Introduce Passport & Badges to extend authenticators

Author: wouterj

Authentication/AuthenticatorManager.php

@@ -19,11 +19,13 @@
 use Symfony\Component\Security\Core\AuthenticationEvents;
 use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\Exception\BadCredentialsException;
-use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\InteractiveAuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\AnonymousPassport;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\BadgeInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
 use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
@@ -60,13 +62,16 @@ public function __construct(iterable $authenticators, TokenStorageInterface $tok
         $this->eraseCredentials = $eraseCredentials;
     }
 
-    public function authenticateUser(UserInterface $user, AuthenticatorInterface $authenticator, Request $request): ?Response
+    /**
+     * @param BadgeInterface[] $badges Optionally, pass some Passport badges to use for the manual login
+     */
+    public function authenticateUser(UserInterface $user, AuthenticatorInterface $authenticator, Request $request, array $badges = []): ?Response
     {
         // create an authenticated token for the User
-        $token = $authenticator->createAuthenticatedToken($user, $this->providerKey);
+        $token = $authenticator->createAuthenticatedToken($passport = new SelfValidatingPassport($user, $badges), $this->providerKey);
 
         // authenticate this in the system
-        return $this->handleAuthenticationSuccess($token, $request, $authenticator);
+        return $this->handleAuthenticationSuccess($token, $passport, $request, $authenticator);
     }
 
     public function supports(Request $request): ?bool
@@ -133,7 +138,7 @@ private function executeAuthenticators(array $authenticators, Request $request):
                 continue;
             }
 
-            $response = $this->executeAuthenticator($key, $authenticator, $request);
+            $response = $this->executeAuthenticator($authenticator, $request);
             if (null !== $response) {
                 if (null !== $this->logger) {
                     $this->logger->debug('The "{authenticator}" authenticator set the response. Any later authenticator will not be called', ['authenticator' => \get_class($authenticator)]);
@@ -146,29 +151,35 @@ private function executeAuthenticators(array $authenticators, Request $request):
         return null;
     }
 
-    private function executeAuthenticator(string $uniqueAuthenticatorKey, AuthenticatorInterface $authenticator, Request $request): ?Response
+    private function executeAuthenticator(AuthenticatorInterface $authenticator, Request $request): ?Response
     {
         try {
-            if (null !== $this->logger) {
-                $this->logger->debug('Calling getCredentials() on authenticator.', ['firewall_key' => $this->providerKey, 'authenticator' => \get_class($authenticator)]);
-            }
+            // get the passport from the Authenticator
+            $passport = $authenticator->authenticate($request);
+
+            // check the passport (e.g. password checking)
+            $event = new VerifyAuthenticatorCredentialsEvent($authenticator, $passport);
+            $this->eventDispatcher->dispatch($event);
 
-            // allow the authenticator to fetch authentication info from the request
-            $credentials = $authenticator->getCredentials($request);
+            // check if all badges are resolved
+            $passport->checkIfCompletelyResolved();
 
-            if (null === $credentials) {
-                throw new \UnexpectedValueException(sprintf('The return value of "%1$s::getCredentials()" must not be null. Return false from "%1$s::supports()" instead.', \get_class($authenticator)));
+            // create the authenticated token
+            $authenticatedToken = $authenticator->createAuthenticatedToken($passport, $this->providerKey);
+            if (true === $this->eraseCredentials) {
+                $authenticatedToken->eraseCredentials();
             }
 
-            // authenticate the credentials (e.g. check password)
-            $token = $this->authenticateViaAuthenticator($authenticator, $credentials);
+            if (null !== $this->eventDispatcher) {
+                $this->eventDispatcher->dispatch(new AuthenticationSuccessEvent($authenticatedToken), AuthenticationEvents::AUTHENTICATION_SUCCESS);
+            }
 
             if (null !== $this->logger) {
-                $this->logger->info('Authenticator successful!', ['token' => $token, 'authenticator' => \get_class($authenticator)]);
+                $this->logger->info('Authenticator successful!', ['token' => $authenticatedToken, 'authenticator' => \get_class($authenticator)]);
             }
 
