custom/plugins/IwvTwoFactorAuthentication/src/Subscriber/BackendLoginSubscriber.php line 81

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Iwv\IwvTwoFactorAuthentication\Subscriber;
  7. use League\OAuth2\Server\Exception\OAuthServerException;
  8. use Shopware\Core\PlatformRequest;
  9. use Shopware\Core\Framework\Context;
  10. use Shopware\Core\Framework\DataAbstractionLayer\EntityRepositoryInterface;
  11. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  12. use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\EqualsFilter;
  13. use Shopware\Core\System\User\UserEntity;
  14. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  15. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpKernel\KernelEvents;
  19. use Iwv\IwvTwoFactorAuthentication\Service\TwoFactorAdaptors\GoogleAuthenticatorAdaptor;
  20. use Iwv\IwvTwoFactorAuthentication\Service\TwoFactorAdaptors\YubicoAuthenticatorAdaptor;
  21. use Iwv\IwvTwoFactorAuthentication\Service\TwoFactorAdaptors\EmailAuthenticatorAdaptor;
  22. use Iwv\IwvTwoFactorAuthentication\Service\CookieHelperValidator;
  23. use Iwv\IwvTwoFactorAuthentication\Service\SessionHelpers\SessionTokenHelper;
  24. use Exception;
  26. class BackendLoginSubscriber implements EventSubscriberInterface
  27. {
  28.     /**
  29.      * @var EntityRepositoryInterface
  30.      */
  31.     private $userRepository;
  33.     /**
  34.      * @var CookieHelperValidator
  35.      */
  36.     private $cookieHelperValidator;
  38.     /**
  39.      * @var GoogleAuthenticatorAdaptor
  40.      */
  41.     private $googleAuthenticatorAdaptor;
  43.     /**
  44.      * @var YubicoAuthenticatorAdaptor
  45.      */
  46.     private $yubicoAuthenticatorAdaptor;
  48.     /**
  49.      * @var EmailAuthenticatorAdaptor
  50.      */
  51.     private $emailAuthenticatorAdaptor;
  53.     /**
  54.      * @var SessionTokenHelper
  55.      */
  56.     private $sessionTokenHelper;
  58.     public function __construct(
  59.         EntityRepositoryInterface $userRepository,
  60.         CookieHelperValidator $cookieHelperValidator,
  61.         GoogleAuthenticatorAdaptor $googleAuthenticatorAdaptor,
  62.         YubicoAuthenticatorAdaptor $yubicoAuthenticatorAdaptor,
  63.         EmailAuthenticatorAdaptor $emailAuthenticatorAdaptor,
  64.         SessionTokenHelper $sessionTokenHelper
  65.     ) {
  66.         $this->userRepository $userRepository;
  67.         $this->cookieHelperValidator $cookieHelperValidator;
  68.         $this->googleAuthenticatorAdaptor $googleAuthenticatorAdaptor;
  69.         $this->yubicoAuthenticatorAdaptor $yubicoAuthenticatorAdaptor;
  70.         $this->emailAuthenticatorAdaptor $emailAuthenticatorAdaptor;
  71.         $this->sessionTokenHelper $sessionTokenHelper;
  72.     }
  74.     public static function getSubscribedEvents()
  75.     {
  76.         return [
  77.             KernelEvents::RESPONSE => 'onResponse',
  78.         ];
  79.     }
  81.     public function onResponse(ResponseEvent $event): void
  82.     {
  84.         /** @var \Symfony\Component\HttpFoundation\Request $request */
  85.         $request $event->getRequest();
  87.         /** @var \Symfony\Component\HttpFoundation\JsonResponse $response */
  88.         $response $event->getResponse();
  90.         /* return on invalid requests */
  91.         if (!in_array($event->getResponse()->getStatusCode(), [200204])) {
  92.             return;
  93.         }
  95.         /* $event->getContext() does not exists */
  96.         $context $request->attributes->get(PlatformRequest::ATTRIBUTE_CONTEXT_OBJECT);
  98.         /* update cookie request on profiles change */
  99.         if (
  100.             $request->attributes->get('_route') === 'api.action.iwv.two-factor.backend.google-authenticator' || 
  101.             $request->attributes->get('_route') === 'api.action.iwv.two-factor.backend.yubico-configurator' ||
