[Security] Rework the remember me system

Author: wouterj

Authenticator/Passport/Badge/RememberMeBadge.php

@@ -14,14 +14,9 @@
 /**
  * Adds support for remember me to this authenticator.
  *
- * Remember me cookie will be set if *all* of the following are met:
- *  A) This badge is present in the Passport
- *  B) The remember_me key under your firewall is configured
- *  C) The "remember me" functionality is activated. This is usually
- *      done by having a _remember_me checkbox in your form, but
- *      can be configured by the "always_remember_me" and "remember_me_parameter"
- *      parameters under the "remember_me" firewall key
- *  D) The authentication process returns a success Response object
+ * The presence of this badge doesn't create the remember-me cookie. The actual
+ * cookie is only created if this badge is enabled. By default, this is done
+ * by the {@see RememberMeConditionsListener} if all conditions are met.
  *
  * @author Wouter de Jong <[email protected]>
  *
@@ -30,6 +25,40 @@
  */
 class RememberMeBadge implements BadgeInterface
 {
+    private $enabled = false;
+
+    /**
+     * Enables remember-me cookie creation.
+     *
+     * In most cases, {@see RememberMeConditionsListener} enables this
+     * automatically if always_remember_me is true or the remember_me_parameter
+     * exists in the request.
+     *
+     * @return $this
+     */
+    public function enable(): self
+    {
+        $this->enabled = true;
+
+        return $this;
+    }
+
+    /**
+     * Disables remember-me cookie creation.
+     *
+     * The default is disabled, this can be called to suppress creation
+     * after it was enabled.
+     */
+    public function disable(): void
+    {
+        $this->enabled = false;
+    }
+
+    public function isEnabled(): bool
+    {
+        return $this->enabled;
+    }
+
     public function isResolved(): bool
     {
         return true; // remember me does not need to be explicitly resolved

Authenticator/RememberMeAuthenticator.php

@@ -11,22 +11,28 @@
 
 namespace Symfony\Component\Security\Http\Authenticator;
 
+use Psr\Log\LoggerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\CookieTheftException;
+use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
+use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\PassportInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
-use Symfony\Component\Security\Http\RememberMe\RememberMeServicesInterface;
+use Symfony\Component\Security\Http\RememberMe\RememberMeDetails;
+use Symfony\Component\Security\Http\RememberMe\RememberMeHandlerInterface;
+use Symfony\Component\Security\Http\RememberMe\ResponseListener;
 
 /**
  * The RememberMe *Authenticator* performs remember me authentication.
  *
  * This authenticator is executed whenever a user's session
- * expired and a remember me cookie was found. This authenticator
+ * expired and a remember-me cookie was found. This authenticator
  * then "re-authenticates" the user using the information in the
  * cookie.
  *
@@ -37,17 +43,19 @@
  */
 class RememberMeAuthenticator implements InteractiveAuthenticatorInterface
 {
-    private $rememberMeServices;
+    private $rememberMeHandler;
     private $secret;
     private $tokenStorage;
-    private $options = [];
+    private $cookieName;
+    private $logger;
 
-    public function __construct(RememberMeServicesInterface $rememberMeServices, string $secret, TokenStorageInterface $tokenStorage, array $options)
+    public function __construct(RememberMeHandlerInterface $rememberMeHandler, string $secret, TokenStorageInterface $tokenStorage, string $cookieName, LoggerInterface $logger = null)
     {
-        $this->rememberMeServices = $rememberMeServices;
+        $this->rememberMeHandler = $rememberMeHandler;
         $this->secret = $secret;
         $this->tokenStorage = $tokenStorage;
-        $this->options = $options;
+        $this->cookieName = $cookieName;
+        $this->logger = $logger;
     }
 
     public function supports(Request $request): ?bool
@@ -57,33 +65,34 @@ public function supports(Request $request): ?bool
             return false;
         }
 
-        // if the attribute is set, this is a lazy firewall. The previous
-        // support call already indicated support, so return null and avoid
-        // recreating the cookie
-        if ($request->attributes->has('_remember_me_token')) {
-            return null;
+        if (($cookie = $request->attributes->get(ResponseListener::COOKIE_ATTR_NAME)) && null === $cookie->getValue()) {
+            return false;
         }
 
-        $token = $this->rememberMeServices->autoLogin($request);
-        if (null === $token) {
+        if (!$request->cookies->has($this->cookieName)) {
             return false;
         }
 
-        $request->attributes->set('_remember_me_token', $token);
+        if (null !== $this->logger) {
+            $this->logger->debug('Remember-me cookie detected.');
+        }
 
         // the `null` return value indicates that this authenticator supports lazy firewalls
         return null;
     }
 
     public function authenticate(Request $request): PassportInterface
     {
-        $token = $request->attributes->get('_remember_me_token');
-        if (null === $token) {
-            throw new \LogicException('No remember me token is set.');
+        $rawCookie = $request->cookies->get($this->cookieName);
+        if (!$rawCookie) {
+            throw new \LogicException('No remember-me cookie is found.');
         }
 
