BookStack Code Mirror - bookstack/blobdiff - app/Auth/Access/LoginService.php

use BookStack\Actions\ActivityType;

use BookStack\Auth\Access\Mfa\MfaSession;

use BookStack\Auth\User;

use BookStack\Actions\ActivityType;

use BookStack\Auth\Access\Mfa\MfaSession;

use BookStack\Auth\User;

+use BookStack\Exceptions\StoppedAuthenticationException;

use BookStack\Facades\Activity;

use BookStack\Facades\Theme;

use BookStack\Theming\ThemeEvents;

use BookStack\Facades\Activity;

use BookStack\Facades\Theme;

use BookStack\Theming\ThemeEvents;

+use Exception;

class LoginService

{

class LoginService

{

+ protected const LAST_LOGIN_ATTEMPTED_SESSION_KEY = 'auth-login-last-attempted';

protected $mfaSession;

+ protected $emailConfirmationService;

- public function __construct(MfaSession $mfaSession)

+ public function __construct(MfaSession $mfaSession, EmailConfirmationService $emailConfirmationService)

{

$this->mfaSession = $mfaSession;

{

$this->mfaSession = $mfaSession;

+ $this->emailConfirmationService = $emailConfirmationService;

}

-

/**

* Log the given user into the system.

* Will start a login of the given user but will prevent if there's

* a reason to (MFA or Unconfirmed Email).

* Returns a boolean to indicate the current login result.

/**

* Log the given user into the system.

* Will start a login of the given user but will prevent if there's

* a reason to (MFA or Unconfirmed Email).

* Returns a boolean to indicate the current login result.

+ *

+ * @throws StoppedAuthenticationException

*/

- public function login(User $user, string $method): bool

+ public function login(User $user, string $method, bool $remember = false): void

{

if ($this->awaitingEmailConfirmation($user) || $this->needsMfaVerification($user)) {

{

if ($this->awaitingEmailConfirmation($user) || $this->needsMfaVerification($user)) {

- // TODO - Remember who last attempted a login so we can use them after such

- // a email confirmation or mfa verification step.

- // Create a method to fetch that attempted user for use by the email confirmation

- // or MFA verification services.

- // Also will need a method to 'reattemptLastAttempted' login for once

- // the email confirmation of MFA verification steps have passed.

- // Must ensure this remembered last attempted login is cleared upon successful login.

-

- // TODO - Does 'remember' still work? Probably not right now.

-

- // Old MFA middleware todos:

-

- // TODO - Need to redirect to setup if not configured AND ONLY IF NO OPTIONS CONFIGURED

- // Might need to change up such routes to start with /configure/ for such identification.

- // (Can't allow access to those if already configured)

- // TODO - Store mfa_pass into session for future requests?

-

- // TODO - Handle email confirmation handling

- // Left BookStack\Http\Middleware\Authenticate@emailConfirmationErrorResponse in which needs

- // be removed as an example of old behaviour.

+ $this->setLastLoginAttemptedForUser($user, $method, $remember);

- return false;

+ throw new StoppedAuthenticationException($user, $this);

}

- auth()->login($user);

+ $this->clearLastLoginAttempted();

+ auth()->login($user, $remember);

Activity::add(ActivityType::AUTH_LOGIN, "{$method}; {$user->logDescriptor()}");

Theme::dispatch(ThemeEvents::AUTH_LOGIN, $method, $user);

// Authenticate on all session guards if a likely admin

if ($user->can('users-manage') && $user->can('user-roles-manage')) {

Activity::add(ActivityType::AUTH_LOGIN, "{$method}; {$user->logDescriptor()}");

Theme::dispatch(ThemeEvents::AUTH_LOGIN, $method, $user);

// Authenticate on all session guards if a likely admin

if ($user->can('users-manage') && $user->can('user-roles-manage')) {

- $guards = ['standard', 'ldap', 'saml2'];

+ $guards = ['standard', 'ldap', 'saml2', 'oidc'];

foreach ($guards as $guard) {

auth($guard)->login($user);

}

foreach ($guards as $guard) {

auth($guard)->login($user);

}

+ }

+

+ /**

+ * Reattempt a system login after a previous stopped attempt.

