Symfony security (#205)

* symfony security

actions-web.php

@@ -516,38 +516,6 @@ function changecity($userid, $city)
 }
 
 
-function resetpassword($number)
-{
-    global $db, $mailer;
-
-    $number = $db->escape(trim($number));
-
-   $result = $db->query("SELECT mail,userName FROM users WHERE number='$number'");
-    if (!$result->num_rows) {
-        response(_('No such user found.'), 1);
-    }
-
-    $row = $result->fetch_assoc();
-    $email = $row['mail'];
-    $username = $row['userName'];
-
-    $subject = _('Password reset');
-
-    mt_srand(crc32(microtime()));
-    $password = substr(md5(mt_rand() . microtime() . $email), 0, 8);
-
-    $result = $db->query("UPDATE users SET password=SHA2('$password',512) WHERE number='" . $number . "'");
-
-    $names = preg_split("/[\s,]+/", $username);
-    $firstname = $names[0];
-    $message = _('Hello') . ' ' . $firstname . ",\n\n" .
-    _('Your password has been reset successfully.') . "\n\n" .
-    _('Your new password is:') . "\n" . $password;
-
-    $mailer->sendMail($email, $subject, $message);
-    response(_('Your password has been reset successfully.') . ' ' . _('Check your email.'));
-}
-
 function mapgetmarkers($userId)
 {
     global $db, $configuration, $user;

admin.php

@@ -63,7 +63,7 @@
             <li><a href="<?= $configuration->get('systemURL'); ?>"><?= _('Map'); ?></a></li>
             <li class="active"><a href="<?= $configuration->get('systemURL'); ?>admin.php"><?= _('Admin'); ?></a></li>
 <?php if ($auth->isLoggedIn()): ?>
-            <li><a href="command.php?action=logout" id="logout"><?= _('Log out'); ?></a></li>
+            <li><a href="/logout" id="logout"><?= _('Log out'); ?></a></li>
 <?php endif; ?>
           </ul>
         </div><!--/.nav-collapse -->

command.php

@@ -6,7 +6,6 @@
 require_once 'actions-web.php';
 
 $userid = $auth->getUserId();
-$session = $auth->getSessionId();
 
 /**
  * @var RentSystemInterface $rentSystem
@@ -33,18 +32,6 @@
       $existing=trim($_GET["existing"]);
       register($number,$smscode,$checkcode,$fullname,$useremail,$password,$password2,$existing);
       break;
-   case "login":
-      $number=trim($_POST["number"]);
-      $number = $phonePurifier->purify($number);
-      $password=trim($_POST["password"]);
-      $auth->login($number,$password);
-      break;
-   case "logout":
-      $auth->logout();
-      break;
-   case "resetpassword":
-      resetpassword($_GET["number"]);
-      break;
    case "list":
       $stand=trim($_GET["stand"]);
       listbikes($stand);

composer.json

@@ -40,7 +40,8 @@
     "symfony/twig-bundle": "^5.4",
     "symfony/dotenv": "^5.4",
     "symfony/translation": "^5.4",
-    "symfony/asset": "^5.4"
+    "symfony/asset": "^5.4",
+    "symfony/security-bundle": "^5.4"
   },
   "require-dev": {
     "squizlabs/php_codesniffer": "^3.10|^4.0",

config/bundles.php

@@ -3,7 +3,8 @@
 declare(strict_types=1);
 
 return [
-    Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
-    Symfony\Bundle\MonologBundle\MonologBundle::class => ['all' => true],
+    \Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
+    \Symfony\Bundle\MonologBundle\MonologBundle::class => ['all' => true],
     \Symfony\Bundle\TwigBundle\TwigBundle::class  => ['all' => true],
+    \Symfony\Bundle\SecurityBundle\SecurityBundle::class => ['all' => true],
 ];

config/packages/framework.php

@@ -2,15 +2,20 @@
 
 declare(strict_types=1);
 
+use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Config\FrameworkConfig;
 
 return static function (FrameworkConfig $framework): void {
     $framework->phpErrors()
         ->throw(false);
 
     $framework->session()
-        ->storageFactoryId('session.storage.factory.php_bridge')
-        ->handlerId(null);
+        ->enabled(true)
+        ->handlerId(null)
+        ->cookieSecure('auto')
+        ->cookieSamesite(Cookie::SAMESITE_LAX)
+        ->storageFactoryId('session.storage.factory.native')
+    ;
 
     $framework->secret('%env(APP_SECRET)%');
 

config/packages/security.php

@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+use BikeShare\App\Security\TokenProvider;
+use BikeShare\App\Security\UserProvider;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
+use Symfony\Config\SecurityConfig;
+
+return function (SecurityConfig $security) {
+    $security
+        ->passwordHasher(PasswordAuthenticatedUserInterface::class)
+        ->algorithm('sha512')
+        ->encodeAsBase64(false)
+        ->iterations(1);
+
+    $security
+        ->provider('app_user_provider')
+        ->id(UserProvider::class);
+
+    $security
+        ->firewall('dev')
+        ->pattern('^/(_(profiler|wdt)|css|images|js)/')
+        ->security(false);
+
+    $mainFirewall = $security->firewall('main');
+    $mainFirewall->anonymous();
+    $mainFirewall
+        ->formLogin()
+        ->loginPath('login')
+        ->checkPath('login');
+    $mainFirewall
+        ->logout()
+        ->path('logout')
+        ->target('/');
+    $mainFirewall
+        ->rememberMe()
+        ->secret('%kernel.secret%')
+        ->lifetime(604800) // 1 week in seconds
+        ->tokenProvider(
+            [
+                'service' => TokenProvider::class,
+            ]
+        );
+
+    $security
+        ->accessControl()
+        ->path('^/login$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+    $security
+        ->accessControl()
+        ->path('^/(sms/)?receive.php$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+    $security
+        ->accessControl()
+        ->path('^/register.php$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+    $security
+        ->accessControl()
+        ->path('^/agree.php$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+    $security
+        ->accessControl()
+        ->path('^/resetPassword$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+
+    $security
+        ->accessControl()
+        ->path('^/')
+        ->roles(['ROLE_USER']);
+};

