vendor/symfony/security-http/RememberMe/PersistentTokenBasedRememberMeServices.php line 24

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Http\RememberMe;
  14. use Symfony\Component\HttpFoundation\Cookie;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
  18. use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentTokenInterface;
  19. use Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface;
  20. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  21. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  22. use Symfony\Component\Security\Core\Exception\CookieTheftException;
  24. trigger_deprecation('symfony/security-http', '5.4', 'The "%s" class is deprecated, use "%s" instead.', PersistentTokenBasedRememberMeServices::class, PersistentRememberMeHandler::class);
  26. /**
  27. * Concrete implementation of the RememberMeServicesInterface which needs
  28. * an implementation of TokenProviderInterface for providing remember-me
  29. * capabilities.
  30. *
  31. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  32. *
  33. * @deprecated since Symfony 5.4, use {@see PersistentRememberMeHandler} instead
  34. */
  35. class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
  36. {
  37. private const HASHED_TOKEN_PREFIX = 'sha256_';
  39. /** @var TokenProviderInterface */
  40. private $tokenProvider;
  42. public function setTokenProvider(TokenProviderInterface $tokenProvider)
  43. {
  44. $this->tokenProvider = $tokenProvider;
  45. }
  47. /**
  48. * {@inheritdoc}
  49. */
  50. protected function cancelCookie(Request $request)
  51. {
  52. // Delete cookie on the client
  53. parent::cancelCookie($request);
  55. // Delete cookie from the tokenProvider
  56. if (null !== ($cookie = $request->cookies->get($this->options['name']))
  57. && 2 === \count($parts = $this->decodeCookie($cookie))
  58. ) {
  59. [$series] = $parts;
  60. $this->tokenProvider->deleteTokenBySeries($series);
  61. }
  62. }
  64. /**
  65. * {@inheritdoc}
  66. */
  67. protected function processAutoLoginCookie(array $cookieParts, Request $request)
  68. {
  69. if (2 !== \count($cookieParts)) {
  70. throw new AuthenticationException('The cookie is invalid.');
  71. }
  73. [$series, $tokenValue] = $cookieParts;
  74. $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
  76. if (!$this->isTokenValueValid($persistentToken, $tokenValue)) {
  77. throw new CookieTheftException('This token was already used. The account is possibly compromised.');
  78. }
  80. if ($persistentToken->getLastUsed()->getTimestamp() + $this->options['lifetime'] < time()) {
  81. throw new AuthenticationException('The cookie has expired.');
  82. }
  84. $tokenValue = base64_encode(random_bytes(64));
  85. $this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());
  86. $request->attributes->set(self::COOKIE_ATTR_NAME,
  87. new Cookie(
  88. $this->options['name'],
  89. $this->encodeCookie([$series, $tokenValue]),
  90. time() + $this->options['lifetime'],
  91. $this->options['path'],
  92. $this->options['domain'],
  93. $this->options['secure'] ?? $request->isSecure(),
  94. $this->options['httponly'],
  95. false,
  96. $this->options['samesite']
  97. )
  98. );
  100. $userProvider = $this->getUserProvider($persistentToken->getClass());
  101. // @deprecated since Symfony 5.3, change to $persistentToken->getUserIdentifier() in 6.0
  102. if (method_exists($persistentToken, 'getUserIdentifier')) {
  103. $userIdentifier = $persistentToken->getUserIdentifier();
  104. } else {
  105. trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "getUserIdentifier()" in persistent token "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($persistentToken));
  107. $userIdentifier = $persistentToken->getUsername();
  108. }
  110. // @deprecated since Symfony 5.3, change to $userProvider->loadUserByIdentifier() in 6.0
  111. if (method_exists($userProvider, 'loadUserByIdentifier')) {
  112. return $userProvider->loadUserByIdentifier($userIdentifier);
  113. } else {
  114. trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($userProvider));
  116. return $userProvider->loadUserByUsername($userIdentifier);
  117. }
  118. }
  120. /**
  121. * {@inheritdoc}
  122. */
  123. protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
  124. {
  125. $series = base64_encode(random_bytes(64));
  126. $tokenValue = base64_encode(random_bytes(64));
  128. $this->tokenProvider->createNewToken(
  129. new PersistentToken(
  130. \get_class($user = $token->getUser()),
  131. // @deprecated since Symfony 5.3, change to $user->getUserIdentifier() in 6.0
  132. method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(),
  133. $series,
  134. $this->generateHash($tokenValue),
  135. new \DateTime()
  136. )
  137. );
  139. $response->headers->setCookie(
  140. new Cookie(
  141. $this->options['name'],
  142. $this->encodeCookie([$series, $tokenValue]),
  143. time() + $this->options['lifetime'],
  144. $this->options['path'],
  145. $this->options['domain'],
  146. $this->options['secure'] ?? $request->isSecure(),
  147. $this->options['httponly'],
  148. false,
  149. $this->options['samesite']
  150. )
  151. );
  152. }
  154. private function generateHash(string $tokenValue): string
  155. {
  156. return self::HASHED_TOKEN_PREFIX.hash_hmac('sha256', $tokenValue, $this->getSecret());
  157. }
  159. private function isTokenValueValid(PersistentTokenInterface $persistentToken, string $tokenValue): bool
  160. {
  161. if (0 === strpos($persistentToken->getTokenValue(), self::HASHED_TOKEN_PREFIX)) {
  162. return hash_equals($persistentToken->getTokenValue(), $this->generateHash($tokenValue));
  163. }
  165. return hash_equals($persistentToken->getTokenValue(), $tokenValue);
  166. }
  167. }