Refactor to an event based authentication approach

This allows more flexibility for the authentication manager (to e.g. implement
login throttling, easier remember me, etc). It is also a known design pattern
in Symfony HttpKernel.

Author: wouterj

Authentication/Authenticator/AnonymousAuthenticator.php

@@ -27,7 +27,7 @@
  * @final
  * @experimental in 5.1
  */
-class AnonymousAuthenticator implements AuthenticatorInterface
+class AnonymousAuthenticator implements AuthenticatorInterface, CustomAuthenticatedInterface
 {
     private $secret;
     private $tokenStorage;
@@ -49,14 +49,15 @@ public function getCredentials(Request $request)
         return [];
     }
 
-    public function getUser($credentials): ?UserInterface
+    public function checkCredentials($credentials, UserInterface $user): bool
     {
-        return new User('anon.', null);
+        // anonymous users do not have credentials
+        return true;
     }
 
-    public function checkCredentials($credentials, UserInterface $user): bool
+    public function getUser($credentials): ?UserInterface
     {
-        return true;
+        return new User('anon.', null);
     }
 
     public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface

Authentication/Authenticator/AuthenticatorInterface.php

@@ -70,18 +70,6 @@ public function getCredentials(Request $request);
      */
     public function getUser($credentials): ?UserInterface;
 
-    /**
-     * Returns true if the credentials are valid.
-     *
-     * If false is returned, authentication will fail. You may also throw
-     * an AuthenticationException if you wish to cause authentication to fail.
-     *
-     * @param mixed $credentials the value returned from getCredentials()
-     *
-     * @throws AuthenticationException
-     */
-    public function checkCredentials($credentials, UserInterface $user): bool;
-
     /**
      * Create an authenticated token for the given user.
      *

Authentication/Authenticator/CustomAuthenticatedInterface.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace Symfony\Component\Security\Http\Authentication\Authenticator;
+
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * This interface should be implemented by authenticators that
+ * require custom (not password related) authentication.
+ *
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ */
+interface CustomAuthenticatedInterface
+{
+    /**
+     * Returns true if the credentials are valid.
+     *
+     * If false is returned, authentication will fail. You may also throw
+     * an AuthenticationException if you wish to cause authentication to fail.
+     *
+     * @param mixed $credentials the value returned from getCredentials()
+     *
+     * @throws AuthenticationException
+     */
+    public function checkCredentials($credentials, UserInterface $user): bool;
+}

Authentication/Authenticator/FormLoginAuthenticator.php

@@ -15,6 +15,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
@@ -23,6 +24,7 @@
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
+use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\ParameterBagUtils;
 use Symfony\Component\Security\Http\Util\TargetPathTrait;
@@ -34,23 +36,19 @@
  * @final
  * @experimental in 5.1
  */
-class FormLoginAuthenticator extends AbstractFormLoginAuthenticator
+class FormLoginAuthenticator extends AbstractFormLoginAuthenticator implements PasswordAuthenticatedInterface
 {
-    use TargetPathTrait, UsernamePasswordTrait {
-        UsernamePasswordTrait::checkCredentials as checkPassword;
-    }
+    use TargetPathTrait;
 
     private $options;
     private $httpUtils;
     private $csrfTokenManager;
     private $userProvider;
-    private $encoderFactory;
 
-    public function __construct(HttpUtils $httpUtils, ?CsrfTokenManagerInterface $csrfTokenManager, UserProviderInterface $userProvider, EncoderFactoryInterface $encoderFactory, array $options)
+    public function __construct(HttpUtils $httpUtils, ?CsrfTokenManagerInterface $csrfTokenManager, UserProviderInterface $userProvider, array $options)
     {
         $this->httpUtils = $httpUtils;
         $this->csrfTokenManager = $csrfTokenManager;
-        $this->encoderFactory = $encoderFactory;
         $this->options = array_merge([
             'username_parameter' => '_username',
             'password_parameter' => '_password',
@@ -109,11 +107,17 @@ public function getCredentials(Request $request): array
         return $credentials;
     }
 
+    public function getPassword($credentials): ?string
+    {
+        return $credentials['password'];
+    }
+
     public function getUser($credentials): ?UserInterface
     {
         return $this->userProvider->loadUserByUsername($credentials['username']);
     }
 
+    /* @todo How to do CSRF protection?
     public function checkCredentials($credentials, UserInterface $user): bool
     {
         if (null !== $this->csrfTokenManager) {
@@ -123,6 +127,11 @@ public function checkCredentials($credentials, UserInterface $user): bool
         }
 
         return $this->checkPassword($credentials, $user);
+    }*/
+
+    public function createAuthenticatedToken(UserInterface $user, $providerKey): TokenInterface
+    {
+        return new UsernamePasswordToken($user, null, $providerKey, $user->getRoles());
     }
 
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey): Response

Authentication/Authenticator/HttpBasicAuthenticator.php

@@ -15,10 +15,12 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Guard\PasswordAuthenticatedInterface;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 
 /**
@@ -28,10 +30,8 @@
  * @final
  * @experimental in 5.1
  */
-class HttpBasicAuthenticator implements AuthenticatorInterface, AuthenticationEntryPointInterface
+class HttpBasicAuthenticator implements AuthenticatorInterface, AuthenticationEntryPointInterface, PasswordAuthenticatedInterface
 {
-    use UsernamePasswordTrait;
-
     private $realmName;
     private $userProvider;
     private $encoderFactory;
@@ -67,11 +67,21 @@ public function getCredentials(Request $request)
         ];
     }
 
