src/Security/Traits/LoginAuthenticatorTrait.php line 215

Open in your IDE?
  1. <?php
  3. namespace App\Security\Traits;
  5. use App\Constants\Platform;
  6. use App\Constants\Setting;
  7. use App\Constants\Modules;
  8. use App\Entity\User;
  9. use App\Services\Common\ModuleSettingService;
  10. use App\Services\Common\SettingService;
  11. use App\Services\ConfigService;
  12. use App\Services\DTV\YamlConfig\YamlReader;
  13. use App\Services\Portal\PortalService;
  14. use DateTime;
  15. use Doctrine\ORM\EntityManagerInterface;
  16. use Exception;
  17. use KnpU\OAuth2ClientBundle\Security\Exception\IdentityProviderAuthenticationException;
  18. use KnpU\OAuth2ClientBundle\Security\Exception\InvalidStateAuthenticationException;
  19. use KnpU\OAuth2ClientBundle\Security\Exception\NoAuthCodeAuthenticationException;
  20. use League\OAuth2\Client\Provider\Exception\IdentityProviderException;
  21. use Psr\Container\ContainerExceptionInterface;
  22. use Psr\Container\NotFoundExceptionInterface;
  23. use Psr\Log\LoggerInterface;
  24. use Symfony\Component\DependencyInjection\ServiceLocator;
  25. use Symfony\Component\HttpFoundation\RedirectResponse;
  26. use Symfony\Component\HttpFoundation\Request;
  27. use Symfony\Component\HttpFoundation\Response;
  28. use Symfony\Component\HttpKernel\KernelInterface;
  29. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  30. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  31. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  32. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  33. use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
  34. use Symfony\Component\Security\Core\Security;
  35. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
  36. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  37. use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
  38. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  39. use Symfony\Component\Security\Http\Util\TargetPathTrait;
  40. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
  42. trait LoginAuthenticatorTrait
  43. {
  44. use TargetPathTrait;
  46. protected EntityManagerInterface $em;
  47. protected UrlGeneratorInterface $urlGenerator;
  48. protected YamlReader $yamlReader;
  49. protected ConfigService $configService;
  50. protected KernelInterface $kernel;
  51. protected ServiceLocator $workflowUserServiceLocator;
  52. protected PortalService $portalService;
  53. protected SettingService $settingService;
  54. protected ModuleSettingService $moduleSettingService;
  55. protected LoggerInterface $logger;
  57. public function __construct(
  58. EntityManagerInterface $em,
  59. UrlGeneratorInterface $urlGenerator,
  60. YamlReader $yamlReader,
  61. ConfigService $configService,
  62. KernelInterface $kernel,
  63. ServiceLocator $workflowUserServiceLocator,
  64. PortalService $portalService,
  65. SettingService $settingService,
  66. ModuleSettingService $moduleSettingService,
  67. LoggerInterface $logger
  68. ) {
  69. $this->em = $em;
  70. $this->urlGenerator = $urlGenerator;
  71. $this->yamlReader = $yamlReader;
  72. $this->configService = $configService;
  73. $this->kernel = $kernel;
  74. $this->workflowUserServiceLocator = $workflowUserServiceLocator;
  75. $this->portalService = $portalService;
  76. $this->settingService = $settingService;
  77. $this->moduleSettingService = $moduleSettingService;
  78. $this->logger = $logger;
  79. }
  81. /**
  82. * @param Request $request
  83. *
  84. * @return Passport
  85. *
  86. * @throws Exception
  87. */
  88. public function authenticate(Request $request): Passport
  89. {
  90. $credentials = $request->request->all('login');
  91. $email = $credentials['email'] ?? '';
  92. $password = $credentials['password'] ?? '';
  94. // TODO PORTAL: vérifier que le module portal est activé et qu'on est bien sur un site parent et non child.