-        // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
-        return new SelfValidatingPassport(new UserBadge(method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername(), [$token, 'getUser']));
+        $rememberMeCookie = RememberMeDetails::fromRawCookie($rawCookie);
+
+        return new SelfValidatingPassport(new UserBadge($rememberMeCookie->getUserIdentifier(), function () use ($rememberMeCookie) {
+            return $this->rememberMeHandler->consumeRememberMeCookie($rememberMeCookie);
+        }));
     }
 
     public function createAuthenticatedToken(PassportInterface $passport, string $firewallName): TokenInterface
@@ -98,7 +107,15 @@ public function onAuthenticationSuccess(Request $request, TokenInterface $token,
 
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
     {
-        $this->rememberMeServices->loginFail($request, $exception);
+        if (null !== $this->logger) {
+            if ($exception instanceof UsernameNotFoundException) {
+                $this->logger->info('User for remember-me cookie not found.', ['exception' => $exception]);
+            } elseif ($exception instanceof UnsupportedUserException) {
+                $this->logger->warning('User class for remember-me cookie not supported.', ['exception' => $exception]);
+            } elseif (!$exception instanceof CookieTheftException) {
+                $this->logger->debug('Remember me authentication failed.', ['exception' => $exception]);
+            }
+        }
 
         return null;
     }

Event/DeauthenticatedEvent.php

@@ -15,7 +15,11 @@
 use Symfony\Contracts\EventDispatcher\Event;
 
 /**
- * Deauthentication happens in case the user has changed when trying to refresh the token.
+ * Deauthentication happens in case the user has changed when trying to
+ * refresh the token.
+ *
+ * Use {@see TokenDeauthenticatedEvent} if you want to cover all cases where
+ * a session is deauthenticated.
  *
  * @author Hamza Amrouche <[email protected]>
  */

Event/TokenDeauthenticatedEvent.php

@@ -0,0 +1,51 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Event;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Contracts\EventDispatcher\Event;
+
+/**
+ * This event is dispatched when the current security token is deauthenticated
+ * when trying to reference the token.
+ *
+ * This includes changes in the user ({@see DeauthenticatedEvent}), but
+ * also cases where there is no user provider available to refresh the user.
+ *
+ * Use this event if you want to trigger some actions whenever a user is
+ * deauthenticated and redirected back to the authentication entry point
+ * (e.g. clearing all remember-me cookies).
+ *
+ * @author Wouter de Jong <[email protected]>
+ */
+final class TokenDeauthenticatedEvent extends Event
+{
+    private $originalToken;
+    private $request;
+
+    public function __construct(TokenInterface $originalToken, Request $request)
+    {
+        $this->originalToken = $originalToken;
+        $this->request = $request;
+    }
+
+    public function getOriginalToken(): TokenInterface
+    {
+        return $this->originalToken;
+    }
+
+    public function getRequest(): Request
+    {
+        return $this->request;
+    }
+}

EventListener/CheckRememberMeConditionsListener.php

@@ -0,0 +1,79 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\EventListener;
+
+use Psr\Log\LoggerInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\RememberMeBadge;
+use Symfony\Component\Security\Http\Event\LoginFailureEvent;
+use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\Event\TokenDeauthenticatedEvent;
+use Symfony\Component\Security\Http\ParameterBagUtils;
+use Symfony\Component\Security\Http\RememberMe\RememberMeHandlerInterface;
+
+/**
+ * Checks if all conditions are met for remember me.
+ *
+ * The conditions that must be met for this listener to enable remember me:
+ *  A) This badge is present in the Passport
+ *  B) The remember_me key under your firewall is configured
+ *  C) The "remember me" functionality is activated. This is usually
+ *      done by having a _remember_me checkbox in your form, but
+ *      can be configured by the "always_remember_me" and "remember_me_parameter"
+ *      parameters under the "remember_me" firewall key (or "always_remember_me"
+ *      is enabled)
+ *
+ * @author Wouter de Jong <[email protected]>
+ *
+ * @final
+ * @experimental in 5.3
+ */
+class CheckRememberMeConditionsListener implements EventSubscriberInterface
+{
+    private $options;
+    private $logger;
+
+    public function __construct(array $options = [], ?LoggerInterface $logger = null)
+    {
+        $this->options = $options + ['always_remember_me' => false, 'remember_me_parameter' => '_remember_me'];
+        $this->logger = $logger;
+    }
+
+    public function onSuccessfulLogin(LoginSuccessEvent $event): void
+    {
+        $passport = $event->getPassport();
+        if (!$passport->hasBadge(RememberMeBadge::class)) {
+            return;
+        }
+
+        /** @var RememberMeBadge $badge */
+        $badge = $passport->getBadge(RememberMeBadge::class);
+        if (!$this->options['always_remember_me']) {
+            $parameter = ParameterBagUtils::getRequestParameterValue($event->getRequest(), $this->options['remember_me_parameter']);
+            if (!('true' === $parameter || 'on' === $parameter || '1' === $parameter || 'yes' === $parameter || true === $parameter)) {
+                if (null !== $this->logger) {
+                    $this->logger->debug('Remember me disabled; request does not contain remember me parameter ("{parameter}").', ['parameter' => $this->options['remember_me_parameter']]);
+                }
+
+                return;
+            }
+        }
+
+        $badge->enable();
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [LoginSuccessEvent::class => ['onSuccessfulLogin', -32]];
+    }
+}