+    public function getPassword($credentials): ?string
+    {
+        return $credentials['password'];
+    }
+
     public function getUser($credentials): ?UserInterface
     {
         return $this->userProvider->loadUserByUsername($credentials['username']);
     }
 
+    public function createAuthenticatedToken(UserInterface $user, $providerKey): TokenInterface
+    {
+        return new UsernamePasswordToken($user, null, $providerKey, $user->getRoles());
+    }
+
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey): ?Response
     {
         return null;

Authentication/Authenticator/TokenAuthenticatedInterface.php

@@ -0,0 +1,24 @@
+<?php
+
+namespace Symfony\Component\Security\Http\Authentication\Authenticator;
+
+/**
+ * This interface should be implemented when the authenticator
+ * doesn't need to check credentials (e.g. when using API tokens)
+ *
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ */
+interface TokenAuthenticatedInterface
+{
+    /**
+     * Extracts the token from the credentials.
+     *
+     * If you return null, the credentials will not be marked as
+     * valid and a BadCredentialsException is thrown.
+     *
+     * @param mixed $credentials The user credentials
+     *
+     * @return mixed|null the token - if any - or null otherwise
+     */
+    public function getToken($credentials);
+}

Authentication/Authenticator/UsernamePasswordTrait.php

@@ -12,6 +12,9 @@
 namespace Symfony\Component\Security\Http\Authentication;
 
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Authentication\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Core\Authentication\Token\PreAuthenticationGuardToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
@@ -21,7 +24,7 @@
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\AuthenticationExpiredException;
 use Symfony\Component\Security\Core\Exception\ProviderNotFoundException;
-use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Http\Event\VerifyAuthenticatorCredentialsEvent;
 use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
 
 /**
@@ -35,18 +38,16 @@ class GuardAuthenticationManager implements AuthenticationManagerInterface
     use GuardAuthenticationManagerTrait;
 
     private $guardAuthenticators;
-    private $userChecker;
-    private $eraseCredentials;
-    /** @var EventDispatcherInterface */
     private $eventDispatcher;
+    private $eraseCredentials;
 
     /**
      * @param iterable|AuthenticatorInterface[] $guardAuthenticators The authenticators, with keys that match what's passed to GuardAuthenticationListener
      */
-    public function __construct($guardAuthenticators, UserCheckerInterface $userChecker, bool $eraseCredentials = true)
+    public function __construct(iterable $guardAuthenticators, EventDispatcherInterface $eventDispatcher, bool $eraseCredentials = true)
     {
         $this->guardAuthenticators = $guardAuthenticators;
-        $this->userChecker = $userChecker;
+        $this->eventDispatcher = $eventDispatcher;
         $this->eraseCredentials = $eraseCredentials;
     }
 
@@ -100,6 +101,40 @@ public function authenticate(TokenInterface $token)
         return $result;
     }
 
+    protected function getGuardKey(string $key): string
+    {
+        // Guard authenticators in the GuardAuthenticationManager are already indexed
+        // by an unique key
+        return $key;
+    }
+
+    private function authenticateViaGuard(AuthenticatorInterface $authenticator, PreAuthenticationGuardToken $token, string $providerKey): TokenInterface
+    {
+        // get the user from the Authenticator
+        $user = $authenticator->getUser($token->getCredentials());
+        if (null === $user) {
+            throw new UsernameNotFoundException(sprintf('Null returned from "%s::getUser()".', \get_class($authenticator)));
+        }
+
+        if (!$user instanceof UserInterface) {
+            throw new \UnexpectedValueException(sprintf('The %s::getUser() method must return a UserInterface. You returned %s.', \get_class($authenticator), \is_object($user) ? \get_class($user) : \gettype($user)));
+        }
+
+        $event = new VerifyAuthenticatorCredentialsEvent($authenticator, $token, $user);
+        $this->eventDispatcher->dispatch($event);
+        if (true !== $event->areCredentialsValid()) {
+            throw new BadCredentialsException(sprintf('Authentication failed because %s did not approve the credentials.', \get_class($authenticator)));
+        }
+
+        // turn the UserInterface into a TokenInterface
+        $authenticatedToken = $authenticator->createAuthenticatedToken($user, $providerKey);
+        if (!$authenticatedToken instanceof TokenInterface) {
+            throw new \UnexpectedValueException(sprintf('The %s::createAuthenticatedToken() method must return a TokenInterface. You returned %s.', \get_class($authenticator), \is_object($authenticatedToken) ? \get_class($authenticatedToken) : \gettype($authenticatedToken)));
+        }
+
+        return $authenticatedToken;
+    }
+
     private function handleFailure(AuthenticationException $exception, TokenInterface $token)
     {
         if (null !== $this->eventDispatcher) {
@@ -110,11 +145,4 @@ private function handleFailure(AuthenticationException $exception, TokenInterfac
 
         throw $exception;
     }
-
-    protected function getGuardKey(string $key): string
-    {
-        // Guard authenticators in the GuardAuthenticationManager are already indexed
-        // by an unique key
-        return $key;
-    }
 }