src/EventListener/SecurityListener.php line 188

Open in your IDE?
  1. <?php
  2. /**
  3.  * Copyright (c) 2019, MND Next GmbH - www.mndnext.de
  4.  */
  7. namespace App\EventListener;
  10. use App\Entity\User;
  11. use App\Entity\UserActionLog;
  12. use App\Services\MailService;
  13. use Doctrine\ORM\EntityManagerInterface;
  14. use FOS\UserBundle\Event\FilterUserResponseEvent;
  15. use FOS\UserBundle\Event\GetResponseUserEvent;
  16. use FOS\UserBundle\FOSUserEvents;
  17. use FOS\UserBundle\Model\UserManagerInterface;
  18. use Psr\Log\LoggerInterface;
  19. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  20. use Symfony\Component\HttpFoundation\RedirectResponse;
  21. use Symfony\Component\HttpFoundation\Request;
  22. use Symfony\Component\HttpFoundation\RequestStack;
  23. use Symfony\Component\HttpKernel\Event\RequestEvent;
  24. use Symfony\Component\HttpKernel\KernelEvents;
  25. use Symfony\Component\Routing\Router;
  26. use Symfony\Component\Routing\RouterInterface;
  27. use Symfony\Component\Security\Core\AuthenticationEvents;
  28. use Symfony\Component\Security\Core\Event\AuthenticationEvent;
  29. use Symfony\Component\Security\Core\Event\AuthenticationFailureEvent;
  30. use Symfony\Component\Security\Core\Exception\AuthenticationCredentialsNotFoundException;
  31. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  32. use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
  33. use Symfony\Component\Security\Http\SecurityEvents;
  35. class SecurityListener implements EventSubscriberInterface
  36. {
  37.     const MAX_LOGIN_ATTEMPTS 10;
  38.     const ROUTE_LOGIN 'fos_user_security_check';
  39.     const ROUTE_RESET_PASSWORD 'fos_user_resetting_send_email';
  40.     const PERIOD_BLOCK_LOGIN 'PT1H'// \DateInterval period for blocking login after to manx login fails
  41.     const PERIOD_RESET_ATTEMPTS 'PT1H'// \DateInterval period after which time the login attempts counter should be reset
  43.     /** @var RouterInterface */
  44.     private $router;
  46.     /** @var Request */
  47.     private $request;
  49.     /** @var EntityManagerInterface */
  50.     private $em;
  52.     /** @var UserManagerInterface */
  53.     private $userManager;
  55.     /** @var MailService */
  56.     private $mailer;
  58.     public static function getSubscribedEvents()
  59.     {
  60.         return [
  61.             KernelEvents::REQUEST => ['checkHoneyPot'10],
  62.             AuthenticationEvents::AUTHENTICATION_FAILURE => 'onAuthenticationFailure',
  63.             SecurityEvents::INTERACTIVE_LOGIN => 'onLogin',
  64.             FOSUserEvents::CHANGE_PASSWORD_COMPLETED => 'onChangePassword',
  65.             FOSUserEvents::RESETTING_RESET_COMPLETED => 'onResetPasswordFinish',
  66.             FOSUserEvents::RESETTING_SEND_EMAIL_COMPLETED => 'onResetPasswordStart'
  67.         ];
  68.     }
  70.     public function __construct(RouterInterface $routerRequestStack $requestUserManagerInterface $userManagerEntityManagerInterface $emMailService $mailer)
  71.     {
  72.         $this->router $router;
  73.         $this->request $request->getCurrentRequest();
  74.         $this->userManager $userManager;
  75.         $this->em $em;
  76.         $this->mailer $mailer;
  77.     }
  79.     public function checkHoneyPot(RequestEvent $event)
  80.     {
  81.         // Only post routes, first check is for typehint on $this->router
  82.         $request $event->getRequest();
  83.         if (!$this->router instanceof Router || !$request->isMethod(Request::METHOD_POST)) {
  84.             return;
  85.         }
  87.         // Only for the login check route
  88.         $route $this->router->matchRequest($request)['_route'] ?? '';
  89.         if (self::ROUTE_LOGIN == $route) {
  90.             $honeyPot $this->request->get('_password_repeat');
  91.             if ($honeyPot) {
