X-Git-Url: http://source.bookstackapp.com/bookstack/blobdiff_plain/a3f19ebe96063eae54384fd56d2da8b66e625c14..refs/pull/3210/head:/app/Auth/Access/LoginService.php diff --git a/app/Auth/Access/LoginService.php b/app/Auth/Access/LoginService.php index 9823caafa..f41570417 100644 --- a/app/Auth/Access/LoginService.php +++ b/app/Auth/Access/LoginService.php @@ -13,14 +13,15 @@ use Exception; class LoginService { - protected const LAST_LOGIN_ATTEMPTED_SESSION_KEY = 'auth-login-last-attempted'; protected $mfaSession; + protected $emailConfirmationService; - public function __construct(MfaSession $mfaSession) + public function __construct(MfaSession $mfaSession, EmailConfirmationService $emailConfirmationService) { $this->mfaSession = $mfaSession; + $this->emailConfirmationService = $emailConfirmationService; } /** @@ -28,36 +29,25 @@ class LoginService * Will start a login of the given user but will prevent if there's * a reason to (MFA or Unconfirmed Email). * Returns a boolean to indicate the current login result. + * * @throws StoppedAuthenticationException */ - public function login(User $user, string $method): void + public function login(User $user, string $method, bool $remember = false): void { if ($this->awaitingEmailConfirmation($user) || $this->needsMfaVerification($user)) { - $this->setLastLoginAttemptedForUser($user); - throw new StoppedAuthenticationException($user, $this); - // TODO - Does 'remember' still work? Probably not right now. - - // Old MFA middleware todos: - - // TODO - Need to redirect to setup if not configured AND ONLY IF NO OPTIONS CONFIGURED - // Might need to change up such routes to start with /configure/ for such identification. - // (Can't allow access to those if already configured) - // Or, More likely, Need to add defence to those to prevent access unless - // logged in or during partial auth. + $this->setLastLoginAttemptedForUser($user, $method, $remember); - // TODO - Handle email confirmation handling - // Left BookStack\Http\Middleware\Authenticate@emailConfirmationErrorResponse in which needs - // be removed as an example of old behaviour. + throw new StoppedAuthenticationException($user, $this); } $this->clearLastLoginAttempted(); - auth()->login($user); + auth()->login($user, $remember); Activity::add(ActivityType::AUTH_LOGIN, "{$method}; {$user->logDescriptor()}"); Theme::dispatch(ThemeEvents::AUTH_LOGIN, $method, $user); // Authenticate on all session guards if a likely admin if ($user->can('users-manage') && $user->can('user-roles-manage')) { - $guards = ['standard', 'ldap', 'saml2']; + $guards = ['standard', 'ldap', 'saml2', 'oidc']; foreach ($guards as $guard) { auth($guard)->login($user); } @@ -66,15 +56,17 @@ class LoginService /** * Reattempt a system login after a previous stopped attempt. + * * @throws Exception */ - public function reattemptLoginFor(User $user, string $method) + public function reattemptLoginFor(User $user) { if ($user->id !== ($this->getLastLoginAttemptUser()->id ?? null)) { throw new Exception('Login reattempt user does align with current session state'); } - $this->login($user, $method); + $lastLoginDetails = $this->getLastLoginAttemptDetails(); + $this->login($user, $lastLoginDetails['method'], $lastLoginDetails['remember'] ?? false); } /** @@ -84,22 +76,46 @@ class LoginService */ public function getLastLoginAttemptUser(): ?User { - $id = session()->get(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY); - if (!$id) { - return null; - } + $id = $this->getLastLoginAttemptDetails()['user_id']; return User::query()->where('id', '=', $id)->first(); } + /** + * Get the details of the last login attempt. + * Checks upon a ttl of about 1 hour since that last attempted login. + * + * @return array{user_id: ?string, method: ?string, remember: bool} + */ + protected function getLastLoginAttemptDetails(): array + { + $value = session()->get(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY); + if (!$value) { + return ['user_id' => null, 'method' => null]; + } + + [$id, $method, $remember, $time] = explode(':', $value); + $hourAgo = time() - (60 * 60); + if ($time < $hourAgo) { + $this->clearLastLoginAttempted(); + + return ['user_id' => null, 'method' => null]; + } + + return ['user_id' => $id, 'method' => $method, 'remember' => boolval($remember)]; + } + /** * Set the last login attempted user. * Must be only used when credentials are correct and a login could be * achieved but a secondary factor has stopped the login. */ - protected function setLastLoginAttemptedForUser(User $user) + protected function setLastLoginAttemptedForUser(User $user, string $method, bool $remember) { - session()->put(self::LAST_LOGIN_ATTEMPTED_SESSION_KEY, $user->id); + session()->put( + self::LAST_LOGIN_ATTEMPTED_SESSION_KEY, + implode(':', [$user->id, $method, $remember, time()]) + ); } /** @@ -123,8 +139,7 @@ class LoginService */ public function awaitingEmailConfirmation(User $user): bool { - $requireConfirmation = (setting('registration-confirmation') || setting('registration-restrict')); - return $requireConfirmation && !$user->email_confirmed; + return $this->emailConfirmationService->confirmationRequired() && !$user->email_confirmed; } /** @@ -141,10 +156,9 @@ class LoginService if ($result) { $user = auth()->user(); auth()->logout(); - $this->login($user, $method); + $this->login($user, $method, $remember); } return $result; } - -} \ No newline at end of file +}