symfony security

cyklokoalicia · Nov 10, 2024 · f1f01e8 · f1f01e8
1 parent 5225021
commit f1f01e8
Show file tree

Hide file tree

Showing 20 changed files with 528 additions and 608 deletions.
diff --git a/admin.php b/admin.php
@@ -63,7 +63,7 @@
             <li><a href="<?= $configuration->get('systemURL'); ?>"><?= _('Map'); ?></a></li>
             <li class="active"><a href="<?= $configuration->get('systemURL'); ?>admin.php"><?= _('Admin'); ?></a></li>
 <?php if ($auth->isLoggedIn()): ?>
-            <li><a href="command.php?action=logout" id="logout"><?= _('Log out'); ?></a></li>
+            <li><a href="/logout" id="logout"><?= _('Log out'); ?></a></li>
 <?php endif; ?>
           </ul>
         </div><!--/.nav-collapse -->

diff --git a/command.php b/command.php
@@ -6,7 +6,6 @@
 require_once 'actions-web.php';
 
 $userid = $auth->getUserId();
-$session = $auth->getSessionId();
 
 /**
  * @var RentSystemInterface $rentSystem
@@ -33,15 +32,6 @@
       $existing=trim($_GET["existing"]);
       register($number,$smscode,$checkcode,$fullname,$useremail,$password,$password2,$existing);
       break;
-   case "login":
-      $number=trim($_POST["number"]);
-      $number = $phonePurifier->purify($number);
-      $password=trim($_POST["password"]);
-      $auth->login($number,$password);
-      break;
-   case "logout":
-      $auth->logout();
-      break;
    case "resetpassword":
       resetpassword($_GET["number"]);
       break;

diff --git a/composer.json b/composer.json
@@ -40,7 +40,8 @@
     "symfony/twig-bundle": "^5.4",
     "symfony/dotenv": "^5.4",
     "symfony/translation": "^5.4",
-    "symfony/asset": "^5.4"
+    "symfony/asset": "^5.4",
+    "symfony/security-bundle": "^5.4"
   },
   "require-dev": {
     "squizlabs/php_codesniffer": "^3.10|^4.0",

diff --git a/config/bundles.php b/config/bundles.php
@@ -3,7 +3,8 @@
 declare(strict_types=1);
 
 return [
-    Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
-    Symfony\Bundle\MonologBundle\MonologBundle::class => ['all' => true],
+    \Symfony\Bundle\FrameworkBundle\FrameworkBundle::class => ['all' => true],
+    \Symfony\Bundle\MonologBundle\MonologBundle::class => ['all' => true],
     \Symfony\Bundle\TwigBundle\TwigBundle::class  => ['all' => true],
+    \Symfony\Bundle\SecurityBundle\SecurityBundle::class => ['all' => true],
 ];
diff --git a/config/packages/framework.php b/config/packages/framework.php
@@ -2,15 +2,20 @@
 
 declare(strict_types=1);
 
+use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Config\FrameworkConfig;
 
 return static function (FrameworkConfig $framework): void {
     $framework->phpErrors()
         ->throw(false);
 
     $framework->session()
-        ->storageFactoryId('session.storage.factory.php_bridge')
-        ->handlerId(null);
+        ->enabled(true)
+        ->handlerId(null)
+        ->cookieSecure('auto')
+        ->cookieSamesite(Cookie::SAMESITE_LAX)
+        ->storageFactoryId('session.storage.factory.native')
+    ;
 
     $framework->secret('%env(APP_SECRET)%');
 

diff --git a/config/packages/security.php b/config/packages/security.php
@@ -0,0 +1,67 @@
+<?php
+
+declare(strict_types=1);
+
+use BikeShare\App\Security\TokenProvider;
+use BikeShare\App\Security\UserProvider;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
+use Symfony\Config\SecurityConfig;
+
+return function (SecurityConfig $security) {
+    $security
+        ->passwordHasher(PasswordAuthenticatedUserInterface::class)
+        ->algorithm('sha512')
+        ->encodeAsBase64(false)
+        ->iterations(1);
+
+    $security
+        ->provider('app_user_provider')
+        ->id(UserProvider::class);
+
+    $security
+        ->firewall('dev')
+        ->pattern('^/(_(profiler|wdt)|css|images|js)/')
+        ->security(false);
+
+    $mainFirewall = $security->firewall('main');
+    $mainFirewall->anonymous();
+    $mainFirewall
+        ->formLogin()
+        ->loginPath('login')
+        ->checkPath('login');
+    $mainFirewall
+        ->logout()
+        ->path('logout')
+        ->target('/');
+    $mainFirewall
+        ->rememberMe()
+        ->secret('%kernel.secret%')
+        ->lifetime(604800) // 1 week in seconds
+        ->tokenProvider(
+            [
+                'service' => TokenProvider::class,
+            ]
+        );
+
+    $security
+        ->accessControl()
+        ->path('^/login$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+    $security
+        ->accessControl()
+        ->path('^/(sms/)?receive.php$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+    $security
+        ->accessControl()
+        ->path('^/register.php$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+    $security
+        ->accessControl()
+        ->path('^/agree.php$')
+        ->roles(['IS_AUTHENTICATED_ANONYMOUSLY']);
+
+    $security
+        ->accessControl()
+        ->path('^/')
+        ->roles(['ROLE_USER']);
+};
diff --git a/config/routes.php b/config/routes.php
@@ -19,4 +19,9 @@
         ->controller([\BikeShare\Controller\SmsRequestController::class, 'index']);
     $routes->add('agree', '/agree.php')
         ->controller([\BikeShare\Controller\AgreeController::class, 'index']);
+    $routes->add('login', '/login')
+        ->controller([\BikeShare\Controller\SecurityController::class, 'login']);
+    $routes->add('logout', '/logout')
+        ->controller([\BikeShare\Controller\SecurityController::class, 'logout']);
+
 };
diff --git a/config/services.php b/config/services.php
@@ -50,6 +50,7 @@
             '../src/SmsConnector/SmsGateway/SmsGateway.php',
             '../src/App/Configuration.php',
             '../src/App/Kernel.php',
+            '../src/App/Entity',
         ]);
 
