vendor/symfony/security-guard/Provider/GuardAuthenticationProvider.php line 32

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Guard\Provider;
  14. use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
  15. use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
  16. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  17. use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
  18. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  19. use Symfony\Component\Security\Core\Exception\AuthenticationExpiredException;
  20. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  21. use Symfony\Component\Security\Core\Exception\UserNotFoundException;
  22. use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
  23. use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
  24. use Symfony\Component\Security\Core\User\UserCheckerInterface;
  25. use Symfony\Component\Security\Core\User\UserInterface;
  26. use Symfony\Component\Security\Core\User\UserProviderInterface;
  27. use Symfony\Component\Security\Guard\AuthenticatorInterface;
  28. use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
  29. use Symfony\Component\Security\Guard\Token\GuardTokenInterface;
  30. use Symfony\Component\Security\Guard\Token\PreAuthenticationGuardToken;
  32. trigger_deprecation('symfony/security-guard''5.3''The "%s" class is deprecated, use the new authenticator system instead.'GuardAuthenticationProvider::class);
  34. /**
  35.  * Responsible for accepting the PreAuthenticationGuardToken and calling
  36.  * the correct authenticator to retrieve the authenticated token.
  37.  *
  38.  * @author Ryan Weaver <ryan@knpuniversity.com>
  39.  *
  40.  * @deprecated since Symfony 5.3, use the new authenticator system instead
  41.  */
  42. class GuardAuthenticationProvider implements AuthenticationProviderInterface
  43. {
  44.     /**
  45.      * @var AuthenticatorInterface[]
  46.      */
  47.     private $guardAuthenticators;
  48.     private $userProvider;
  49.     private $providerKey;
  50.     private $userChecker;
  51.     private $passwordHasher;
  53.     /**
  54.      * @param iterable|AuthenticatorInterface[] $guardAuthenticators The authenticators, with keys that match what's passed to GuardAuthenticationListener
  55.      * @param string                            $providerKey         The provider (i.e. firewall) key
  56.      * @param UserPasswordHasherInterface       $passwordHasher
  57.      */
  58.     public function __construct(iterable $guardAuthenticatorsUserProviderInterface $userProviderstring $providerKeyUserCheckerInterface $userChecker$passwordHasher null)
  59.     {
  60.         $this->guardAuthenticators $guardAuthenticators;
  61.         $this->userProvider $userProvider;
  62.         $this->providerKey $providerKey;
  63.         $this->userChecker $userChecker;
  64.         $this->passwordHasher $passwordHasher;
  66.         if ($passwordHasher instanceof UserPasswordEncoderInterface) {
  67.             trigger_deprecation('symfony/security-core''5.3'sprintf('Passing a "%s" instance to the "%s" constructor is deprecated, use "%s" instead.'UserPasswordEncoderInterface::class, __CLASS__UserPasswordHasherInterface::class));
  68.         }
  69.     }
  71.     /**
  72.      * Finds the correct authenticator for the token and calls it.
  73.      *
  74.      * @param GuardTokenInterface $token
  75.      *
  76.      * @return TokenInterface
  77.      */
  78.     public function authenticate(TokenInterface $token)
  79.     {
  80.         if (!$token instanceof GuardTokenInterface) {
  81.             throw new \InvalidArgumentException('GuardAuthenticationProvider only supports GuardTokenInterface.');
  82.         }
  84.         if (!$token instanceof PreAuthenticationGuardToken) {
  85.             /*
  86.              * The listener *only* passes PreAuthenticationGuardToken instances.
  87.              * This means that an authenticated token (e.g. PostAuthenticationGuardToken)
  88.              * is being passed here, which happens if that token becomes
  89.              * "not authenticated" (e.g. happens if the user changes between
  90.              * requests). In this case, the user should be logged out, so
  91.              * we will return an AnonymousToken to accomplish that.
