skobkin/magnetico-web
1
1
Fork 0
Code Issues Pull requests 2 Releases Activity

#27 App\Api\V1\Controller\SecurityController upgraded due to changes in ApiTokenAuthenticator. framework.router.utf8 set to true.
All checks were successful
continuous-integration/drone/push Build is passing
Details
continuous-integration/drone/pr Build is passing
Details

Browse source
This commit is contained in:
Alexey Skobkin 2022-07-21 02:05:04 +03:00
parent 0a152bc19b
commit 38bb2530eb
No known key found for this signature in database
GPG key ID: 5D5CEF6F221278E7
4 changed files with 32 additions and 30 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
config/packages/framework.yaml
View file

@ -7,6 +7,9 @@ framework:
# https://symfony.com/doc/5.4/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly # https://symfony.com/doc/5.4/deployment/proxies.html#but-what-if-the-ip-of-my-reverse-proxy-changes-constantly
trusted_proxies: '%env(TRUSTED_PROXIES)%' trusted_proxies: '%env(TRUSTED_PROXIES)%'
router:
utf8: true
# Enables session support. Note that the session will ONLY be started if you read or write from it. # Enables session support. Note that the session will ONLY be started if you read or write from it.
# Remove or comment this section to explicitly disable session support. # Remove or comment this section to explicitly disable session support.
session: session:

2
src/Api/V1/Controller/AbstractApiController.php
View file

@ -11,7 +11,7 @@ abstract class AbstractApiController extends AbstractController
{ {
protected const DEFAULT_SERIALIZER_GROUPS = ['api']; protected const DEFAULT_SERIALIZER_GROUPS = ['api'];
protected function createJsonResponse($data, array $groups = [], int $code = Response::HTTP_OK, string $message = null, string $status = ''): JsonResponse protected function createJsonResponse($data = null, array $groups = [], int $code = Response::HTTP_OK, string $message = null, string $status = ''): JsonResponse
{ {
return $this->json(new ApiResponse($data, $code, $message, $status), $code, [], [ return $this->json(new ApiResponse($data, $code, $message, $status), $code, [], [
'groups' => array_merge(self::DEFAULT_SERIALIZER_GROUPS,$groups), 'groups' => array_merge(self::DEFAULT_SERIALIZER_GROUPS,$groups),