config/routes.php

@@ -19,4 +19,10 @@
         ->controller([\BikeShare\Controller\SmsRequestController::class, 'index']);
     $routes->add('agree', '/agree.php')
         ->controller([\BikeShare\Controller\AgreeController::class, 'index']);
+    $routes->add('login', '/login')
+        ->controller([\BikeShare\Controller\SecurityController::class, 'login']);
+    $routes->add('logout', '/logout')
+        ->controller([\BikeShare\Controller\SecurityController::class, 'logout']);
+    $routes->add('reset_password', '/resetPassword')
+        ->controller([\BikeShare\Controller\SecurityController::class, 'resetPassword']);
 };

config/services.php

@@ -50,6 +50,7 @@
             '../src/SmsConnector/SmsGateway/SmsGateway.php',
             '../src/App/Configuration.php',
             '../src/App/Kernel.php',
+            '../src/App/Entity',
         ]);
 
     $services->get(MysqliDb::class)

index.php

@@ -109,7 +109,7 @@
 		echo '</select></li>';
 	}
 
-	echo '<li><a href="command.php?action=logout" id="logout"><span class="glyphicon glyphicon-log-out"></span> ', _('Log out'), '</a></li>';
+	echo '<li><a href="/logout" id="logout"><span class="glyphicon glyphicon-log-out"></span> ', _('Log out'), '</a></li>';
 }
 ?>
    </ul>

public/js/functions.js

@@ -11,21 +11,13 @@ $(document).ready(function () {
     $('.bicycleactions').hide();
     $('#notetext').hide();
     $('#couponblock').hide();
-    $('#passwordresetblock').hide();
     $("#rent").hide();
     $(document).ajaxStart(function () {
         $('#overlay').show();
     });
     $(document).ajaxStop(function () {
         $('#overlay').hide();
     });
-    $("#password").focus(function () {
-        $('#passwordresetblock').show();
-    });
-    $("#resetpassword").click(function () {
-        if (window.ga) ga('send', 'event', 'buttons', 'click', 'password-reset');
-        resetpassword();
-    });
     $("#rent").click(function () {
         if (window.ga) ga('send', 'event', 'buttons', 'click', 'bike-rent');
         rent();
@@ -504,20 +496,6 @@ function validatecoupon() {
     });
 }
 
-function resetpassword() {
-    $('#passwordresetblock').hide();
-    if (sms == 0 && $('#number').val() > 0) {
-        $.ajax({
-            url: "command.php?action=resetpassword&number=" + $('#number').val()
-        }).done(function (jsonresponse) {
-            jsonobject = $.parseJSON(jsonresponse);
-            handleresponse(jsonobject);
-        });
-    } else if (sms == 1 && $('#number').val() > 0) {
-        window.location = "register.php#reset" + $('#number').val();
-    }
-}
-
 function attachbicycleinfo(element, attachto) {
     $('#' + attachto + ' .bikenumber').html($(element).attr('data-id'));
     // show warning, if exists:

scan.php

@@ -7,7 +7,6 @@
 
 $auth->refreshSession();
 $userid = $auth->getUserId();
-$session = $auth->getSessionId();
 
 if (!$auth->isLoggedIn()) {
     response("<h3>" . _('You are not logged in.') . "</h3>", ERROR);

src/App/Entity/User.php

@@ -0,0 +1,91 @@
+<?php
+
+declare(strict_types=1);
+
+namespace BikeShare\App\Entity;
+
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+class User implements UserInterface, PasswordAuthenticatedUserInterface
+{
+    private int $userId;
+    private string $number;
+    private string $password;
+    private string $city;
+    private string $userName;
+    private int $privileges;
+
+    public function __construct(
+        int $userId,
+        string $number,
+        string $email,
+        string $password,
+        string $city,
+        string $userName,
+        int $privileges
+    ) {
+        $this->userId = $userId;
+        $this->number = $number;
+        $this->email = $email;
+        $this->password = $password;
+        $this->city = $city;
+        $this->userName = $userName;
+        $this->privileges = $privileges;
+    }
+
+    public function getCity(): string
+    {
+        return $this->city;
+    }
+
+    public function getNumber(): string
+    {
+        return $this->number;
+    }
+
+    public function getEmail(): string
+    {
+        return $this->email;
+    }
+
+    public function getPrivileges(): int
+    {
+        return $this->privileges;
+    }
+
+    public function getUserId(): int
+    {
+        return $this->userId;
+    }
+
+    public function getUsername(): string
+    {
+        return $this->userName;
+    }
+
+    public function getPassword(): string
+    {
+        return $this->password;
+    }
+
+    public function getUserIdentifier(): string
+    {
+        return $this->number;
+    }
+
+    public function getRoles(): array
+    {
+        return ['ROLE_USER'];
+    }
+
+    public function getSalt(): ?string
+    {
+        return null;
+    }
+
+    public function eraseCredentials()
+    {
+        // If you store any temporary, sensitive data on the user, clear it here
+    }
+}