the request.');
  122.         }
  124.         // If resource owner supports only one url authentication, call redirect
  125.         if ($request->query->has('authenticated') && $resourceOwner->getOption('auth_with_one_url')) {
  126.             $request->attributes->set('service'$resourceOwner->getName());
  128.             throw new LazyResponseException(new RedirectResponse(sprintf('%s?code=%s&authenticated=true'$this->httpUtils->generateUri($request'hwi_oauth_connect_service'), $request->query->get('code'))));
  129.         }
  131.         $resourceOwner->isCsrfTokenValid(
  132.             $this->extractCsrfTokenFromState($request->get('state'))
  133.         );
  135.         $accessToken $resourceOwner->getAccessToken(
  136.             $request,
  137.             $this->httpUtils->createRequest($request$checkPath)->getUri()
  138.         );
  140.         $token = new OAuthToken($accessToken);
  141.         $token->setResourceOwnerName($resourceOwner->getName());
  143.         return new SelfValidatedOAuthPassport($this->refreshToken($token), [new RememberMeBadge()]);
  144.     }
  146.     /**
  147.      * This function can be used for refreshing an expired token
  148.      * or for custom "password grant" authenticator, if site owner also owns oauth instance.
  149.      *
  150.      * @template T of OAuthToken
  151.      *
  152.      * @param T $token
  153.      *
  154.      * @return T
  155.      */
  156.     public function refreshToken(OAuthToken $token): OAuthToken
  157.     {
  158.         $resourceOwner $this->resourceOwnerMap->getResourceOwnerByName($token->getResourceOwnerName());
  159.         if (!$resourceOwner) {
  160.             throw new AuthenticationServiceException('Unknown resource owner set on token: '.$token->getResourceOwnerName());
  161.         }
  163.         if ($token->isExpired()) {
  164.             $expiredToken $token;
  165.             if ($refreshToken $expiredToken->getRefreshToken()) {
  166.                 $tokenClass \get_class($expiredToken);
  167.                 $token = new $tokenClass($resourceOwner->refreshAccessToken($refreshToken));
  168.                 $token->setResourceOwnerName($expiredToken->getResourceOwnerName());
  169.                 if (!$token->getRefreshToken()) {
  170.                     $token->setRefreshToken($expiredToken->getRefreshToken());
  171.                 }
  172.                 $token->copyPersistentDataFrom($expiredToken);
  173.             } else {
  174.                 // if you cannot refresh token, you do not need to make user_info request to oauth-resource
  175.                 if (null !== $expiredToken->getUser()) {
  176.                     return $expiredToken;
  177.                 }
  178.             }
  179.             unset($expiredToken);
  180.         }
  182.         $userResponse $resourceOwner->getUserInformation($token->getRawToken());
  184.         try {
  185.             $user $this->userProvider->loadUserByOAuthUserResponse($userResponse);
  186.         } catch (OAuthAwareExceptionInterface $e) {
  187.             $e->setToken($token);
  188.             $e->setResourceOwnerName($token->getResourceOwnerName());
  190.             throw $e;
  191.         }
  193.         if (!$user instanceof UserInterface) {
  194.             throw new AuthenticationServiceException('loadUserByOAuthUserResponse() must return a UserInterface.');
  195.         }
  197.         return $this->recreateToken($token$user);
  198.     }
  200.     /**
  201.      * @template T of OAuthToken
  202.      *
  203.      * @param T              $token
  204.      * @param ?UserInterface $user
  205.      *
  206.      * @return T
  207.      */
  208.     public function recreateToken(OAuthToken $tokenUserInterface $user null): OAuthToken
  209.     {
  210.         $user $user instanceof UserInterface $user $token->getUser();
  212.         $tokenClass \get_class($token);
  213.         if ($user) {
  214.             $newToken = new $tokenClass(
  215.                 $token->getRawToken(),
  216.                 method_exists($user'getRoles') ? $user->getRoles() : []
  217.             );
  218.             $newToken->setUser($user);
  219.         } else {
  220.             $newToken = new $tokenClass($token->getRawToken());
  221.         }
  223.         $newToken->setResourceOwnerName($token->getResourceOwnerName());
  224.         $newToken->setRefreshToken($token->getRefreshToken());
  225.         $newToken->setCreatedAt($token->getCreatedAt());
  226.         $newToken->setTokenSecret($token->getTokenSecret());
  227.         $newToken->setAttributes($token->getAttributes());
  229.         // required for compatibility with Symfony 5.4
  230.         if (method_exists($newToken'setAuthenticated')) {
  231.             $newToken->setAuthenticated((bool) $userfalse);
  232.         }
  234.         $newToken->copyPersistentDataFrom($token);
  236.         return $newToken;
  237.     }
  239.     public function createToken(Passport $passportstring $firewallName): TokenInterface
  240.     {
  241.         return $this->createAuthenticatedToken($passport$firewallName);
  242.     }
  244.     /**
  245.      * @param Passport|SelfValidatedOAuthPassport $passport
  246.      */
  247.     public function createAuthenticatedToken($passportstring $firewallName): TokenInterface
  248.     {
  249.         if ($passport instanceof SelfValidatedOAuthPassport) {
  250.             return $passport->getToken();
  251.         }
  253.         throw new \LogicException(sprintf('The first argument of "%s" must be instance of "%s", "%s" provided.'__METHOD__SelfValidatedOAuthPassport::class, \get_class($passport)));
  254.     }
  256.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $firewallName): ?Response
  257.     {
  258.         return $this->successHandler->onAuthenticationSuccess($request$token);
  259.     }
  261.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): Response
  262.     {
  263.         return $this->failureHandler->onAuthenticationFailure($request$exception);
  264.     }
  266.     public function isInteractive(): bool
  267.     {
  268.         return true;
  269.     }
  271.     private function extractCsrfTokenFromState(?string $stateParameter): ?string
  272.     {
  273.         $state = new State($stateParameter);
  275.         return $state->getCsrfToken() ?: $stateParameter;
  276.     }
  277. }