PageRenderTime 39ms CodeModel.GetById 12ms RepoModel.GetById 0ms app.codeStats 0ms

/src/Backend/Modules/Authentication/Actions/Index.php

http://github.com/forkcms/forkcms
PHP | 336 lines | 213 code | 55 blank | 68 comment | 29 complexity | fbaa82db137dba94184200f9fcb6005f MD5 | raw file
Possible License(s): MPL-2.0-no-copyleft-exception, MIT, AGPL-3.0, LGPL-2.1, BSD-3-Clause 
    

  1. <?php
    2. 

  2. 

  3. namespace Backend\Modules\Authentication\Actions;
    4. 

  4. 

  5. use Backend\Core\Engine\Authentication as BackendAuthentication;
    6. 

  6. use Backend\Core\Engine\Base\ActionIndex as BackendBaseActionIndex;
    7. 

  7. use Backend\Core\Engine\Form as BackendForm;
    8. 

  8. use Backend\Core\Language\Language as BL;
    9. 

  9. use Backend\Core\Engine\Model as BackendModel;
    10. 

  10. use Backend\Core\Engine\User;
    11. 

  11. use Backend\Modules\Users\Engine\Model as BackendUsersModel;
    12. 

  12. use Common\Mailer\Message;
    13. 

  13. use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
    14. 

  14. use Symfony\Component\HttpKernel\Exception\ServiceUnavailableHttpException;
    15. 

  15. 

  16. /**
    17. 

  17.  * This is the index-action (default), it will display the login screen
    18. 

  18.  */
    19. 

  19. class Index extends BackendBaseActionIndex
    20. 

  20. {
    21. 

  21.     /**
    22. 

  22.      * @var BackendForm
    23. 

  23.      */
    24. 

  24.     private $form;
    25. 

  25. 

  26.     /**
    27. 

  27.      * @var BackendForm
    28. 

  28.      */
    29. 

  29.     private $formForgotPassword;
    30. 

  30. 

  31.     public function execute(): void
    32. 

  32.     {
    33. 

  33.         // check if the user is really logged on
    34. 

  34.         if (BackendAuthentication::getUser()->isAuthenticated()) {
    35. 

  35.             $userEmail = BackendAuthentication::getUser()->getEmail();
    36. 

  36.             $this->getContainer()->get('logger.public')->info(
    37. 

  37.                 "User '{$userEmail}' is already authenticated."
    38. 

  38.             );
    39. 

  39.             $this->redirectToAllowedModuleAndAction();
    40. 

  40.         }
    41. 

  41. 

  42.         parent::execute();
    43. 

  43.         $this->buildForm();
    44. 

  44.         $this->validateForm();
    45. 

  45.         $this->parse();
    46. 

  46.         $this->display();
    47. 

  47.     }
    48. 

  48. 

  49.     private function buildForm(): void
    50. 

  50.     {
    51. 

  51.         $this->form = new BackendForm(null, null, 'post', true, false);
    52. 

  52.         $this->form
    53. 

  53.             ->addText('backend_email')
    54. 

  54.             ->setAttribute('placeholder', \SpoonFilter::ucfirst(BL::lbl('Email')))
    55. 

  55.             ->setAttribute('type', 'email')
    56. 

  56.         ;
    57. 

  57.         $this->form
    58. 

  58.             ->addPassword('backend_password')
    59. 

  59.             ->setAttribute('placeholder', \SpoonFilter::ucfirst(BL::lbl('Password')))
    60. 

  60.         ;
    61. 

  61. 

  62.         $this->formForgotPassword = new BackendForm('forgotPassword');
    63. 

  63.         $this->formForgotPassword->addText('backend_email_forgot');
    64. 

  64.     }
    65. 

  65. 

  66.     public function parse(): void
    67. 

  67.     {
    68. 

  68.         parent::parse();
    69. 

  69. 

  70.         // assign the interface language ourself, because it won't be assigned automagically
    71. 

  71.         $this->template->assign('INTERFACE_LANGUAGE', BL::getInterfaceLanguage());
    72. 

  72. 

  73.         $this->form->parse($this->template);
    74. 

  74.         $this->formForgotPassword->parse($this->template);
    75. 

  75.     }
    76. 

  76. 

  77.     private function validateForm(): void
    78. 

  78.     {
    79. 

  79.         if ($this->form->isSubmitted()) {
    80. 

  80.             $txtEmail = $this->form->getField('backend_email');
    81. 