+ *

+ * @throws Exception

+ */

+ public function reattemptLoginFor(User $user)

+ {

+ if ($user->id !== ($this->getLastLoginAttemptUser()->id ?? null)) {

+ throw new Exception('Login reattempt user does align with current session state');

+ }

+

+ $lastLoginDetails = $this->getLastLoginAttemptDetails();

+ $this->login($user, $lastLoginDetails['method'], $lastLoginDetails['remember'] ?? false);

+ }

+

+ /**

+ * Get the last user that was attempted to be logged in.

+ * Only exists if the last login attempt had correct credentials

+ * but had been prevented by a secondary factor.

+ */

+ public function getLastLoginAttemptUser(): ?User

+ {

+ $id = $this->getLastLoginAttemptDetails()['user_id'];

+

+ return User::query()->where('id', '=', $id)->first();

+ }

+

+ /**

+ * Get the details of the last login attempt.

+ * Checks upon a ttl of about 1 hour since that last attempted login.

+ *

+ * @return array{user_id: ?string, method: ?string, remember: bool}

+ */

+ protected function getLastLoginAttemptDetails(): array

+ {

+ $value = session()->get(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY);

+ if (!$value) {

+ return ['user_id' => null, 'method' => null];

+ }

- return true;

+ [$id, $method, $remember, $time] = explode(':', $value);

+ $hourAgo = time() - (60 * 60);

+ if ($time < $hourAgo) {

+ $this->clearLastLoginAttempted();

+

+ return ['user_id' => null, 'method' => null];

+ }

+

+ return ['user_id' => $id, 'method' => $method, 'remember' => boolval($remember)];

+ }

+

+ /**

+ * Set the last login attempted user.

+ * Must be only used when credentials are correct and a login could be

+ * achieved but a secondary factor has stopped the login.

+ */

+ protected function setLastLoginAttemptedForUser(User $user, string $method, bool $remember)

+ {

+ session()->put(

+ self::LAST_LOGIN_ATTEMPTED_SESSION_KEY,

+ implode(':', [$user->id, $method, $remember, time()])

+ );

+ }

+

+ /**

+ * Clear the last login attempted session value.

+ */

+ protected function clearLastLoginAttempted(): void

+ {

+ session()->remove(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY);

}

/**

* Check if MFA verification is needed.

*/

}

/**

* Check if MFA verification is needed.

*/

- protected function needsMfaVerification(User $user): bool

+ public function needsMfaVerification(User $user): bool

{

return !$this->mfaSession->isVerifiedForUser($user) && $this->mfaSession->isRequiredForUser($user);

}

{

return !$this->mfaSession->isVerifiedForUser($user) && $this->mfaSession->isRequiredForUser($user);

}

/**

* Check if the given user is awaiting email confirmation.

*/

/**

* Check if the given user is awaiting email confirmation.

*/

- protected function awaitingEmailConfirmation(User $user): bool

+ public function awaitingEmailConfirmation(User $user): bool

{

- $requireConfirmation = (setting('registration-confirmation') || setting('registration-restrict'));

- return $requireConfirmation && !$user->email_confirmed;

+ return $this->emailConfirmationService->confirmationRequired() && !$user->email_confirmed;

}

/**

* Attempt the login of a user using the given credentials.

* Meant to mirror Laravel's default guard 'attempt' method

* but in a manner that always routes through our login system.

}

/**

* Attempt the login of a user using the given credentials.

* Meant to mirror Laravel's default guard 'attempt' method

* but in a manner that always routes through our login system.

+ * May interrupt the flow if extra authentication requirements are imposed.

+ *

+ * @throws StoppedAuthenticationException

*/

public function attempt(array $credentials, string $method, bool $remember = false): bool

{

*/

public function attempt(array $credentials, string $method, bool $remember = false): bool

{

if ($result) {

$user = auth()->user();

auth()->logout();

if ($result) {

$user = auth()->user();

auth()->logout();

- $result = $this->login($user, $method);

+ $this->login($user, $method, $remember);

}

return $result;

}

return $result;

}

-

-}

\ No newline at end of file

+}