feature #38177 [Security] Magic login link authentication (weaverryan)

This PR was squashed before being merged into the 5.2-dev branch.

Discussion
----------

[Security] Magic login link authentication

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | none
| License       | MIT
| Doc PR        | TODO

Hi!

This adds a Slack-style "magic link" login authenticator to the new login system: (A) enter your email into a form, (B) receive an email with a link in it (C) click that link and you are authenticated!

For most users, implementing this would require:

A) Create a [controller](https://github.com/weaverryan/symfony-magic-login-link-example/blob/master/src/Controller/MagicLinkLoginController.php) with the "enter your email" form and a route for the "check" functionality (similar to `form_login`)
B) Activate in `security.yaml`:

```yml
security:
    enable_authenticator_manager: true
    # ...
    firewalls:
        # ...
        main:
            # ...
            login_link:
                check_route: 'magic_link_verify'
                # this is an important and powerful option
                # An array of properties on your User that are used to sign the link.
                # If any of these change, all existing links will become invalid
                # tl;dr If you want the modification of ANY field to invalidate ALL existing magic links immediately,
                # then you can add it to this list. You could even add a "lastLoginLinkSentAt" to invalid
                # all existing login links when a new one is sent.
                signature_properties: [id, password, email]

                # optional - by default, links can be reused but have a 10 minute lifetime
                #max_uses: 3
                #used_link_cache: cache.app
```

Done! This will generate a URL that looks something like this:

> https://127.0.0.1:9033/login/[email protected]&expires=1601342578&hash=YzE1ZDJlYjM3YTMyMjgwZDdkYzg2ZjFlMjZhN2E5ZWRmMzk3NjAxNjRjYThiMjMzNmIxYzAzYzQ4NmQ2Zjk4NA%3D%3D

We would implement a Maker command this config + login/controller. The implementation is done via a "signed URL" and an optional cache pool to "expire" links. The hash of the signed URL can contain any user fields you want, which give you a powerful mechanism to invalidate magic tokens on user data changes. See `signature_properties` above.

#### Security notes:

There is a LOT of variability about how secure these need to be:

* A) Many/most implementation only allow links to be used ONE time. That is *possible* with this implementation, but is not the *default*. You CAN add a `max_uses` config which stores the expired links in a cache so they cannot be re-used. However, to make this work, you need to do more work by adding some "page" between the link the users clicks and *actually* using the login link. Why? Because unless you do this, email clients may follow the link to "preview" it and will "consume" the link.

* B) Many implementations will invalidate all other login links for a user when a new one is created. We do *not* do that, but that IS possible (and we could even generate the code for it) by adding a `lastLoginLinkSentAt` field to `User` and including this in `signature_properties`.

* C) We *do* invalidate all links if the user's email address is changed (assuming the `email` is included in `signature_properties`, which it should be). You can also invalidate on password change or whatever you want.

* D) Some implementations add a "state" so that you can only use the link on the same device that created it. That is, in many cases, quite annoying. We do not currently support that, but we could in the future (and the user could add it themselves).

Thanks!

#### TODOS:

* [x] A) more tests: functional (?) traits
* [ ] B) documentation
* [ ] C) MakerBundle PR
* [ ] D) Make sure we have what we need to allow that "in between" page
* [ ] E) Create a new cache pool instead of relying on cache.app?