             // success! (sets the token on the token storage, etc)
-            $response = $this->handleAuthenticationSuccess($token, $request, $authenticator);
+            $response = $this->handleAuthenticationSuccess($authenticatedToken, $passport, $request, $authenticator);
             if ($response instanceof Response) {
                 return $response;
             }
@@ -189,35 +200,7 @@ private function executeAuthenticator(string $uniqueAuthenticatorKey, Authentica
         }
     }
 
-    private function authenticateViaAuthenticator(AuthenticatorInterface $authenticator, $credentials): TokenInterface
-    {
-        // get the user from the Authenticator
-        $user = $authenticator->getUser($credentials);
-        if (null === $user) {
-            throw new UsernameNotFoundException(sprintf('Null returned from "%s::getUser()".', \get_class($authenticator)));
-        }
-
-        $event = new VerifyAuthenticatorCredentialsEvent($authenticator, $credentials, $user);
-        $this->eventDispatcher->dispatch($event);
-        if (true !== $event->areCredentialsValid()) {
-            throw new BadCredentialsException(sprintf('Authentication failed because "%s" did not approve the credentials.', \get_class($authenticator)));
-        }
-
-        // turn the UserInterface into a TokenInterface
-        $authenticatedToken = $authenticator->createAuthenticatedToken($user, $this->providerKey);
-
-        if (true === $this->eraseCredentials) {
-            $authenticatedToken->eraseCredentials();
-        }
-
-        if (null !== $this->eventDispatcher) {
-            $this->eventDispatcher->dispatch(new AuthenticationSuccessEvent($authenticatedToken), AuthenticationEvents::AUTHENTICATION_SUCCESS);
-        }
-
-        return $authenticatedToken;
-    }
-
-    private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, Request $request, AuthenticatorInterface $authenticator): ?Response
+    private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator): ?Response
     {
         $this->tokenStorage->setToken($authenticatedToken);
 
@@ -227,7 +210,11 @@ private function handleAuthenticationSuccess(TokenInterface $authenticatedToken,
             $this->eventDispatcher->dispatch($loginEvent, SecurityEvents::INTERACTIVE_LOGIN);
         }
 
-        $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $authenticatedToken, $request, $response, $this->providerKey));
+        if ($passport instanceof AnonymousPassport) {
+            return $response;
+        }
+
+        $this->eventDispatcher->dispatch($loginSuccessEvent = new LoginSuccessEvent($authenticator, $passport, $authenticatedToken, $request, $response, $this->firewallName));
 
         return $loginSuccessEvent->getResponse();
     }

Authenticator/AbstractAuthenticator.php

@@ -12,7 +12,9 @@
 namespace Symfony\Component\Security\Http\Authenticator;
 
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
-use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\Exception\LogicException;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\UserPassportInterface;
 use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken;
 
 /**
@@ -30,8 +32,12 @@ abstract class AbstractAuthenticator implements AuthenticatorInterface
      *
      * @return PostAuthenticationToken
      */
-    public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface
+    public function createAuthenticatedToken(PassportInterface $passport, string $providerKey): TokenInterface
     {
-        return new PostAuthenticationToken($user, $providerKey, $user->getRoles());
+        if (!$passport instanceof UserPassportInterface) {
+            throw new LogicException(sprintf('Passport does not contain a user, overwrite "createAuthenticatedToken()" in "%s" to create a custom authenticated token.', \get_class($this)));
+        }
+
+        return new PostAuthenticationToken($passport->getUser(), $providerKey, $passport->getUser()->getRoles());
     }
 }

Authenticator/AbstractLoginFormAuthenticator.php

@@ -25,7 +25,7 @@
  *
  * @experimental in 5.1
  */
-abstract class AbstractLoginFormAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface, RememberMeAuthenticatorInterface, InteractiveAuthenticatorInterface
+abstract class AbstractLoginFormAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface, InteractiveAuthenticatorInterface
 {
     /**
      * Return the URL to the login page.
@@ -57,11 +57,6 @@ public function start(Request $request, AuthenticationException $authException =
         return new RedirectResponse($url);
     }
 
