[Security] Magic login link authentication

Author: weaverryan

Authenticator/LoginLinkAuthenticator.php

@@ -0,0 +1,90 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authenticator;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
+use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\LoginLink\Exception\InvalidLoginLinkAuthenticationException;
+use Symfony\Component\Security\Http\LoginLink\Exception\InvalidLoginLinkExceptionInterface;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+final class LoginLinkAuthenticator extends AbstractAuthenticator implements InteractiveAuthenticatorInterface
+{
+    private $loginLinkHandler;
+    private $httpUtils;
+    private $successHandler;
+    private $failureHandler;
+    private $options;
+
+    public function __construct(LoginLinkHandlerInterface $loginLinkHandler, HttpUtils $httpUtils, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options)
+    {
+        $this->loginLinkHandler = $loginLinkHandler;
+        $this->httpUtils = $httpUtils;
+        $this->successHandler = $successHandler;
+        $this->failureHandler = $failureHandler;
+        $this->options = $options;
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        return $this->httpUtils->checkRequestPath($request, $this->options['check_route']);
+    }
+
+    public function authenticate(Request $request): PassportInterface
+    {
+        $username = $request->get('user');
+
+        if (!$username) {
+            throw new InvalidLoginLinkAuthenticationException('Missing user from link.');
+        }
+
+        return new SelfValidatingPassport(
+            new UserBadge($username, function () use ($request) {
+                try {
+                    $user = $this->loginLinkHandler->consumeLoginLink($request);
+                } catch (InvalidLoginLinkExceptionInterface $e) {
+                    throw new InvalidLoginLinkAuthenticationException('Login link could not be validated.', 0, $e);
+                }
+
+                return $user;
+            }),
+            []
+        );
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return $this->successHandler->onAuthenticationSuccess($request, $token);
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
+    {
+        return $this->failureHandler->onAuthenticationFailure($request, $exception);
+    }
+
+    public function isInteractive(): bool
+    {
+        return true;
+    }
+}

LoginLink/Exception/ExpiredLoginLinkException.php

@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink\Exception;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+class ExpiredLoginLinkException extends \Exception implements InvalidLoginLinkExceptionInterface
+{
+}

LoginLink/Exception/InvalidLoginLinkAuthenticationException.php

@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink\Exception;
+
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+
+/**
+ * Thrown when a login link is invalid.
+ *
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+class InvalidLoginLinkAuthenticationException extends AuthenticationException
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getMessageKey()
+    {
+        return 'Invalid or expired login link.';
+    }
+}

LoginLink/Exception/InvalidLoginLinkException.php

@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink\Exception;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+class InvalidLoginLinkException extends \Exception implements InvalidLoginLinkExceptionInterface
+{
+}

LoginLink/Exception/InvalidLoginLinkExceptionInterface.php

@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink\Exception;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+interface InvalidLoginLinkExceptionInterface extends \Throwable
+{
+}

LoginLink/ExpiredLoginLinkStorage.php

@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink;
+
+use Psr\Cache\CacheItemPoolInterface;
+
+/**
+ * @final
+ */
+class ExpiredLoginLinkStorage
+{
+    private $cache;
+    private $lifetime;
+
+    public function __construct(CacheItemPoolInterface $cache, int $lifetime)
+    {
+        $this->cache = $cache;
+        $this->lifetime = $lifetime;
+    }
+
+    public function countUsages(string $hash): int
+    {
+        $key = rawurlencode($hash);
+        if (!$this->cache->hasItem($key)) {
+            return 0;
+        }
+
+        return $this->cache->getItem($key)->get();
+    }
+
+    public function incrementUsages(string $hash): void
+    {
+        $item = $this->cache->getItem(rawurlencode($hash));
+
+        if (!$item->isHit()) {
+            $item->expiresAfter($this->lifetime);
+        }
+
+        $item->set($this->countUsages($hash) + 1);
+        $this->cache->save($item);
+    }
+}

LoginLink/LoginLinkDetails.php

@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+class LoginLinkDetails
+{
+    private $url;
+    private $expiresAt;
+
+    public function __construct(string $url, \DateTimeImmutable $expiresAt)
+    {
+        $this->url = $url;
+        $this->expiresAt = $expiresAt;
+    }
+
+    public function getUrl(): string
+    {
+        return $this->url;
+    }
+
+    public function getExpiresAt(): \DateTimeImmutable
+    {
+        return $this->expiresAt;
+    }
+
+    public function __toString()
+    {
+        return $this->url;
+    }
+}