32
src/Api/V1/Controller/SecurityController.php
View file

@ -5,11 +5,10 @@ namespace App\Api\V1\Controller;
use App\Entity\{ApiToken, User}; use App\Entity\{ApiToken, User};
use App\Repository\{ApiTokenRepository, UserRepository}; use App\Repository\{ApiTokenRepository, UserRepository};
use App\Security\Token\AuthenticatedApiToken; use App\Security\ApiTokenAuthenticator;
use Doctrine\ORM\EntityManagerInterface; use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\HttpFoundation\{JsonResponse, Request}; use Symfony\Component\HttpFoundation\{JsonResponse, Request};
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface; use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
class SecurityController extends AbstractApiController class SecurityController extends AbstractApiController
{ {
@ -18,18 +17,18 @@ class SecurityController extends AbstractApiController
EntityManagerInterface $em, EntityManagerInterface $em,
UserRepository $userRepo, UserRepository $userRepo,
ApiTokenRepository $tokenRepo, ApiTokenRepository $tokenRepo,
UserPasswordEncoderInterface $passwordEncoder UserPasswordHasherInterface $passwordHasher,
): JsonResponse { ): JsonResponse {
$username = $request->request->get('username'); $username = $request->request->get('username');
$password = $request->request->get('password'); $password = $request->request->get('password');
/** @var User $user */ /** @var User $user */
if (null === $user = $userRepo->findOneBy(['username' => $username])) { if (null === $user = $userRepo->findOneBy(['username' => $username])) {
return $this->createJsonResponse(null, [], JsonResponse::HTTP_UNAUTHORIZED, 'User not found'); return $this->createJsonResponse(code: JsonResponse::HTTP_UNAUTHORIZED, message: 'User not found');
} }
if (!$passwordEncoder->isPasswordValid($user, $password)) { if (!$passwordHasher->isPasswordValid($user, $password)) {
return $this->createJsonResponse(null, [], JsonResponse::HTTP_UNAUTHORIZED, 'Invalid password'); return $this->createJsonResponse(code: JsonResponse::HTTP_UNAUTHORIZED, message: 'Invalid password');
} }
$apiToken = new ApiToken($user); $apiToken = new ApiToken($user);
@ -38,28 +37,19 @@ class SecurityController extends AbstractApiController
try { try {
$em->flush(); $em->flush();
} catch (\Exception $ex) { } catch (\Exception $ex) {
return $this->createJsonResponse(null, [], JsonResponse::HTTP_INTERNAL_SERVER_ERROR, 'Token persisting error'); return $this->createJsonResponse(code: JsonResponse::HTTP_INTERNAL_SERVER_ERROR, message: 'Token persisting error');
} }
return $this->createJsonResponse($apiToken->getKey()); return $this->createJsonResponse($apiToken->getKey());
} }
public function logout(TokenStorageInterface $tokenStorage, ApiTokenRepository $apiTokenRepo, EntityManagerInterface $em): JsonResponse public function logout(Request $request, ApiTokenRepository $apiTokenRepo, EntityManagerInterface $em): JsonResponse {
{ if (null === $tokenKey = ApiTokenAuthenticator::getTokenKeyFromRequest($request)) {
if (null === $token = $tokenStorage->getToken()) { return $this->createJsonResponse(null, code:JsonResponse::HTTP_INTERNAL_SERVER_ERROR, message: 'No API token provided.');
return $this->createJsonResponse(null,[],JsonResponse::HTTP_INTERNAL_SERVER_ERROR, 'Can\'t retrieve user token.');
}
if (!$token instanceof AuthenticatedApiToken) {
return $this->createJsonResponse(null, [], JsonResponse::HTTP_INTERNAL_SERVER_ERROR, 'Invalid session token type retrieved.');
}
if (null === $tokenKey = $token->getTokenKey()) {
return $this->createJsonResponse(null,[],JsonResponse::HTTP_INTERNAL_SERVER_ERROR, 'Can\'t retrieve token key from the session.');
} }
if (null === $apiToken = $apiTokenRepo->findOneBy(['key' => $tokenKey])) { if (null === $apiToken = $apiTokenRepo->findOneBy(['key' => $tokenKey])) {
return $this->createJsonResponse(null,[],JsonResponse::HTTP_INTERNAL_SERVER_ERROR, 'API token with such key not found in the database.'); return $this->createJsonResponse(null, code:JsonResponse::HTTP_INTERNAL_SERVER_ERROR, message: 'API token with such key not found in the database.');
} }
$em->remove($apiToken); $em->remove($apiToken);

25
src/Security/ApiTokenAuthenticator.php
View file

@ -32,18 +32,12 @@ class ApiTokenAuthenticator extends AbstractAuthenticator
*/ */
public function supports(Request $request): bool public function supports(Request $request): bool
{ {
// Let's also support cookies and query params for some cases like torrent clients. return static::requestHasToken($request);
return $request->headers->has(self::TOKEN_HEADER) ||
$request->cookies->has(self::TOKEN_HEADER) ||
$request->query->has(self::TOKEN_HEADER);
} }
public function authenticate(Request $request): Passport public function authenticate(Request $request): Passport
{ {
$tokenKey = $request?->headers?->get(self::TOKEN_HEADER) ?: $tokenKey = static::getTokenKeyFromRequest($request);
$request?->cookies?->get(self::TOKEN_HEADER) ?:
$request?->query?->get(self::TOKEN_HEADER)
;
if (null === $tokenKey) { if (null === $tokenKey) {
throw new CustomUserMessageAuthenticationException('No API token provided'); throw new CustomUserMessageAuthenticationException('No API token provided');
@ -73,4 +67,19 @@ class ApiTokenAuthenticator extends AbstractAuthenticator
return new JsonResponse($json, JsonResponse::HTTP_UNAUTHORIZED, json: true); return new JsonResponse($json, JsonResponse::HTTP_UNAUTHORIZED, json: true);
} }
public static function getTokenKeyFromRequest(Request $request): ?string
{
$request?->headers?->get(self::TOKEN_HEADER) ?:
$request?->cookies?->get(self::TOKEN_HEADER) ?:
$request?->query?->get(self::TOKEN_HEADER);
}
public static function requestHasToken(Request $request): bool
{
// Let's also support cookies and query params for some cases like torrent clients.
return $request->headers->has(self::TOKEN_HEADER) ||
$request->cookies->has(self::TOKEN_HEADER) ||
$request->query->has(self::TOKEN_HEADER);
}
} }