  81.             $txtPassword = $this->form->getField('backend_password');
    82. 

  82. 

  83.             // required fields
    84. 

  84.             if (!$txtEmail->isFilled() || !$txtPassword->isFilled()) {
    85. 

  85.                 // add error
    86. 

  86.                 $this->form->addError('fields required');
    87. 

  87. 

  88.                 // show error
    89. 

  89.                 $this->template->assign('hasError', true);
    90. 

  90.             }
    91. 

  91. 

  92.             $this->getContainer()->get('logger.public')->info(
    93. 

  93.                 "Trying to authenticate user '{$txtEmail->getValue()}'."
    94. 

  94.             );
    95. 

  95. 

  96.             // invalid form-token?
    97. 

  97.             if ($this->form->getToken() != $this->form->getField('form_token')->getValue()) {
    98. 

  98.                 // set a correct header, so bots understand they can't mess with us.
    99. 

  99.                 throw new BadRequestHttpException();
    100. 

  100.             }
    101. 

  101. 

  102.             // get the user's id
    103. 

  103.             $userId = BackendUsersModel::getIdByEmail($txtEmail->getValue());
    104. 

  104. 

  105.             // all fields are ok?
    106. 

  106.             if ($txtEmail->isFilled() && $txtPassword->isFilled() && $this->form->getToken() == $this->form->getField('form_token')->getValue()) {
    107. 

  107.                 // try to login the user
    108. 

  108.                 if (!BackendAuthentication::loginUser($txtEmail->getValue(), $txtPassword->getValue())) {
    109. 

  109.                     $this->getContainer()->get('logger.public')->info(
    110. 

  110.                         "Failed authenticating user '{$txtEmail->getValue()}'."
    111. 

  111.                     );
    112. 

  112. 

  113.                     // add error
    114. 

  114.                     $this->form->addError('invalid login');
    115. 

  115. 

  116.                     // store attempt in session
    117. 

  117.                     $current = (int) BackendModel::getSession()->get('backend_login_attempts', 0);
    118. 

  118. 

  119.                     // increment and store
    120. 

  120.                     BackendModel::getSession()->set('backend_login_attempts', ++$current);
    121. 

  121. 

  122.                     // save the failed login attempt in the user's settings
    123. 

  123.                     if ($userId !== false) {
    124. 

  124.                         BackendUsersModel::setSetting($userId, 'last_failed_login_attempt', time());
    125. 

  125.                     }
    126. 

  126. 

  127.                     // show error
    128. 

  128.                     $this->template->assign('hasError', true);
    129. 

  129.                 }
    130. 

  130.             }
    131. 

  131. 

  132.             // check sessions
    133. 

  133.             if (BackendModel::getSession()->get('backend_login_attempts', 0) >= 5) {
    134. 

  134.                 // get previous attempt
    135. 

  135.                 $previousAttempt = BackendModel::getSession()->get('backend_last_attempt', time());
    136. 

  136. 

  137.                 // calculate timeout
    138. 

  138.                 $timeout = 5 * (BackendModel::getSession()->get('backend_login_attempts') - 4);
    139. 

  139. 

  140.                 // too soon!
    141. 

  141.                 if (time() < $previousAttempt + $timeout) {
    142. 

  142.                     // sleep until the user can login again
    143. 

  143.                     sleep($timeout);
    144. 

  144. 

  145.                     // set a correct header, so bots understand they can't mess with us.
    146. 

  146.                     throw new ServiceUnavailableHttpException();
    147. 

  147.                 }
    148. 

  148.                 // increment and store
    149. 

  149.                 BackendModel::getSession()->set('backend_last_attempt', time());
    150. 

  150. 

  151.                 // too many attempts
    152. 

  152.                 $this->form->addError('too many attempts');
    153. 

  153. 

  154.                 $this->getContainer()->get('logger.public')->info(
    155. 

  155.                     "Too many login attempts for user '{$txtEmail->getValue()}'."
    156. 

  156.                 );
    157. 

  157. 

  158.                 // show error
    159. 

  159.                 $this->template->assign('hasTooManyAttemps', true);
    160. 

  160.                 $this->template->assign('hasError', false);
    161. 

  161.             }
    162. 

  162. 

  163.             // no errors in the form?
    164. 

  164.             if ($this->form->isCorrect()) {
    165. 

  165.                 // cleanup sessions
    166. 

