[Security] [RememberMe] Add support for parallel requests doing remember-me re-authentication

Author: Seldaek

Authentication/RememberMe/CacheTokenVerifier.php

@@ -0,0 +1,68 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\RememberMe;
+
+use Psr\Cache\CacheItemPoolInterface;
+
+/**
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ */
+class CacheTokenVerifier implements TokenVerifierInterface
+{
+    private $cache;
+    private $outdatedTokenTtl;
+    private $cacheKeyPrefix;
+
+    /**
+     * @param int $outdatedTokenTtl How long the outdated token should still be considered valid. Defaults
+     *                              to 60, which matches how often the PersistentRememberMeHandler will at
+     *                              most refresh tokens. Increasing to more than that is not recommended,
+     *                              but you may use a lower value.
+     */
+    public function __construct(CacheItemPoolInterface $cache, int $outdatedTokenTtl = 60, string $cacheKeyPrefix = 'rememberme-stale-')
+    {
+        $this->cache = $cache;
+        $this->outdatedTokenTtl = $outdatedTokenTtl;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool
+    {
+        if (hash_equals($token->getTokenValue(), $tokenValue)) {
+            return true;
+        }
+
+        if (!$this->cache->hasItem($this->cacheKeyPrefix.$token->getSeries())) {
+            return false;
+        }
+
+        $item = $this->cache->getItem($this->cacheKeyPrefix.$token->getSeries());
+        $outdatedToken = $item->get();
+
+        return hash_equals($outdatedToken, $tokenValue);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void
+    {
+        // When a token gets updated, persist the outdated token for $outdatedTokenTtl seconds so we can
+        // still accept it as valid in verifyToken
+        $item = $this->cache->getItem($this->cacheKeyPrefix.$token->getSeries());
+        $item->set($token->getTokenValue());
+        $item->expiresAfter($this->outdatedTokenTtl);
+        $this->cache->save($item);
+    }
+}

Authentication/RememberMe/TokenVerifierInterface.php

@@ -0,0 +1,32 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\RememberMe;
+
+/**
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ */
+interface TokenVerifierInterface
+{
+    /**
+     * Verifies that the given $token is valid.
+     *
+     * This lets you override the token check logic to for example accept slightly outdated tokens.
+     *
+     * Do not forget to implement token comparisons using hash_equals for a secure implementation.
+     */
+    public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool;
+
+    /**
+     * Updates an existing token with a new token value and lastUsed time.
+     */
+    public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void;
+}

Tests/Authentication/RememberMe/CacheTokenVerifierTest.php

@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Tests\Authentication\RememberMe;
+
+use PHPUnit\Framework\TestCase;
+use Symfony\Component\Cache\Adapter\ArrayAdapter;
+use Symfony\Component\Security\Core\Authentication\RememberMe\CacheTokenVerifier;
+use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
+
+class CacheTokenVerifierTest extends TestCase
+{
+    public function testVerifyCurrentToken()
+    {
+        $verifier = new CacheTokenVerifier(new ArrayAdapter());
+        $token = new PersistentToken('class', 'user', 'series1', 'value', new \DateTime());
+        $this->assertTrue($verifier->verifyToken($token, 'value'));
+    }
+
+    public function testVerifyFailsInvalidToken()
+    {
+        $verifier = new CacheTokenVerifier(new ArrayAdapter());
+        $token = new PersistentToken('class', 'user', 'series1', 'value', new \DateTime());
+        $this->assertFalse($verifier->verifyToken($token, 'wrong-value'));
+    }
+
+    public function testVerifyOutdatedToken()
+    {
+        $verifier = new CacheTokenVerifier(new ArrayAdapter());
+        $outdatedToken = new PersistentToken('class', 'user', 'series1', 'value', new \DateTime());
+        $newToken = new PersistentToken('class', 'user', 'series1', 'newvalue', new \DateTime());
+        $verifier->updateExistingToken($outdatedToken, 'newvalue', new \DateTime());
+        $this->assertTrue($verifier->verifyToken($newToken, 'value'));
+    }
+}

composer.json

@@ -25,6 +25,8 @@
     },
     "require-dev": {
         "psr/container": "^1.0|^2.0",
+        "psr/cache": "^1.0|^2.0|^3.0",
+        "symfony/cache": "^4.4|^5.0",
         "symfony/event-dispatcher": "^4.4|^5.0",
         "symfony/expression-language": "^4.4|^5.0",
         "symfony/http-foundation": "^5.3",