Added remember me functionality

Author: wouterj

Authenticator/AbstractLoginFormAuthenticator.php

@@ -25,7 +25,7 @@
  *
  * @experimental in 5.1
  */
-abstract class AbstractLoginFormAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface
+abstract class AbstractLoginFormAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface, RememberMeAuthenticatorInterface
 {
     /**
      * Return the URL to the login page.
@@ -46,11 +46,6 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
         return new RedirectResponse($url);
     }
 
-    public function supportsRememberMe(): bool
-    {
-        return true;
-    }
-
     /**
      * Override to control what happens when the user hits a secure page
      * but isn't logged in yet.
@@ -61,4 +56,9 @@ public function start(Request $request, AuthenticationException $authException =
 
         return new RedirectResponse($url);
     }
+
+    public function supportsRememberMe(): bool
+    {
+        return true;
+    }
 }

Authenticator/AnonymousAuthenticator.php

@@ -75,9 +75,4 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
     {
         return null;
     }
-
-    public function supportsRememberMe(): bool
-    {
-        return false;
-    }
 }

Authenticator/AuthenticatorInterface.php

@@ -102,18 +102,4 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
      * will be authenticated. This makes sense, for example, with an API.
      */
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey): ?Response;
-
-    /**
-     * Does this method support remember me cookies?
-     *
-     * Remember me cookie will be set if *all* of the following are met:
-     *  A) This method returns true
-     *  B) The remember_me key under your firewall is configured
-     *  C) The "remember me" functionality is activated. This is usually
-     *      done by having a _remember_me checkbox in your form, but
-     *      can be configured by the "always_remember_me" and "remember_me_parameter"
-     *      parameters under the "remember_me" firewall key
-     *  D) The onAuthenticationSuccess method returns a Response object
-     */
-    public function supportsRememberMe(): bool;
 }

Authenticator/HttpBasicAuthenticator.php

@@ -94,9 +94,4 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
 
         return $this->start($request, $exception);
     }
-
-    public function supportsRememberMe(): bool
-    {
-        return false;
-    }
 }

Authenticator/RememberMeAuthenticator.php

@@ -0,0 +1,110 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authenticator\Token;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices;
+use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
+
+/**
+ * The RememberMe *Authenticator* performs remember me authentication.
+ *
+ * This authenticator is executed whenever a user's session
+ * expired and a remember me cookie was found. This authenticator
+ * then "re-authenticates" the user using the information in the
+ * cookie.
+ *
+ * @author Johannes M. Schmitt <schmittjoh@gmail.com>
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ *
+ * @final
+ */
+class RememberMeAuthenticator implements AuthenticatorInterface
+{
+    private $rememberMeServices;
+    private $secret;
+    private $tokenStorage;
+    private $options;
+    private $sessionStrategy;
+
+    public function __construct(AbstractRememberMeServices $rememberMeServices, string $secret, TokenStorageInterface $tokenStorage, array $options, ?SessionAuthenticationStrategy $sessionStrategy = null)
+    {
+        $this->rememberMeServices = $rememberMeServices;
+        $this->secret = $secret;
+        $this->tokenStorage = $tokenStorage;
+        $this->options = $options;
+        $this->sessionStrategy = $sessionStrategy;
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        // do not overwrite already stored tokens (i.e. from the session)
+        if (null !== $this->tokenStorage->getToken()) {
+            return false;
+        }
+
+        if (($cookie = $request->attributes->get(AbstractRememberMeServices::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
+            return false;
+        }
+
+        if (!$request->cookies->has($this->options['name'])) {
+            return false;
+        }
+
+        // the `null` return value indicates that this authenticator supports lazy firewalls
+        return null;
+    }
+
+    public function getCredentials(Request $request)
+    {
+        return [
+            'cookie_parts' => explode(AbstractRememberMeServices::COOKIE_DELIMITER, base64_decode($request->cookies->get($this->options['name']))),
+            'request' => $request,
+        ];
+    }
+
+    /**
+     * @param array $credentials
+     */
+    public function getUser($credentials): ?UserInterface
+    {
+        return $this->rememberMeServices->performLogin($credentials['cookie_parts'], $credentials['request']);
+    }
+
+    public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface
+    {
+        return new RememberMeToken($user, $providerKey, $this->secret);
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        $this->rememberMeServices->loginFail($request, $exception);
+
+        return null;
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey): ?Response
+    {
+        if ($request->hasSession() && $request->getSession()->isStarted()) {
+            $this->sessionStrategy->onAuthentication($request, $token);
+        }
+
+        return null;
+    }
+}

