-
Notifications
You must be signed in to change notification settings - Fork 7
Expand file tree
/
Copy pathAdminTokenAuthenticator.php
More file actions
109 lines (94 loc) · 3.55 KB
/
AdminTokenAuthenticator.php
File metadata and controls
109 lines (94 loc) · 3.55 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
<?php
declare(strict_types=1);
/**
* This source file is available under the terms of the
* Pimcore Open Core License (POCL)
* Full copyright and license information is available in
* LICENSE.md which is distributed with this source code.
*
* @copyright Copyright (c) Pimcore GmbH (https://www.pimcore.com)
* @license Pimcore Open Core License (POCL)
*/
namespace Pimcore\Bundle\StudioBackendBundle\Security\Authenticator;
use JsonException;
use Pimcore\Bundle\StudioBackendBundle\Authorization\Controller\TokenLoginController;
use Pimcore\Bundle\StudioBackendBundle\Exception\Api\AccessDeniedException;
use Pimcore\Bundle\StudioBackendBundle\Exception\Api\InvalidArgumentException;
use Pimcore\Security\User\User;
use Pimcore\Tool\Authentication;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
use function sprintf;
/**
* @internal
*/
class AdminTokenAuthenticator extends AbstractAuthenticator
{
/**
* @throws InvalidArgumentException
*/
public function supports(Request $request): ?bool
{
return ($request->attributes->get('_route') === TokenLoginController::ROUTE_NAME) &&
$this->getTokenFromRequest($request) !== null;
}
/**
* @throws AccessDeniedException|InvalidArgumentException
*/
public function authenticate(Request $request): Passport
{
$pimcoreUser = Authentication::authenticateToken(
$this->getTokenFromRequest($request),
);
if ($pimcoreUser === null) {
throw new AccessDeniedException('Failed to authenticate with the given token');
}
$pimcoreUser->setTwoFactorAuthentication('required', false);
$userBadge = new UserBadge($pimcoreUser->getUsername(), function () use ($pimcoreUser) {
return new User($pimcoreUser);
});
return new SelfValidatingPassport($userBadge);
}
/**
* @throws AccessDeniedException
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
{
throw new AccessDeniedException('Failed to authenticate with the given token');
}
/**
* @throws AccessDeniedException
*/
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
{
$securityUser = $token->getUser();
if (!$securityUser instanceof UserInterface) {
throw new AccessDeniedException(
sprintf(
'Invalid user object. User has to be instance of %s',
UserInterface::class
)
);
}
return null;
}
/**
* @throws InvalidArgumentException
*/
private function getTokenFromRequest(Request $request): ?string
{
try {
$data = json_decode($request->getContent(), true, 512, JSON_THROW_ON_ERROR);
} catch (JsonException) {
throw new InvalidArgumentException('Invalid data string provided');
}
return $data['token'] ?? null;
}
}