src/Security/Authenticator/TokenAuthenticator.php line 70

Open in your IDE?
  1. <?php
  2. //----------------------------------------------------------------------
  3. // src/Security/Authenticator/TokenAuthenticator.php
  4. //----------------------------------------------------------------------
  5. namespace App\Security\Authenticator;
  7. use Symfony\Component\HttpFoundation\Request;
  8. use Symfony\Component\HttpFoundation\Response;
  9. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  10. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  11. use Symfony\Component\Security\Core\Exception\BadCredentialsException;
  12. use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
  13. use Symfony\Component\Security\Core\User\UserInterface;
  14. use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
  15. use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
  16. use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\CustomCredentials;
  17. use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
  19. use App\Entity\APIRest\AccessAPI;
  20. use App\Services\APIRest\Tools\APIResponseTools;
  21. use App\Services\APIRest\Tools\RouteScopeResolver;
  22. use App\Utils\APIError;
  24. class TokenAuthenticator extends AbstractAuthenticator
  25. {
  26.     public function __construct(APIResponseTools $apiResponseToolsRouteScopeResolver $routeScopeResolver)
  27.     {
  28.         $this->apiResponseTools $apiResponseTools;
  29.         $this->routeScopeResolver $routeScopeResolver;
  30.     }
  32.     /**
  33.      * Called on every request to decide if this authenticator should be
  34.      * used for the request. Returning `false` will cause this authenticator
  35.      * to be skipped.
  36.      */
  37.     public function supports(Request $request): ?bool
  38.     {
  39.         $route $request->attributes->get('_route');
  41.         // Check if it's an API call
  42.         if (preg_match("/api_rest_/"$route) !== 1)
  43.         {
  44.             return false;
  45.         }
  47.         return true;
  48.     }
  50.     /**
  51.      * Try to authenticate user with request param
  52.      */
  53.     public function authenticate(Request $request): Passport
  54.     {
  55.         // Check headers contain 'X-Auth-Token' or 'Authorization' param
  56.         $this->checkHeaders($request);
  58.         // Get token sent
  59.         $token $this->getToken($request);
  60.         if ($token === null)
  61.         {
  62.             // The token header was empty, authentication fails with HTTP Status
  63.             // Code 401 "Unauthorized"
  64.             $errorMessage APIError::AUTHENTICATION_INVALID_TOKEN['errorMessage'];
  65.             throw new CustomUserMessageAuthenticationException($errorMessage);
  66.         }
  68.         // Check User is valid (AcessAPI, token valid, User Active)
  69.         $customCredential = new CustomCredentials(
  70.             function (string $credentialsUserInterface $user): bool
  71.             {
  72.                 if (!($user instanceof AccessAPI))
  73.                 {
  74.                     return false;
  75.                 }
  76.                 if ($credentials !== $user->getAccessToken())
  77.                 {
  78.                     return false;
  79.                 }
  80.                 if ($user->isAccessTokenExpired())
  81.                 {
  82.                     return false;
  83.                 }
  84.                 if (!$user->getIsActive())
  85.                 {
  86.                     return false;
  87.                 }
  89.                 return true;
  90.             },
  91.             // The custom credentials
  92.             $token
  93.         );
  95.         return new Passport(new UserBadge($token), $customCredential);
  96.     }
  98.     public function onAuthenticationSuccess(Request $requestTokenInterface $tokenstring $firewallName): ?Response
  99.     {
  100.         // Scope control is currently in observation mode:
  101.         // - routes are not yet annotated with RequiredScopes
  102.         // - missing scopes must not block access
  103.         $accessAPI $token->getUser();
  105.         if (!($accessAPI instanceof AccessAPI))
  106.         {
  107.             return null;
  108.         }
  110.         // Get required scopes for the current route
  111.         // The required scopes are defined in the controller method using the RequiredScopes attribute
  112.         $requiredScopes $this->routeScopeResolver->getRequiredScopes($request);
  114.         // No route currently uses RequiredScopes; even if it did, we do not block yet.
  115.         // This hook is here to prepare future enforcement once scopes are widely used.
  116.         if (empty($requiredScopes))
  117.         {
  118.             return null;
  119.         }
  121.         // In future we could enforce that at least one required scope is present:
  122.         $hasRequiredScope false;
  123.         foreach ($requiredScopes as $requiredScope)
  124.         {
  125.             if ($accessAPI->hasScope($requiredScope))
  126.             {
  127.                 $hasRequiredScope true;
  128.                 break;
  129.             }
  130.         }
  131.         
  132.         if (!$hasRequiredScope)
  133.         {
  134.             $apiError = new APIError(APIError::AUTHENTICATION_SCOPE_FORBIDDEN);
  135.             return $this->apiResponseTools->unauthorizedResponse($apiError);
  136.         }
  138.         return null;
  139.     }
  141.     public function onAuthenticationFailure(Request $requestAuthenticationException $exception): ?Response
  142.     {
  143.         // Prevent warning for size overload
  144.         ob_get_contents();
  145.         ob_end_clean();
  147.         // Avoid symfony error caused by CustomCredentials return false
  148.         if ($exception instanceof BadCredentialsException)
  149.         {
  150.             $apiError = new APIError(APIError::AUTHENTICATION_FAILED);
  151.         }
  152.         else
  153.         {
  154.             // Classic case
  155.             $apiError = new APIError(APIError::AUTHENTICATION_FAILED$exception->getMessage());
  156.         }
  157.         
  158.         return $this->apiResponseTools->unauthorizedResponse($apiError);
  159.     }
  161.     // ----- Custom methods ----- //
  163.     /**
  164.      * Check headers has 'X-Auth-Token' or 'Authorization' param (Else throw Exception to trigger 'onAuthenticationFailure' method)
  165.      * @throws CustomUserMessageAuthenticationException
  166.      */
  167.     protected function checkHeaders(Request $request)
  168.     {
  169.         if (!($request->headers->has('X-Auth-Token') || $request->headers->has('Authorization')))
  170.         {
  171.             $errorMessage APIError::AUTHENTICATION_REQUIRED['errorMessage'];
  172.             throw new CustomUserMessageAuthenticationException($errorMessage);
  173.         }
  174.     }
  176.     protected function getToken(Request $request): ?string
  177.     {
  178.         if ($request->headers->has('X-Auth-Token'))
  179.         {
  180.             return $request->headers->get('X-Auth-Token');
  181.         }
  183.         if ($request->headers->has('Authorization') && stristr($request->headers->get('Authorization'), 'Bearer ') != false)
  184.         {
  185.             return str_ireplace('Bearer '''$request->headers->get('Authorization'));
  186.         }
  188.         // Should never happen
  189.         return null;
  190.     }
  191. }