X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/1278fb4969f87d2433a6e1e1f70d63f0e9a41d30..refs/pull/3012/head:/app/Auth/Access/LoginService.php

diff --git a/app/Auth/Access/LoginService.php b/app/Auth/Access/LoginService.php
index 3d67b1e77..f41570417 100644
--- a/app/Auth/Access/LoginService.php
+++ b/app/Auth/Access/LoginService.php
@@ -5,73 +5,131 @@ namespace BookStack\Auth\Access;
 use BookStack\Actions\ActivityType;
 use BookStack\Auth\Access\Mfa\MfaSession;
 use BookStack\Auth\User;
+use BookStack\Exceptions\StoppedAuthenticationException;
 use BookStack\Facades\Activity;
 use BookStack\Facades\Theme;
 use BookStack\Theming\ThemeEvents;
+use Exception;
 
 class LoginService
 {
+    protected const LAST_LOGIN_ATTEMPTED_SESSION_KEY = 'auth-login-last-attempted';
 
     protected $mfaSession;
+    protected $emailConfirmationService;
 
-    public function __construct(MfaSession $mfaSession)
+    public function __construct(MfaSession $mfaSession, EmailConfirmationService $emailConfirmationService)
     {
         $this->mfaSession = $mfaSession;
+        $this->emailConfirmationService = $emailConfirmationService;
     }
 
-
     /**
      * Log the given user into the system.
      * Will start a login of the given user but will prevent if there's
      * a reason to (MFA or Unconfirmed Email).
      * Returns a boolean to indicate the current login result.
+     *
+     * @throws StoppedAuthenticationException
      */
-    public function login(User $user, string $method): bool
+    public function login(User $user, string $method, bool $remember = false): void
     {
         if ($this->awaitingEmailConfirmation($user) || $this->needsMfaVerification($user)) {
-            // TODO - Remember who last attempted a login so we can use them after such
-            //  a email confirmation or mfa verification step.
-            //  Create a method to fetch that attempted user for use by the email confirmation
-            //  or MFA verification services.
-            //  Also will need a method to 'reattemptLastAttempted' login for once
-            //  the email confirmation of MFA verification steps have passed.
-            //  Must ensure this remembered last attempted login is cleared upon successful login.
-
-            // TODO - Does 'remember' still work? Probably not right now.
-
-            // Old MFA middleware todos:
-
-            // TODO - Need to redirect to setup if not configured AND ONLY IF NO OPTIONS CONFIGURED
-            //    Might need to change up such routes to start with /configure/ for such identification.
-            //    (Can't allow access to those if already configured)
-            // TODO - Store mfa_pass into session for future requests?
-
-            // TODO - Handle email confirmation handling
-            //  Left BookStack\Http\Middleware\Authenticate@emailConfirmationErrorResponse in which needs
-            //  be removed as an example of old behaviour.
+            $this->setLastLoginAttemptedForUser($user, $method, $remember);
 
-            return false;
+            throw new StoppedAuthenticationException($user, $this);
         }
 
-        auth()->login($user);
+        $this->clearLastLoginAttempted();
+        auth()->login($user, $remember);
         Activity::add(ActivityType::AUTH_LOGIN, "{$method}; {$user->logDescriptor()}");
         Theme::dispatch(ThemeEvents::AUTH_LOGIN, $method, $user);
 
         // Authenticate on all session guards if a likely admin
         if ($user->can('users-manage') && $user->can('user-roles-manage')) {
-            $guards = ['standard', 'ldap', 'saml2'];
+            $guards = ['standard', 'ldap', 'saml2', 'oidc'];
             foreach ($guards as $guard) {
                 auth($guard)->login($user);
             }
         }
+    }
+
+    /**
+     * Reattempt a system login after a previous stopped attempt.
+     *
+     * @throws Exception
+     */
+    public function reattemptLoginFor(User $user)
+    {
+        if ($user->id !== ($this->getLastLoginAttemptUser()->id ?? null)) {
+            throw new Exception('Login reattempt user does align with current session state');
+        }
+
+        $lastLoginDetails = $this->getLastLoginAttemptDetails();
+        $this->login($user, $lastLoginDetails['method'], $lastLoginDetails['remember'] ?? false);
+    }
+
+    /**
+     * Get the last user that was attempted to be logged in.
+     * Only exists if the last login attempt had correct credentials
+     * but had been prevented by a secondary factor.
+     */
+    public function getLastLoginAttemptUser(): ?User
+    {
+        $id = $this->getLastLoginAttemptDetails()['user_id'];
+
+        return User::query()->where('id', '=', $id)->first();
+    }
+
+    /**
+     * Get the details of the last login attempt.
+     * Checks upon a ttl of about 1 hour since that last attempted login.
+     *
+     * @return array{user_id: ?string, method: ?string, remember: bool}
+     */
+    protected function getLastLoginAttemptDetails(): array
+    {
+        $value = session()->get(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY);
+        if (!$value) {
+            return ['user_id' => null, 'method' => null];
+        }
 
-        return true;
+        [$id, $method, $remember, $time] = explode(':', $value);
+        $hourAgo = time() - (60 * 60);
+        if ($time < $hourAgo) {
+            $this->clearLastLoginAttempted();
+
+            return ['user_id' => null, 'method' => null];
+        }
+
+        return ['user_id' => $id, 'method' => $method, 'remember' => boolval($remember)];
+    }
+
+    /**
+     * Set the last login attempted user.
+     * Must be only used when credentials are correct and a login could be
+     * achieved but a secondary factor has stopped the login.
+     */
+    protected function setLastLoginAttemptedForUser(User $user, string $method, bool $remember)
+    {
+        session()->put(
+            self::LAST_LOGIN_ATTEMPTED_SESSION_KEY,
+            implode(':', [$user->id, $method, $remember, time()])
+        );
+    }
+
+    /**
+     * Clear the last login attempted session value.
+     */
+    protected function clearLastLoginAttempted(): void
+    {
+        session()->remove(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY);
     }
 
     /**
      * Check if MFA verification is needed.
      */
-    protected function needsMfaVerification(User $user): bool
+    public function needsMfaVerification(User $user): bool
     {
         return !$this->mfaSession->isVerifiedForUser($user) && $this->mfaSession->isRequiredForUser($user);
     }
@@ -79,16 +137,18 @@ class LoginService
     /**
      * Check if the given user is awaiting email confirmation.
      */
-    protected function awaitingEmailConfirmation(User $user): bool
+    public function awaitingEmailConfirmation(User $user): bool
     {
-        $requireConfirmation = (setting('registration-confirmation') || setting('registration-restrict'));
-        return $requireConfirmation && !$user->email_confirmed;
+        return $this->emailConfirmationService->confirmationRequired() && !$user->email_confirmed;
     }
 
     /**
      * Attempt the login of a user using the given credentials.
      * Meant to mirror Laravel's default guard 'attempt' method
      * but in a manner that always routes through our login system.
+     * May interrupt the flow if extra authentication requirements are imposed.
+     *
+     * @throws StoppedAuthenticationException
      */
     public function attempt(array $credentials, string $method, bool $remember = false): bool
     {
@@ -96,10 +156,9 @@ class LoginService
         if ($result) {
             $user = auth()->user();
             auth()->logout();
-            $result = $this->login($user, $method);
+            $this->login($user, $method, $remember);
         }
 
         return $result;
     }
-
-}
\ No newline at end of file
+}