  166.                 BackendModel::getSession()->remove('backend_login_attempts');
    167. 

  167.                 BackendModel::getSession()->remove('backend_last_attempt');
    168. 

  168. 

  169.                 // save the login timestamp in the user's settings
    170. 

  170.                 $lastLogin = BackendUsersModel::getSetting($userId, 'current_login');
    171. 

  171.                 BackendUsersModel::setSetting($userId, 'current_login', time());
    172. 

  172.                 if ($lastLogin) {
    173. 

  173.                     BackendUsersModel::setSetting($userId, 'last_login', $lastLogin);
    174. 

  174.                 }
    175. 

  175. 

  176.                 $this->getContainer()->get('logger.public')->info(
    177. 

  177.                     "Successfully authenticated user '{$txtEmail->getValue()}'."
    178. 

  178.                 );
    179. 

  179. 

  180.                 // redirect to the correct URL (URL the user was looking for or fallback)
    181. 

  181.                 $this->redirectToAllowedModuleAndAction();
    182. 

  182.             }
    183. 

  183.         }
    184. 

  184. 

  185.         // is the form submitted
    186. 

  186.         if ($this->formForgotPassword->isSubmitted()) {
    187. 

  187.             // backend email
    188. 

  188.             $email = $this->formForgotPassword->getField('backend_email_forgot')->getValue();
    189. 

  189. 

  190.             // required fields
    191. 

  191.             if ($this->formForgotPassword->getField('backend_email_forgot')->isEmail(BL::err('EmailIsInvalid'))) {
    192. 

  192.                 // check if there is a user with the given emailaddress
    193. 

  193.                 if (!BackendUsersModel::existsEmail($email)) {
    194. 

  194.                     $this->formForgotPassword->getField('backend_email_forgot')->addError(BL::err('EmailIsUnknown'));
    195. 

  195.                 }
    196. 

  196.             }
    197. 

  197. 

  198.             // no errors in the form?
    199. 

  199.             if ($this->formForgotPassword->isCorrect()) {
    200. 

  200.                 // generate the key for the reset link and fetch the user ID for this email
    201. 

  201.                 $key = BackendAuthentication::getEncryptedString($email, uniqid('', true));
    202. 

  202. 

  203.                 // insert the key and the timestamp into the user settings
    204. 

  204.                 $userId = BackendUsersModel::getIdByEmail($email);
    205. 

  205.                 $user = new User($userId);
    206. 

  206.                 $user->setSetting('reset_password_key', $key);
    207. 

  207.                 $user->setSetting('reset_password_timestamp', time());
    208. 

  208. 

  209.                 // send e-mail to user
    210. 

  210.                 $from = $this->get('fork.settings')->get('Core', 'mailer_from');
    211. 

  211.                 $replyTo = $this->get('fork.settings')->get('Core', 'mailer_reply_to');
    212. 

  212.                 $message = Message::newInstance(
    213. 

  213.                     \SpoonFilter::ucfirst(BL::msg('ResetYourPasswordMailSubject'))
    214. 

  214.                 )
    215. 

  215.                     ->setFrom([$from['email'] => $from['name']])
    216. 

  216.                     ->setTo([$email])
    217. 

  217.                     ->setReplyTo([$replyTo['email'] => $replyTo['name']])
    218. 

  218.                     ->parseHtml(
    219. 

  219.                         '/Authentication/Layout/Templates/Mails/ResetPassword.html.twig',
    220. 

  220.                         [
    221. 

  221.                             'resetLink' => SITE_URL . BackendModel::createUrlForAction('ResetPassword')
    222. 

  222.                                            . '&email=' . $email . '&key=' . $key,
    223. 

  223.                         ]
    224. 

  224.                     );
    225. 

  225.                 $this->get('mailer')->send($message);
    226. 

  226. 

  227.                 // clear post-values
    228. 

  228.                 $_POST['backend_email_forgot'] = '';
    229. 

  229. 

  230.                 // show success message
    231. 

  231.                 $this->template->assign('isForgotPasswordSuccess', true);
    232. 

  232. 

  233.                 // show form
    234. 

  234.                 $this->template->assign('showForm', true);
    235. 

  235.             } else {
    236. 

  236.                 // errors?
    237. 

  237.                 $this->template->assign('showForm', true);
    238. 

  238.             }
    239. 

  239.         }
    240. 

  240.     }
    241. 

  241. 

  242.     /**
    243. 