  95. if ($this->yamlReader->getType() === Platform::PORTAIL) {
  96. $user = $this->portalService->fetchUserFromApi($email, $password);
  97. if ($user instanceof User) {
  98. return new Passport(new UserBadge($email, function () use ($user) {
  99. return $user;
  100. }), new PasswordCredentials($password), [
  101. new CsrfTokenBadge('authenticate', $request->request->get('_csrf_token')),
  102. new RememberMeBadge()
  103. ]);
  104. }
  105. }
  107. $session = $request->getSession();
  108. $session->set(Security::LAST_USERNAME, $email);
  110. // Récupère l'utilisateur en fonction de l'e-mail
  111. $userRepo = $this->em->getRepository(User::class);
  112. $user = $userRepo->findOneByEmail($email);
  114. $loginSecurity = $this->yamlReader->getGlobal()['login_security'] ?? [];
  115. $activeDelayBeforeNewAttempt = $loginSecurity['active_delay_before_new_attempt'] ?? true;
  116. $failedAttempts = $loginSecurity['failed_attempts'] ?? 2; // !! attention !! le +1 au failedAttempts() s'ajoute après le test
  117. $delayBeforeNewAttempt = $loginSecurity['delay_before_new_attempt'] ?? 24;
  118. $passwordValidationDays = $loginSecurity['password_validation_days'] ?? 365;
  120. $env = $this->kernel->getEnvironment();
  122. if ($env !== 'test' && $user instanceof User) {
  123. // Vérifie si l'utilisateur échoue à la connexion plus de x fois et que l'option "delay" est désactivé
  124. // !! attention !! le +1 au failedAttempts() s'ajoute après le test
  125. if ($user->getFailedAttempts() > $failedAttempts && !$activeDelayBeforeNewAttempt) {
  126. throw new CustomUserMessageAuthenticationException(
  127. 'Vous avez été bloqué en raison de trop nombreuses tentatives ' . 'de connexion échouées. Veuillez cliquer sur "Mot de passe oublié ?" afin de le débloquer.',
  128. );
  129. } elseif ($user->getFailedAttempts() > $failedAttempts) {
  130. // Vérifie si l'utilisateur échoue à la connexion plus de x fois
  132. $lastFailed = $user->getLastFailedAttempt();
  133. $interval = (new DateTime())->diff($lastFailed);
  134. if ($interval->days == 0 && $interval->h < $delayBeforeNewAttempt) {
  135. throw new CustomUserMessageAuthenticationException(
  136. 'Vous avez été bloqué pendant ' . $delayBeforeNewAttempt . ' heure(s) en raison de trop nombreuses tentatives ' . 'de connexion échouées.',
  137. );
  138. } else {
  139. // Réinitialiser les tentatives après x heures
  140. $user->setFailedAttempts(0);
  141. $this->em->flush();
  142. }
  143. }
  145. $isSSO = $this->moduleSettingService->isModuleActive(Modules::SSO_CONNECTION) && $this->settingService->isExist(Setting::SSO_SETTINGS);
  147. // Vérification de la durée de validité du mot de passe
  148. if (!$user->isDeveloper() && !$isSSO) {
  149. $passwordUpdated = $user->getPasswordUpdatedAt();
  150. if (is_null($passwordUpdated)) {
  151. $passwordUpdated = (new DateTime())->modify('-' . $passwordValidationDays . ' days');
  152. $user->setPasswordUpdatedAt($passwordUpdated);
  153. $this->em->flush();
  154. }
  155. $interval = (new DateTime())->diff($passwordUpdated);
  156. if ($interval->days >= $passwordValidationDays) {
  157. // On injecte le service de workflowUser (pour éviter une dépendance circulaire dans le constructor)
  158. // On envoie un mail à l'utilisateur pour qu'il puisse changer son mot de passe et revalider les CGU
  159. try {
  160. $workflowUser = $this->workflowUserServiceLocator->get('workflowUser');
  161. $workflowUser->resendCGU($user);
  162. } catch (NotFoundExceptionInterface|ContainerExceptionInterface $e) {
  163. throw new Exception($e->getMessage());
  164. }
  166. throw new CustomUserMessageAuthenticationException(