-    public function supportsRememberMe(): bool
-    {
-        return true;
-    }
-
     public function isInteractive(): bool
     {
         return true;

Authenticator/AbstractPreAuthenticatedAuthenticator.php

@@ -19,8 +19,10 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
-use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PreAuthenticatedUserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 
 /**
  * The base authenticator for authenticators to use pre-authenticated
@@ -32,7 +34,7 @@
  * @internal
  * @experimental in Symfony 5.1
  */
-abstract class AbstractPreAuthenticatedAuthenticator implements InteractiveAuthenticatorInterface, CustomAuthenticatedInterface
+abstract class AbstractPreAuthenticatedAuthenticator implements InteractiveAuthenticatorInterface
 {
     private $userProvider;
     private $tokenStorage;
@@ -63,15 +65,15 @@ public function supports(Request $request): ?bool
             $this->clearToken($e);
 
             if (null !== $this->logger) {
-                $this->logger->debug('Skipping pre-authenticated authenticator as a BadCredentialsException is thrown.', ['exception' => $e, 'authenticator' => \get_class($this)]);
+                $this->logger->debug('Skipping pre-authenticated authenticator as a BadCredentialsException is thrown.', ['exception' => $e, 'authenticator' => static::class]);
             }
 
             return false;
         }
 
         if (null === $username) {
             if (null !== $this->logger) {
-                $this->logger->debug('Skipping pre-authenticated authenticator no username could be extracted.', ['authenticator' => \get_class($this)]);
+                $this->logger->debug('Skipping pre-authenticated authenticator no username could be extracted.', ['authenticator' => static::class]);
             }
 
             return false;
@@ -82,27 +84,17 @@ public function supports(Request $request): ?bool
         return true;
     }
 
-    public function getCredentials(Request $request)
+    public function authenticate(Request $request): PassportInterface
     {
-        return [
-            'username' => $request->attributes->get('_pre_authenticated_username'),
-        ];
-    }
-
-    public function getUser($credentials): ?UserInterface
-    {
-        return $this->userProvider->loadUserByUsername($credentials['username']);
-    }
+        $username = $request->attributes->get('_pre_authenticated_username');
+        $user = $this->userProvider->loadUserByUsername($username);
 
-    public function checkCredentials($credentials, UserInterface $user): bool
-    {
-        // the user is already authenticated before it entered Symfony
-        return true;
+        return new SelfValidatingPassport($user, [new PreAuthenticatedUserBadge()]);
     }
 
-    public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface
+    public function createAuthenticatedToken(PassportInterface $passport, string $providerKey): TokenInterface
     {
-        return new PreAuthenticatedToken($user, null, $providerKey);
+        return new PreAuthenticatedToken($passport->getUser(), null, $providerKey, $passport->getUser()->getRoles());
     }
 
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey): ?Response

Authenticator/AnonymousAuthenticator.php

@@ -17,8 +17,8 @@
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
-use Symfony\Component\Security\Core\User\User;
-use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\AnonymousPassport;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
 
 /**
  * @author Wouter de Jong <wouter@wouterj.nl>
@@ -27,7 +27,7 @@
  * @final
  * @experimental in 5.1
  */
-class AnonymousAuthenticator implements AuthenticatorInterface, CustomAuthenticatedInterface
+class AnonymousAuthenticator implements AuthenticatorInterface
 {
     private $secret;
     private $tokenStorage;
@@ -45,23 +45,12 @@ public function supports(Request $request): ?bool
         return null === $this->tokenStorage->getToken() ? null : false;
     }
 
-    public function getCredentials(Request $request)
+    public function authenticate(Request $request): PassportInterface
     {
-        return [];
+        return new AnonymousPassport();
     }
 
-    public function checkCredentials($credentials, UserInterface $user): bool
-    {
-        // anonymous users do not have credentials
-        return true;
-    }
-
-    public function getUser($credentials): ?UserInterface
-    {
-        return new User('anon.', null);
-    }
-
-    public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface
+    public function createAuthenticatedToken(PassportInterface $passport, string $providerKey): TokenInterface
     {
         return new AnonymousToken($this->secret, 'anon.', []);
     }