Create a new core AuthenticatorInterface

This is an iteration on the AuthenticatorInterface of the Guard, to allow more flexibility so it can be used as a real replaced of the authentication providers and listeners.
symfony · fabpot · Apr 21, 2020 · Sep 8, 2019 · 8000 Sep 8, 2019 · Sep 8, 2019
commit 5efa89239550057ff87edd3926562869f179626d
diff --git a/...Bundle/SecurityBundle/DependencyInjection/Security/Factory/EntryPointFactoryInterface.php b/...Bundle/SecurityBundle/DependencyInjection/Security/Factory/EntryPointFactoryInterface.php
@@ -0,0 +1,25 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
+
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ */
+interface EntryPointFactoryInterface
+{
+    /**
+     * Creates the entry point and returns the service ID.
+     */
+    public function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPointId): string;
+}
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php
@@ -22,7 +22,7 @@
  * @author Fabien Potencier <fabien@symfony.com>
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
  */
-class FormLoginFactory extends AbstractFactory implements GuardFactoryInterface
+class FormLoginFactory extends AbstractFactory implements GuardFactoryInterface, EntryPointFactoryInterface
 {
     public function __construct()
     {
@@ -84,7 +84,7 @@ protected function createListener(ContainerBuilder $container, string $id, array
         return $listenerId;
     }
 
-    protected function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPoint)
+    public function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPoint): string
     {
         $entryPointId = 'security.authentication.form_entry_point.'.$id;
         $container
@@ -105,7 +105,8 @@ public function createGuard(ContainerBuilder $container, string $id, array $conf
         $container
             ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.form_login'))
             ->replaceArgument(1, isset($config['csrf_token_generator']) ? new Reference($config['csrf_token_generator']) : null)
-            ->replaceArgument(3, $options);
+            ->replaceArgument(2, new Reference($userProviderId))
+            ->replaceArgument(4, $options);
 
         return $authenticatorId;
     }

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -11,6 +11,7 @@
 
 namespace Symfony\Bundle\SecurityBundle\DependencyInjection;
 
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\EntryPointFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\GuardFactoryInterface;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RememberMeFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\SecurityFactoryInterface;
@@ -516,6 +517,10 @@ private function createAuthenticationListeners(ContainerBuilder $container, stri
                         } else {
                             $authenticationProviders[$id.'_'.$key] = $authenticators;
                         }
+
+                        if ($factory instanceof EntryPointFactoryInterface) {
+                            $defaultEntryPoint = $factory->createEntryPoint($container, $id, $firewall[$key], $defaultEntryPoint);
+                        }
                     } else {
                         list($provider, $listenerId, $defaultEntryPoint) = $factory->create($container, $id, $firewall[$key], $userProvider, $defaultEntryPoint);
 

diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/authenticators.xml b/src/Symfony/Bundle/SecurityBundle/Resources/config/authenticators.xml
@@ -33,6 +33,7 @@
                  abstract="true">
             <argument type="service" id="security.http_utils" />
             <argument /> <!-- csrf token generator -->
+            <argument type="abstract">user provider</argument>
             <argument type="service" id="security.encoder_factory" />
             <argument type="abstract">options</argument>
         </service>

diff --git a/src/Symfony/Component/Security/Core/Authentication/Authenticator/AbstractAuthenticator.php b/src/Symfony/Component/Security/Core/Authentication/Authenticator/AbstractAuthenticator.php
@@ -0,0 +1,35 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Authenticator;
+
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Guard\Token\PostAuthenticationGuardToken;
+
+/**
+ * An optional base class that creates the necessary tokens for you.
+ *
+ * @author Ryan Weaver <ryan@knpuniversity.com>
+ */
+abstract class AbstractAuthenticator implements AuthenticatorInterface
+{
+    /**
+     * Shortcut to create a PostAuthenticationGuardToken for you, if you don't really
+     * care about which authenticated token you're using.
+     *
+     * @return PostAuthenticationGuardToken
+     */
+    public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface
+    {
+        return new PostAuthenticationGuardToken($user, $providerKey, $user->getRoles());
+    }
+}
diff --git a/...y/Component/Security/Core/Authentication/Authenticator/AbstractFormLoginAuthenticator.php b/...y/Component/Security/Core/Authentication/Authenticator/AbstractFormLoginAuthenticator.php
@@ -0,0 +1,62 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Authenticator;
+
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Security;
+use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+
+/**
+ * A base class to make form login authentication easier!
+ *
+ * @author Ryan Weaver <ryan@knpuniversity.com>
+ */
+abstract class AbstractFormLoginAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface
+{
+    /**
+     * Return the URL to the login page.
+     */
+    abstract protected function getLoginUrl(): string;
+
+    /**
+     * Override to change what happens after a bad username/password is submitted.
+     */
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
+    {
+        if ($request->hasSession()) {
+            $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
+        }
+
+        $url = $this->getLoginUrl();
+
+        return new RedirectResponse($url);
+    }
+
+    public function supportsRememberMe(): bool
+    {
+        return true;
+    }
+
+    /**
+     * Override to control what happens when the user hits a secure page
+     * but isn't logged in yet.
+     */
+    public function start(Request $request, AuthenticationException $authException = null): Response
+    {
+        $url = $this->getLoginUrl();
+
+        return new RedirectResponse($url);
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Authentication/Authenticator/AnonymousAuthenticator.php b/src/Symfony/Component/Security/Core/Authentication/Authenticator/AnonymousAuthenticator.php
@@ -1,5 +1,14 @@
 <?php
 