Commits
-------

a8afe109d8 [Security] Magic login link authentication

Author: fabpot

Authenticator/LoginLinkAuthenticator.php

@@ -0,0 +1,90 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Authenticator;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
+use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\HttpUtils;
+use Symfony\Component\Security\Http\LoginLink\Exception\InvalidLoginLinkAuthenticationException;
+use Symfony\Component\Security\Http\LoginLink\Exception\InvalidLoginLinkExceptionInterface;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+final class LoginLinkAuthenticator extends AbstractAuthenticator implements InteractiveAuthenticatorInterface
+{
+    private $loginLinkHandler;
+    private $httpUtils;
+    private $successHandler;
+    private $failureHandler;
+    private $options;
+
+    public function __construct(LoginLinkHandlerInterface $loginLinkHandler, HttpUtils $httpUtils, AuthenticationSuccessHandlerInterface $successHandler, AuthenticationFailureHandlerInterface $failureHandler, array $options)
+    {
+        $this->loginLinkHandler = $loginLinkHandler;
+        $this->httpUtils = $httpUtils;
+        $this->successHandler = $successHandler;
+        $this->failureHandler = $failureHandler;
+        $this->options = $options;
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        return $this->httpUtils->checkRequestPath($request, $this->options['check_route']);
+    }
+
+    public function authenticate(Request $request): PassportInterface
+    {
+        $username = $request->get('user');
+
+        if (!$username) {
+            throw new InvalidLoginLinkAuthenticationException('Missing user from link.');
+        }
+
+        return new SelfValidatingPassport(
+            new UserBadge($username, function () use ($request) {
+                try {
+                    $user = $this->loginLinkHandler->consumeLoginLink($request);
+                } catch (InvalidLoginLinkExceptionInterface $e) {
+                    throw new InvalidLoginLinkAuthenticationException('Login link could not be validated.', 0, $e);
+                }
+
+                return $user;
+            }),
+            []
+        );
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return $this->successHandler->onAuthenticationSuccess($request, $token);
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
+    {
+        return $this->failureHandler->onAuthenticationFailure($request, $exception);
+    }
+
+    public function isInteractive(): bool
+    {
+        return true;
+    }
+}

LoginLink/Exception/ExpiredLoginLinkException.php

@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink\Exception;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+class ExpiredLoginLinkException extends \Exception implements InvalidLoginLinkExceptionInterface
+{
+}

LoginLink/Exception/InvalidLoginLinkAuthenticationException.php

@@ -0,0 +1,31 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink\Exception;
+
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+
+/**
+ * Thrown when a login link is invalid.
+ *
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+class InvalidLoginLinkAuthenticationException extends AuthenticationException
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function getMessageKey()
+    {
+        return 'Invalid or expired login link.';
+    }
+}

LoginLink/Exception/InvalidLoginLinkException.php

@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink\Exception;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+class InvalidLoginLinkException extends \Exception implements InvalidLoginLinkExceptionInterface
+{
+}

LoginLink/Exception/InvalidLoginLinkExceptionInterface.php

@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink\Exception;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+interface InvalidLoginLinkExceptionInterface extends \Throwable
+{
+}

LoginLink/ExpiredLoginLinkStorage.php

@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink;
+
+use Psr\Cache\CacheItemPoolInterface;
+
+/**
+ * @final
+ */
+class ExpiredLoginLinkStorage
+{
+    private $cache;
+    private $lifetime;
+
+    public function __construct(CacheItemPoolInterface $cache, int $lifetime)
+    {
+        $this->cache = $cache;
+        $this->lifetime = $lifetime;
+    }
+
+    public function countUsages(string $hash): int
+    {
+        $key = rawurlencode($hash);
+        if (!$this->cache->hasItem($key)) {
+            return 0;
+        }
+
+        return $this->cache->getItem($key)->get();
+    }
+
+    public function incrementUsages(string $hash): void
+    {
+        $item = $this->cache->getItem(rawurlencode($hash));
+
+        if (!$item->isHit()) {
+            $item->expiresAfter($this->lifetime);
+        }
+
+        $item->set($this->countUsages($hash) + 1);
+        $this->cache->save($item);
+    }
+}

LoginLink/LoginLinkDetails.php

@@ -0,0 +1,43 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\LoginLink;
+
+/**
+ * @author Ryan Weaver <[email protected]>
+ * @experimental in 5.2
+ */
+class LoginLinkDetails
+{
+    private $url;
+    private $expiresAt;
+
+    public function __construct(string $url, \DateTimeImmutable $expiresAt)
+    {
+        $this->url = $url;
+        $this->expiresAt = $expiresAt;
+    }
+
+    public function getUrl(): string
+    {
+        return $this->url;
+    }
+
+    public function getExpiresAt(): \DateTimeImmutable
+    {
+        return $this->expiresAt;
+    }
+
+    public function __toString()
+    {
+        return $this->url;
+    }
+}