  92.              */
  94.             // this should never happen - but technically, the token is
  95.             // authenticated... so it could just be returned
  96.             if ($token->isAuthenticated()) {
  97.                 return $token;
  98.             }
  100.             // this causes the user to be logged out
  101.             throw new AuthenticationExpiredException();
  102.         }
  104.         $guardAuthenticator $this->findOriginatingAuthenticator($token);
  106.         if (null === $guardAuthenticator) {
  107.             throw new AuthenticationException(sprintf('Token with provider key "%s" did not originate from any of the guard authenticators of provider "%s".'$token->getGuardProviderKey(), $this->providerKey));
  108.         }
  110.         return $this->authenticateViaGuard($guardAuthenticator$token);
  111.     }
  113.     private function authenticateViaGuard(AuthenticatorInterface $guardAuthenticatorPreAuthenticationGuardToken $token): GuardTokenInterface
  114.     {
  115.         // get the user from the GuardAuthenticator
  116.         $user $guardAuthenticator->getUser($token->getCredentials(), $this->userProvider);
  118.         if (null === $user) {
  119.             $e = new UserNotFoundException(sprintf('Null returned from "%s::getUser()".'get_debug_type($guardAuthenticator)));
  120.             // @deprecated since Symfony 5.3, change to $token->getUserIdentifier() in 6.0
  121.             $e->setUserIdentifier(method_exists($token'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername());
  123.             throw $e;
  124.         }
  126.         if (!$user instanceof UserInterface) {
  127.             throw new \UnexpectedValueException(sprintf('The "%s::getUser()" method must return a UserInterface. You returned "%s".'get_debug_type($guardAuthenticator), get_debug_type($user)));
  128.         }
  130.         if ($guardAuthenticator instanceof PasswordAuthenticatedInterface && !$user instanceof PasswordAuthenticatedUserInterface) {
  131.             trigger_deprecation('symfony/security-guard''5.3''Not implementing the "%s" interface in class "%s" while using password-based guard authenticators is deprecated.'PasswordAuthenticatedUserInterface::class, get_debug_type($user));
  132.         }
  134.         $this->userChecker->checkPreAuth($user);
  135.         if (true !== $checkCredentialsResult $guardAuthenticator->checkCredentials($token->getCredentials(), $user)) {
  136.             if (false !== $checkCredentialsResult) {
  137.                 throw new \TypeError(sprintf('"%s::checkCredentials()" must return a boolean value.'get_debug_type($guardAuthenticator)));
  138.             }
  140.             throw new BadCredentialsException(sprintf('Authentication failed because "%s::checkCredentials()" did not return true.'get_debug_type($guardAuthenticator)));
  141.         }
  142.         if ($this->userProvider instanceof PasswordUpgraderInterface && $guardAuthenticator instanceof PasswordAuthenticatedInterface && null !== $this->passwordHasher && (null !== $password $guardAuthenticator->getPassword($token->getCredentials())) && $this->passwordHasher->needsRehash($user)) {
  143.             if ($this->passwordHasher instanceof UserPasswordEncoderInterface) {
  144.                 // @deprecated since Symfony 5.3
  145.                 $this->userProvider->upgradePassword($user$this->passwordHasher->encodePassword($user$password));
  146.             } else {
  147.                 $this->userProvider->upgradePassword($user$this->passwordHasher->hashPassword($user$password));
  148.             }
  149.         }
  150.         $this->userChecker->checkPostAuth($user);
  152.         // turn the UserInterface into a TokenInterface
  153.         $authenticatedToken $guardAuthenticator->createAuthenticatedToken($user$this->providerKey);
  154.         if (!$authenticatedToken instanceof TokenInterface) {
  155.             throw new \UnexpectedValueException(sprintf('The "%s::createAuthenticatedToken()" method must return a TokenInterface. You returned "%s".'get_debug_type($guardAuthenticator), get_debug_type($authenticatedToken)));
  156.         }
  158.         return $authenticatedToken;
  159.     }
  161.     private function findOriginatingAuthenticator(PreAuthenticationGuardToken $token): ?AuthenticatorInterface
  162.     {
  163.         // find the *one* GuardAuthenticator that this token originated from
  164.         foreach ($this->guardAuthenticators as $key => $guardAuthenticator) {
  165.             // get a key that's unique to *this* guard authenticator
  166.             // this MUST be the same as GuardAuthenticationListener
  167.             $uniqueGuardKey $this->providerKey.'_'.$key;
  169.             if ($uniqueGuardKey === $token->getGuardProviderKey()) {
  170.                 return $guardAuthenticator;
  171.             }
  172.         }
  174.         // no matching authenticator found - but there will be multiple GuardAuthenticationProvider
  175.         // instances that will be checked if you have multiple firewalls.
  177.         return null;
  178.     }
  180.     public function supports(TokenInterface $token)
  181.     {
  182.         if ($token instanceof PreAuthenticationGuardToken) {
  183.             return null !== $this->findOriginatingAuthenticator($token);
  184.         }
  186.         return $token instanceof GuardTokenInterface;
  187.     }
  188. }