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 namespace Symfony\Component\Security\Core\Authentication\Authenticator;
 
 use Symfony\Component\HttpFoundation\Request;
@@ -9,9 +18,6 @@
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Core\User\UserInterface;
-use Symfony\Component\Security\Core\User\UserProviderInterface;
-use Symfony\Component\Security\Guard\AuthenticatorInterface;
-use Symfony\Component\Security\Guard\Token\GuardTokenInterface;
 
 /**
  * @author Wouter de Jong <wouter@wouterj.nl>
@@ -25,11 +31,6 @@ public function __construct(string $secret)
         $this->secret = $secret;
     }
 
-    public function start(Request $request, AuthenticationException $authException = null)
-    {
-        return new Response(null, Response::HTTP_UNAUTHORIZED);
-    }
-
     public function supports(Request $request): ?bool
     {
         return true;
@@ -40,27 +41,29 @@ public function getCredentials(Request $request)
         return [];
     }
 
-    public function getUser($credentials, UserProviderInterface $userProvider)
+    public function getUser($credentials): ?UserInterface
     {
         return new User('anon.', null);
     }
 
-    public function checkCredentials($credentials, UserInterface $user)
+    public function checkCredentials($credentials, UserInterface $user): bool
     {
         return true;
     }
 
-    public function createAuthenticatedToken(UserInterface $user, string $providerKey)
+    public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface
     {
         return new AnonymousToken($this->secret, 'anon.', []);
     }
 
-    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
     {
+        return null;
     }
 
-    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey)
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey): ?Response
     {
+        return null;
     }
 
     public function supportsRememberMe(): bool

diff --git a/src/Symfony/Component/Security/Core/Authentication/Authenticator/AuthenticatorInterface.php b/src/Symfony/Component/Security/Core/Authentication/Authenticator/AuthenticatorInterface.php
@@ -0,0 +1,129 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\Authenticator;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+/**
+ * The interface for all authenticators.
+ *
+ * @author Ryan Weaver <ryan@knpuniversity.com>
+ * @author Amaury Leroux de Lens <amaury@lerouxdelens.com>
+ * @author Wouter de Jong <wouter@wouterj.nl>
+ */
+interface AuthenticatorInterface
+{
+    /**
+     * Does the authenticator support the given Request?
+     *
+     * If this returns false, the authenticator will be skipped.
+     */
+    public function supports(Request $request): ?bool;
+
+    /**
+     * Get the authentication credentials from the request and return them
+     * as any type (e.g. an associate array).
+     *
+     * Whatever value you return here will be passed to getUser() and checkCredentials()
+     *
+     * For example, for a form login, you might:
+     *
+     *      return [
+     *          'username' => $request->request->get('_username'),
+     *          'password' => $request->request->get('_password'),
+     *      ];
+     *
+     * Or for an API token that's on a header, you might use:
+     *
+     *      return ['api_key' => $request->headers->get('X-API-TOKEN')];
+     *
+     * @return mixed Any non-null value
+     *
+     * @throws \UnexpectedValueException If null is returned
+     */
+    public function getCredentials(Request $request);
+
+    /**
+     * Return a UserInterface object based on the credentials.
+     *
+     * You may throw an AuthenticationException if you wish. If you return
+     * null, then a UsernameNotFoundException is thrown for you.
+     *
+     * @param mixed $credentials the value returned from getCredentials()
+     *
+     * @throws AuthenticationException
+     */
+    public function getUser($credentials): ?UserInterface;
+
+    /**
+     * Returns true if the credentials are valid.
+     *
+     * If false is returned, authentication will fail. You may also throw
+     * an AuthenticationException if you wish to cause authentication to fail.
+     *
+     * @param mixed $credentials the value returned from getCredentials()
+     *
+     * @throws AuthenticationException
+     */
+    public function checkCredentials($credentials, UserInterface $user): bool;
+
+    /**
+     * Create an authenticated token for the given user.
+     *
+     * If you don't care about which token class is used or don't really
+     * understand what a "token" is, you can skip this method by extending
+     * the AbstractAuthenticator class from your authenticator.
+     *
+     * @see AbstractAuthenticator
+     */
+    public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface;
+
+    /**
+     * Called when authentication executed, but failed (e.g. wrong username password).
+     *
+     * This should return the Response sent back to the user, like a
+     * RedirectResponse to the login page or a 403 response.
+     *
+     * If you return null, the request will continue, but the user will
+     * not be authenticated. This is probably not what you want to do.
+     */
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response;
+
+    /**
+     * Called when authentication executed and was successful!
+     *
+     * This should return the Response sent back to the user, like a
+     * RedirectResponse to the last page they visited.
+     *
+     * If you return null, the current request will continue, and the user
+     * will be authenticated. This makes sense, for example, with an API.
+     */
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey): ?Response;
+
+    /**
+     * Does this method support remember me cookies?
+     *
+     * Remember me cookie will be set if *all* of the following are met:
+     *  A) This method returns true
+     *  B) The remember_me key under your firewall is configured
+     *  C) The "remember me" functionality is activated. This is usually
+     *      done by having a _remember_me checkbox in your form, but
+     *      can be configured by the "always_remember_me" and "remember_me_parameter"
+     *      parameters under the "remember_me" firewall key
+     *  D) The onAuthenticationSuccess method returns a Response object
+     */
+    public function supportsRememberMe(): bool;
+}