vendor/symfony/security-http/RememberMe/PersistentTokenBasedRememberMeServices.php line 24

Open in your IDE?
  1. <?php
  3. /*
  4.  * This file is part of the Symfony package.
  5.  *
  6.  * (c) Fabien Potencier <fabien@symfony.com>
  7.  *
  8.  * For the full copyright and license information, please view the LICENSE
  9.  * file that was distributed with this source code.
  10.  */
  12. namespace Symfony\Component\Security\Http\RememberMe;
  14. use Symfony\Component\HttpFoundation\Cookie;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
  18. use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentTokenInterface;
  19. use Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface;
  20. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  21. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  22. use Symfony\Component\Security\Core\Exception\CookieTheftException;
  24. trigger_deprecation('symfony/security-http''5.4''The "%s" class is deprecated, use "%s" instead.'PersistentTokenBasedRememberMeServices::class, PersistentRememberMeHandler::class);
  26. /**
  27.  * Concrete implementation of the RememberMeServicesInterface which needs
  28.  * an implementation of TokenProviderInterface for providing remember-me
  29.  * capabilities.
  30.  *
  31.  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  32.  *
  33.  * @deprecated since Symfony 5.4, use {@see PersistentRememberMeHandler} instead
  34.  */
  35. class PersistentTokenBasedRememberMeServices extends AbstractRememberMeServices
  36. {
  37.     private const HASHED_TOKEN_PREFIX 'sha256_';
  39.     /** @var TokenProviderInterface */
  40.     private $tokenProvider;
  42.     public function setTokenProvider(TokenProviderInterface $tokenProvider)
  43.     {
  44.         $this->tokenProvider $tokenProvider;
  45.     }
  47.     /**
  48.      * {@inheritdoc}
  49.      */
  50.     protected function cancelCookie(Request $request)
  51.     {
  52.         // Delete cookie on the client
  53.         parent::cancelCookie($request);
  55.         // Delete cookie from the tokenProvider
  56.         if (null !== ($cookie $request->cookies->get($this->options['name']))
  57.             && === \count($parts $this->decodeCookie($cookie))
  58.         ) {
  59.             [$series] = $parts;
  60.             $this->tokenProvider->deleteTokenBySeries($series);
  61.         }
  62.     }
  64.     /**
  65.      * {@inheritdoc}
  66.      */
  67.     protected function processAutoLoginCookie(array $cookiePartsRequest $request)
  68.     {
  69.         if (!== \count($cookieParts)) {
  70.             throw new AuthenticationException('The cookie is invalid.');
  71.         }
  73.         [$series$tokenValue] = $cookieParts;
  74.         $persistentToken $this->tokenProvider->loadTokenBySeries($series);
  76.         if (!$this->isTokenValueValid($persistentToken$tokenValue)) {
  77.             throw new CookieTheftException('This token was already used. The account is possibly compromised.');
  78.         }
  80.         if ($persistentToken->getLastUsed()->getTimestamp() + $this->options['lifetime'] < time()) {
  81.             throw new AuthenticationException('The cookie has expired.');
  82.         }
  84.         $tokenValue base64_encode(random_bytes(64));
  85.         $this->tokenProvider->updateToken($series$this->generateHash($tokenValue), new \DateTime());
  86.         $request->attributes->set(self::COOKIE_ATTR_NAME,
  87.             new Cookie(
  88.                 $this->options['name'],
  89.                 $this->encodeCookie([$series$tokenValue]),
  90.                 time() + $this->options['lifetime'],
  91.                 $this->options['path'],
  92.                 $this->options['domain'],
  93.                 $this->options['secure'] ?? $request->isSecure(),
  94.                 $this->options['httponly'],
  95.                 false,
  96.                 $this->options['samesite']
  97.             )
  98.         );
  100.         $userProvider $this->getUserProvider($persistentToken->getClass());
  101.         // @deprecated since Symfony 5.3, change to $persistentToken->getUserIdentifier() in 6.0
  102.         if (method_exists($persistentToken'getUserIdentifier')) {
  103.             $userIdentifier $persistentToken->getUserIdentifier();
  104.         } else {
  105.             trigger_deprecation('symfony/security-core''5.3''Not implementing method "getUserIdentifier()" in persistent token "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.'get_debug_type($persistentToken));
  107.             $userIdentifier $persistentToken->getUsername();
  108.         }
  110.         // @deprecated since Symfony 5.3, change to $userProvider->loadUserByIdentifier() in 6.0
  111.         if (method_exists($userProvider'loadUserByIdentifier')) {
  112.             return $userProvider->loadUserByIdentifier($userIdentifier);
  113.         } else {
  114.             trigger_deprecation('symfony/security-core''5.3''Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.'get_debug_type($userProvider));
  116.             return $userProvider->loadUserByUsername($userIdentifier);
  117.         }
  118.     }
  120.     /**
  121.      * {@inheritdoc}
  122.      */
  123.     protected function onLoginSuccess(Request $requestResponse $responseTokenInterface $token)
  124.     {
  125.         $series base64_encode(random_bytes(64));
  126.         $tokenValue base64_encode(random_bytes(64));
  128.         $this->tokenProvider->createNewToken(
  129.             new PersistentToken(
  130.                 \get_class($user $token->getUser()),
  131.                 // @deprecated since Symfony 5.3, change to $user->getUserIdentifier() in 6.0
  132.                 method_exists($user'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(),
  133.                 $series,
  134.                 $this->generateHash($tokenValue),
  135.                 new \DateTime()
  136.             )
  137.         );
  139.         $response->headers->setCookie(
  140.             new Cookie(
  141.                 $this->options['name'],
  142.                 $this->encodeCookie([$series$tokenValue]),
  143.                 time() + $this->options['lifetime'],
  144.                 $this->options['path'],
  145.                 $this->options['domain'],
  146.                 $this->options['secure'] ?? $request->isSecure(),
  147.                 $this->options['httponly'],
  148.                 false,
  149.                 $this->options['samesite']
  150.             )
  151.         );
  152.     }
  154.     private function generateHash(string $tokenValue): string
  155.     {
  156.         return self::HASHED_TOKEN_PREFIX.hash_hmac('sha256'$tokenValue$this->getSecret());
  157.     }
  159.     private function isTokenValueValid(PersistentTokenInterface $persistentTokenstring $tokenValue): bool
  160.     {
  161.         if (=== strpos($persistentToken->getTokenValue(), self::HASHED_TOKEN_PREFIX)) {
  162.             return hash_equals($persistentToken->getTokenValue(), $this->generateHash($tokenValue));
  163.         }
  165.         return hash_equals($persistentToken->getTokenValue(), $tokenValue);
  166.     }
  167. }