Authenticator/RememberMeAuthenticatorInterface.php

@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authenticator;
+
+/**
+ * This interface must be extended if the authenticator supports remember me functionality.
+ *
+ * Remember me cookie will be set if *all* of the following are met:
+ *  A) SupportsRememberMe() returns true in the successful authenticator
+ *  B) The remember_me key under your firewall is configured
+ *  C) The "remember me" functionality is activated. This is usually
+ *      done by having a _remember_me checkbox in your form, but
+ *      can be configured by the "always_remember_me" and "remember_me_parameter"
+ *      parameters under the "remember_me" firewall key
+ *  D) The onAuthenticationSuccess method returns a Response object
+ *
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ */
+interface RememberMeAuthenticatorInterface
+{
+    public function supportsRememberMe(): bool;
+}

EventListener/RememberMeListener.php

@@ -5,35 +5,38 @@
 use Psr\Log\LoggerInterface;
 use Symfony\Component\EventDispatcher\EventSubscriberInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\RememberMeAuthenticatorInterface;
 use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
 
 /**
+ * The RememberMe *listener* creates and deletes remember me cookies.
+ *
+ * Upon login success or failure and support for remember me
+ * in the firewall and authenticator, this listener will create
+ * a remember me cookie.
+ * Upon login failure, all remember me cookies are removed.
+ *
  * @author Wouter de Jong <wouter@wouterj.nl>
  *
  * @final
  * @experimental in 5.1
  */
 class RememberMeListener implements EventSubscriberInterface
 {
+    private $rememberMeServices;
     private $providerKey;
     private $logger;
-    /** @var RememberMeServicesInterface|null */
-    private $rememberMeServices;
 
-    public function __construct(string $providerKey, ?LoggerInterface $logger = null)
+    public function __construct(RememberMeServicesInterface $rememberMeServices, string $providerKey, ?LoggerInterface $logger = null)
     {
+        $this->rememberMeServices = $rememberMeServices;
         $this->providerKey = $providerKey;
         $this->logger = $logger;
     }
 
 
-    public function setRememberMeServices(RememberMeServicesInterface $rememberMeServices): void
-    {
-        $this->rememberMeServices = $rememberMeServices;
-    }
-
     public function onSuccessfulLogin(LoginSuccessEvent $event): void
     {
         if (!$this->isRememberMeEnabled($event->getAuthenticator(), $event->getProviderKey())) {
@@ -59,15 +62,7 @@ private function isRememberMeEnabled(AuthenticatorInterface $authenticator, stri
             return false;
         }
 
-        if (null === $this->rememberMeServices) {
-            if (null !== $this->logger) {
-                $this->logger->debug('Remember me skipped: it is not configured for the firewall.', ['authenticator' => \get_class($authenticator)]);
-            }
-
-            return false;
-        }
-
-        if (!$authenticator->supportsRememberMe()) {
+        if (!$authenticator instanceof RememberMeAuthenticatorInterface || !$authenticator->supportsRememberMe()) {
             if (null !== $this->logger) {
                 $this->logger->debug('Remember me skipped: your authenticator does not support it.', ['authenticator' => \get_class($authenticator)]);
             }

RememberMe/AbstractRememberMeServices.php

@@ -89,6 +89,11 @@ public function getSecret()
         return $this->secret;
     }
 
+    public function performLogin(array $cookieParts, Request $request): UserInterface
+    {
+        return $this->processAutoLoginCookie($cookieParts, $request);
+    }
+
     /**
      * Implementation of RememberMeServicesInterface. Detects whether a remember-me
      * cookie was set, decodes it, and hands it to subclasses for further processing.