  92.                 $this->request->request->set('_username''');
  93.                 $this->request->request->set('_password''');
  94.                 $event->setResponse(new RedirectResponse('/'));
  95.             }
  96.         }
  98.         if (self::ROUTE_RESET_PASSWORD == $route) {
  99.             $honeyPot $this->request->get('username_repeat');
  100.             if ($honeyPot) {
  101.                 $this->request->request->set('username''');
  102.                 $event->setResponse(new RedirectResponse('/'));
  103.             }
  104.         }
  106.         /* check not needed as isAccountNonLocked() is automatically checked
  107.         $user = $this->userManager->findUserByEmail($this->request->get('_username'));
  108.         if ($user) {
  109.             if ($user->isAccountNonLocked()) {
  110.                 throw new AuthenticationException('to many login fails, login blocked for 2 hours' );
  111.             }
  112.         }
  113.         */
  114.     }
  116.     public function onAuthenticationFailure(AuthenticationFailureEvent $event)
  117.     {
  118.         $email $this->request->get('_username');
  120.         $log = new UserActionLog();
  121.         $log->setAction(UserActionLog::ACTION_FAILED_LOGIN);
  122.         $log->setEmail($email);
  123.         $log->setIp($this->request->getClientIp());
  124.         $this->em->persist($log);
  125.         $this->em->flush();
  127.         if (!$email) {
  128.             return;
  129.         }
  131.         /** @var User $user */
  132.         $user $this->userManager->findUserByEmail($email);
  133.         if (!$user) {
  134.             return;
  135.         }
  137.         $date $user->getLastFailedLogin();
  138.         if ($date instanceof \DateTime) {
  139.             $date->add(new \DateInterval(self::PERIOD_RESET_ATTEMPTS));
  140.             $now = new \DateTime();
  141.             if ($date <= $now) {
  142.                 $user->resetLoginAttempts();
  143.             }
  144.         }
  146.         $user->addFailedLoginAttempt();
  147.         if ($user->getLoginAttempts() >= self::MAX_LOGIN_ATTEMPTS) {
  148.             $user->bockTemporary(new \DateInterval(self::PERIOD_BLOCK_LOGIN));
  149.         }
  150.         $this->em->persist($user);
  151.         $this->em->flush();
  152.     }
  154.     public function onLogin(InteractiveLoginEvent $event)
  155.     {
  156.         $user $event->getAuthenticationToken()->getUser();
  157.         $user->resetLoginAttempts();
  158.         $this->em->persist($user);
  159.         $this->em->flush();
  160.     }
  162.     public function onChangePassword(FilterUserResponseEvent $event)
  163.     {
  164.         $user $event->getUser();
  166.         $log = new UserActionLog();
  167.         $log->setEmail($user->getEmail());
  168.         $log->setIp($this->request->getClientIp());
  169.         $log->setAction(UserActionLog::ACTION_PWD_CHANGED);
  170.         $this->em->persist($log);
  171.         $this->em->flush();
  173.         $this->mailer->sendPasswordChanged($user);
  174.     }
  176.     public function onResetPasswordStart(GetResponseUserEvent $event)
  177.     {
  178.         $user $event->getUser();
  180.         $log = new UserActionLog();
  181.         $log->setEmail($user->getEmail());
  182.         $log->setIp($this->request->getClientIp());
  183.         $log->setAction(UserActionLog::ACTION_PWD_CHANGED);
  184.         $this->em->persist($log);
  185.         $this->em->flush();
  186.     }
  188.     public function onResetPasswordFinish(FilterUserResponseEvent $event)
  189.     {
  190.         $user $event->getUser();
  191.         if ($user->getRegisterState() == User::REGISTERED_RESET) {
  192.             $user->setRegisterState(User::REGISTERED_CONFIRMED);
  193.             $this->userManager->updateUser($user);
  194.         }
  195.     }
  196. }