  167. 'Votre mot de passe a été créé il y a plus de ' . $passwordValidationDays . ' jours, pour des raisons de sécurités, ' . 'un email vous a été envoyé afin que vous puissiez en changer. <br>' . 'Veuillez vérifier votre boite mail et suivre les instructions.',
  168. );
  169. }
  170. }
  171. }
  173. return new Passport(new UserBadge($email), new PasswordCredentials($password), [
  174. new CsrfTokenBadge('authenticate', $request->request->get('_csrf_token')),
  175. new RememberMeBadge()
  176. ]);
  177. }
  179. /**
  180. * @param Request $request
  181. * @param TokenInterface $token
  182. * @param string $firewallName
  183. *
  184. * @return Response|null
  185. */
  186. public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
  187. {
  188. //remise à 0 des tentatives de connexion après la connexion
  189. /** @var User $user */
  190. $user = $token->getUser();
  192. if ($user) {
  193. $user->setFailedAttempts(0);
  194. $user->setLastFailedAttempt(null);
  195. $this->em->flush();
  196. }
  198. if ($this->yamlReader->getType() === 'api') {
  199. return new RedirectResponse($this->urlGenerator->generate('back_dashboard'));
  200. }
  202. if ($targetPath = $this->getTargetPath($request->getSession(), $firewallName)) {
  203. return new RedirectResponse($targetPath);
  204. }
  206. return new RedirectResponse($this->urlGenerator->generate('front_homepage'));
  207. }
  209. /**
  210. * @param Request $request
  211. * @param AuthenticationException $exception
  212. *
  213. * @return Response
  214. */
  215. public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
  216. {
  217. $credentials = $request->request->get('login');
  218. $email = $credentials['email'] ?? '';
  220. $userRepo = $this->em->getRepository(User::class);
  221. $user = $userRepo->findOneByEmail($email);
  223. if ($user && $exception instanceof BadCredentialsException) {
  224. $user->setFailedAttempts($user->getFailedAttempts() + 1);
  225. $user->setLastFailedAttempt(new DateTime());
  226. $this->em->flush();
  227. }
  229. if ($this->isSsoAuthenticationFailure($exception)) {
  230. $this->logger->error('Erreur lors de la connexion SSO', [
  231. 'exception_class' => $exception::class,
  232. 'exception_message' => $exception->getMessage(),
  233. 'previous_exception_class' => $exception->getPrevious() ? $exception->getPrevious()::class : null,
  234. 'previous_exception_message' => $exception->getPrevious()?->getMessage(),
  235. ]);
  237. $request->getSession()->getFlashBag()->add(
  238. 'danger',
  239. 'Une erreur est survenue lors de la connexion (SSO)'
  240. );
  241. $request->getSession()->remove(Security::AUTHENTICATION_ERROR);
  243. return new RedirectResponse($this->getLoginUrlWithQuery($request));
  244. }
  246. $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
  248. return new RedirectResponse($this->getLoginUrlWithQuery($request));
  249. }
  251. /**
  252. * @return string
  253. */
  254. protected function getLoginUrl(Request $request): string
  255. {
  256. return $this->urlGenerator->generate('app_login');
  257. }
  259. /**
  260. * @return string
  261. */
  262. protected function getLoginUrlWithQuery(Request $request): string
  263. {
  264. return $this->urlGenerator->generate('app_login', $request->query->all());
  265. }
  267. private function isSsoAuthenticationFailure(AuthenticationException $exception): bool
  268. {
  269. return $exception instanceof IdentityProviderAuthenticationException
  270. || $exception instanceof InvalidStateAuthenticationException
  271. || $exception instanceof NoAuthCodeAuthenticationException
  272. || $exception->getPrevious() instanceof IdentityProviderException;
  273. }
  274. }