vendor/symfony/security-http/RememberMe/TokenBasedRememberMeServices.php line 21

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Http\RememberMe;
  14. use Symfony\Component\HttpFoundation\Cookie;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  18. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  19. use Symfony\Component\Security\Core\User\UserInterface;
  21. trigger_deprecation('symfony/security-http', '5.4', 'The "%s" class is deprecated, use "%s" instead.', TokenBasedRememberMeServices::class, SignatureRememberMeHandler::class);
  23. /**
  24. * Concrete implementation of the RememberMeServicesInterface providing
  25. * remember-me capabilities without requiring a TokenProvider.
  26. *
  27. * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  28. *
  29. * @deprecated since Symfony 5.4, use {@see SignatureRememberMeHandler} instead
  30. */
  31. class TokenBasedRememberMeServices extends AbstractRememberMeServices
  32. {
  33. /**
  34. * {@inheritdoc}
  35. */
  36. protected function processAutoLoginCookie(array $cookieParts, Request $request)
  37. {
  38. if (4 !== \count($cookieParts)) {
  39. throw new AuthenticationException('The cookie is invalid.');
  40. }
  42. [$class, $userIdentifier, $expires, $hash] = $cookieParts;
  43. if (false === $userIdentifier = base64_decode($userIdentifier, true)) {
  44. throw new AuthenticationException('$userIdentifier contains a character from outside the base64 alphabet.');
  45. }
  46. try {
  47. $userProvider = $this->getUserProvider($class);
  48. // @deprecated since Symfony 5.3, change to $userProvider->loadUserByIdentifier() in 6.0
  49. if (method_exists($userProvider, 'loadUserByIdentifier')) {
  50. $user = $userProvider->loadUserByIdentifier($userIdentifier);
  51. } else {
  52. trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($userProvider));
  54. $user = $userProvider->loadUserByUsername($userIdentifier);
  55. }
  56. } catch (\Exception $e) {
  57. if (!$e instanceof AuthenticationException) {
  58. $e = new AuthenticationException($e->getMessage(), $e->getCode(), $e);
  59. }
  61. throw $e;
  62. }
  64. if (!$user instanceof UserInterface) {
  65. throw new \RuntimeException(sprintf('The UserProviderInterface implementation must return an instance of UserInterface, but returned "%s".', get_debug_type($user)));
  66. }
  68. if (true !== hash_equals($this->generateCookieHash($class, $userIdentifier, $expires, $user->getPassword()), $hash)) {
  69. throw new AuthenticationException('The cookie\'s hash is invalid.');
  70. }
  72. if ($expires < time()) {
  73. throw new AuthenticationException('The cookie has expired.');
  74. }
  76. return $user;
  77. }
  79. /**
  80. * {@inheritdoc}
  81. */
  82. protected function onLoginSuccess(Request $request, Response $response, TokenInterface $token)
  83. {
  84. $user = $token->getUser();
  85. $expires = time() + $this->options['lifetime'];
  86. // @deprecated since Symfony 5.3, change to $user->getUserIdentifier() in 6.0
  87. $value = $this->generateCookieValue(\get_class($user), method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(), $expires, $user->getPassword());
  89. $response->headers->setCookie(
  90. new Cookie(
  91. $this->options['name'],
  92. $value,
  93. $expires,
  94. $this->options['path'],
  95. $this->options['domain'],
  96. $this->options['secure'] ?? $request->isSecure(),
  97. $this->options['httponly'],
  98. false,
  99. $this->options['samesite']
  100. )
  101. );
  102. }
  104. /**
  105. * Generates the cookie value.
  106. *
  107. * @param int $expires The Unix timestamp when the cookie expires
  108. * @param string|null $password The encoded password
  109. *
  110. * @return string
  111. */
  112. protected function generateCookieValue(string $class, string $userIdentifier, int $expires, ?string $password)
  113. {
  114. // $userIdentifier is encoded because it might contain COOKIE_DELIMITER,
  115. // we assume other values don't
  116. return $this->encodeCookie([
  117. $class,
  118. base64_encode($userIdentifier),
  119. $expires,
  120. $this->generateCookieHash($class, $userIdentifier, $expires, $password),
  121. ]);
  122. }
  124. /**
  125. * Generates a hash for the cookie to ensure it is not being tampered with.
  126. *
  127. * @param int $expires The Unix timestamp when the cookie expires
  128. * @param string|null $password The encoded password
  129. *
  130. * @return string
  131. */
  132. protected function generateCookieHash(string $class, string $userIdentifier, int $expires, ?string $password)
  133. {
  134. return hash_hmac('sha256', $class.self::COOKIE_DELIMITER.$userIdentifier.self::COOKIE_DELIMITER.$expires.self::COOKIE_DELIMITER.$password, $this->getSecret());
  135. }
  136. }