     $services->get(MysqliDb::class)

diff --git a/index.php b/index.php
@@ -109,7 +109,7 @@
 		echo '</select></li>';
 	}
 
-	echo '<li><a href="command.php?action=logout" id="logout"><span class="glyphicon glyphicon-log-out"></span> ', _('Log out'), '</a></li>';
+	echo '<li><a href="/logout" id="logout"><span class="glyphicon glyphicon-log-out"></span> ', _('Log out'), '</a></li>';
 }
 ?>
    </ul>

diff --git a/public/images/logo_small.svg b/public/images/logo_small.svg
diff --git a/scan.php b/scan.php
@@ -7,7 +7,6 @@
 
 $auth->refreshSession();
 $userid = $auth->getUserId();
-$session = $auth->getSessionId();
 
 if (!$auth->isLoggedIn()) {
     response("<h3>" . _('You are not logged in.') . "</h3>", ERROR);

diff --git a/src/App/Entity/User.php b/src/App/Entity/User.php
@@ -0,0 +1,82 @@
+<?php
+
+namespace BikeShare\App\Entity;
+
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+class User implements UserInterface, PasswordAuthenticatedUserInterface
+{
+    private int $userId;
+    private string $number;
+    private string $password;
+    private string $city;
+    private string $userName;
+    private int $privileges;
+
+    public function __construct(
+        int $userId,
+        string $number,
+        string $password,
+        string $city,
+        string $userName,
+        int $privileges
+    ) {
+        $this->userId = $userId;
+        $this->number = $number;
+        $this->password = $password;
+        $this->city = $city;
+        $this->userName = $userName;
+        $this->privileges = $privileges;
+    }
+
+    public function getCity(): string
+    {
+        return $this->city;
+    }
+
+    public function getNumber(): string
+    {
+        return $this->number;
+    }
+
+    public function getPrivileges(): int
+    {
+        return $this->privileges;
+    }
+
+    public function getUserId(): int
+    {
+        return $this->userId;
+    }
+
+    public function getUsername(): string
+    {
+        return $this->userName;
+    }
+
+    public function getPassword(): string
+    {
+        return $this->password;
+    }
+
+    public function getUserIdentifier(): string
+    {
+        return $this->number;
+    }
+
+    public function getRoles(): array
+    {
+        return ['ROLE_USER'];
+    }
+
+    public function getSalt(): ?string
+    {
+        return null;
+    }
+
+    public function eraseCredentials()
+    {
+        // If you store any temporary, sensitive data on the user, clear it here
+    }
+}
diff --git a/src/App/Security/TokenProvider.php b/src/App/Security/TokenProvider.php
@@ -0,0 +1,88 @@
+<?php
+
+namespace BikeShare\App\Security;
+
+use BikeShare\Db\DbInterface;
+use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
+use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentTokenInterface;
+use Symfony\Component\Security\Core\Authentication\RememberMe\TokenProviderInterface;
+use Symfony\Component\Security\Core\Exception\TokenNotFoundException;
+
+class TokenProvider implements TokenProviderInterface
+{
+    private $tokens = [];
+    private DbInterface $db;
+
+    public function __construct(
+        DbInterface $db
+    ) {
+        $this->db = $db;
+    }
+
+    public function loadTokenBySeries(string $series)
+    {
+        if (!isset($this->tokens[$series])) {
+            $result = $this->db->query(
+                "SELECT * FROM remember_me_tokens WHERE series='$series'"
+            );
+            if (!$result || $result->rowCount() == 0) {
+                throw new TokenNotFoundException('No token found.');
+            }
+
+            $row = $result->fetchAssoc();
+
+            $this->tokens[$series] = new PersistentToken(
+                $row['class'],
+                $row['username'],
+                $row['series'],
+                $row['value'],
+                new \DateTime($row['lastUsed'])
+            );
+        }
+
+        return $this->tokens[$series];
+
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function updateToken(string $series, string $tokenValue, \DateTime $lastUsed)
+    {
+        $currentToken = $this->loadTokenBySeries($series);
+
+        $token = new PersistentToken(
+            $currentToken->getClass(),
+            method_exists($currentToken, 'getUserIdentifier') ? $currentToken->getUserIdentifier() : $currentToken->getUsername(),
+            $series,
+            $tokenValue,
+            $lastUsed
+        );
+        $this->tokens[$series] = $token;
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function deleteTokenBySeries(string $series)
+    {
+        $this->db->query(
+            "DELETE FROM remember_me_tokens WHERE series='$series'"
+        );
+
+        unset($this->tokens[$series]);
+    }
+
+    /**
+     * {@inheritdoc}
+     */
+    public function createNewToken(PersistentTokenInterface $token)
+    {
+        $this->db->query(
+            "INSERT INTO remember_me_tokens (class, username, series, value, lastUsed) 
+            VALUES ('{$token->getClass()}', '{$token->getUsername()}', '{$token->getSeries()}', '{$token->getTokenValue()}', '{$token->getLastUsed()->format('Y-m-d H:i:s')}')"
+        );
+
+        $this->tokens[$token->getSeries()] = $token;
+    }
+}