  243.      * Find out which module and action are allowed
    244. 

  244.      * and send the user on his way.
    245. 

  245.      */
    246. 

  246.     private function redirectToAllowedModuleAndAction(): void
    247. 

  247.     {
    248. 

  248.         $allowedModule = $this->getAllowedModule();
    249. 

  249.         $allowedAction = $this->getAllowedAction($allowedModule);
    250. 

  250.         $allowedModuleActionUrl = $allowedModule !== false && $allowedAction !== false ?
    251. 

  251.             BackendModel::createUrlForAction($allowedAction, $allowedModule) :
    252. 

  252.             BackendModel::createUrlForAction('Index', 'Authentication');
    253. 

  253. 

  254.         $userEmail = BackendAuthentication::getUser()->getEmail();
    255. 

  255.         $this->getContainer()->get('logger.public')->info(
    256. 

  256.             "Redirecting user '{$userEmail}' to {$allowedModuleActionUrl}."
    257. 

  257.         );
    258. 

  258. 

  259.         $this->redirect(
    260. 

  260.             $this->sanitizeQueryString(
    261. 

  261.                 $this->getRequest()->query->get('querystring', $allowedModuleActionUrl),
    262. 

  262.                 $allowedModuleActionUrl
    263. 

  263.             )
    264. 

  264.         );
    265. 

  265.     }
    266. 

  266. 

  267.     /**
    268. 

  268.      * Run through the action of a certain module and find us an action(name) this user is allowed to access.
    269. 

  269.      *
    270. 

  270.      * @param string $module
    271. 

  271.      *
    272. 

  272.      * @return bool|string
    273. 

  273.      */
    274. 

  274.     private function getAllowedAction(string $module)
    275. 

  275.     {
    276. 

  276.         if (BackendAuthentication::isAllowedAction('Index', $module)) {
    277. 

  277.             return 'Index';
    278. 

  278.         }
    279. 

  279.         $allowedAction = false;
    280. 

  280. 

  281.         $groupsRightsActions = BackendUsersModel::getModuleGroupsRightsActions(
    282. 

  282.             $module
    283. 

  283.         );
    284. 

  284. 

  285.         foreach ($groupsRightsActions as $groupsRightsAction) {
    286. 

  286.             $isAllowedAction = BackendAuthentication::isAllowedAction(
    287. 

  287.                 $groupsRightsAction['action'],
    288. 

  288.                 $module
    289. 

  289.             );
    290. 

  290.             if ($isAllowedAction) {
    291. 

  291.                 $allowedAction = $groupsRightsAction['action'];
    292. 

  292.                 break;
    293. 

  293.             }
    294. 

  294.         }
    295. 

  295. 

  296.         return $allowedAction;
    297. 

  297.     }
    298. 

  298. 

  299.     /**
    300. 

  300.      * Run through the modules and find us a module(name) this user is allowed to access.
    301. 

  301.      *
    302. 

  302.      * @return bool|string
    303. 

  303.      */
    304. 

  304.     private function getAllowedModule()
    305. 

  305.     {
    306. 

  306.         // create filter with modules which may not be displayed
    307. 

  307.         $filter = ['Authentication', 'Error', 'Core'];
    308. 

  308. 

  309.         // get all modules
    310. 

  310.         $modules = array_diff(BackendModel::getModules(), $filter);
    311. 

  311.         $allowedModule = false;
    312. 

  312. 

  313.         if (BackendAuthentication::isAllowedModule('Dashboard')) {
    314. 

  314.             $allowedModule = 'Dashboard';
    315. 

  315.         } else {
    316. 

  316.             foreach ($modules as $module) {
    317. 

  317.                 if (BackendAuthentication::isAllowedModule($module)) {
    318. 

  318.                     $allowedModule = $module;
    319. 

  319.                     break;
    320. 

  320.                 }
    321. 

  321.             }
    322. 

  322.         }
    323. 

  323. 

  324.         return $allowedModule;
    325. 

  325.     }
    326. 

  326. 

  327.     private function sanitizeQueryString(string $queryString, string $default): string
    328. 

  328.     {
    329. 

  329.         // only allow internal urls starting with "\"
    330. 

  330.         if (!preg_match('/^\//', $queryString)) {
    331. 

  331.             return $default;
    332. 

  332.         }
    333. 

  333. 

  334.         return $queryString;
    335. 

  335.     }
    336. 

  336. }
    337. 

  337.