  102.             $request->attributes->get('_route') === 'api.action.iwv.two-factor.backend.email-validate' ||
  103.             $request->attributes->get('_route') === 'api.action.iwv.two-factor.backend.disable-validator'
  104.         ) {
  106.             $responseContent json_decode($response->getContent(), true);
  108.             if (!array_key_exists('status'$responseContent['response']) || !$responseContent['response']['status']) {
  109.                 return;
  110.             }
  112.             if ($responseContent['response']['userId']) {
  113.                 $userDB $context->scope(Context::SYSTEM_SCOPE, fn(Context $systemContext) => $this->userRepository->search(new Criteria([$responseContent['response']['userId']]), $systemContext)->first());
  114.                 $customFields $userDB->getCustomFields();
  115.                 $twoFaParams $customFields['iwvTwoFactor'] ?? [];
  116.                 $response = !empty($twoFaParams) ? $this->cookieHelperValidator->addTwoFaCookie($response$userDB) : $this->cookieHelperValidator->removeTwoFaCookie($response);
  117.                 $event->setResponse($response);
  118.             }
  119.             return;
  120.         }
  121.         if ($request->attributes->get('_route') !== 'api.oauth.token') {
  122.             return;
  123.         }
  124.     
  125.         $username $request->request->get('username');
  126.         /** @var UserEntity $userDB */
  127.         $userDB $context->scope(Context::SYSTEM_SCOPE, fn(Context $systemContext) => $this->userRepository->search((new Criteria())->addFilter(new EqualsFilter('username'$username)), $systemContext)->first());
  128.         
  129.         if(!$userDB){
  130.             return;
  131.         }
  133.         if ($this->cookieHelperValidator->hasScope($request\Shopware\Core\Framework\Api\OAuth\Scope\UserVerifiedScope::IDENTIFIER) ) {
  134.             return;    
  135.         }
  137.         $customFields $userDB->getCustomFields();
  138.         if (!$customFields || !isset($customFields['iwvTwoFactor']) || empty($customFields['iwvTwoFactor']) || ($this->cookieHelperValidator->hasScope($request\Shopware\Core\Framework\Api\OAuth\Scope\UserVerifiedScope::IDENTIFIER) && $this->cookieHelperValidator->hasTwoFaCookie($request$userDB))) {
  139.             return;
  140.         }
  141.         else if($customFields && isset($customFields['iwvTwoFactor'])
  142.         ){
  143.             $isSessionTokenValid $context->scope(Context::SYSTEM_SCOPE, fn(Context $systemContext) => $this->sessionTokenHelper->isSessionTokenValid($context$request$userDB));
  144.             if($isSessionTokenValid){
  145.                 $response $this->cookieHelperValidator->addTwoFaCookie($response$userDB);
  146.                 $event->setResponse($response);
  147.                 return;
  148.             }
  149.         }
  151.         $context->scope(Context::SYSTEM_SCOPE, fn(Context $systemContext) => $this->emailAuthenticatorAdaptor->load($systemContext$userDB));
  153.         try {
  154.             
  155.             $authenticatorCode = (string) $request->request->get('iwvAuthenticator');
  156.             $authenticatorData = (array) $request->request->get('iwvAuthenticationToken');
  157.             $rememberBrowser = (bool) $request->request->get('iwvTwoFaRememberBrowser');
  159.             if (!isset($authenticatorCode)) {  
  160.                 throw new Exception('OTP is required'1200);
  161.             } elseif (!isset($customFields['iwvTwoFactor'][$authenticatorCode])) {
  162.                 throw new Exception('Authenticator is not configured'1200);
  163.             }
  165.             switch ($authenticatorCode) {
  166.                 case 'emailAuth';
  167.                     if($authenticatorData['sendCodeButton']){
  168.                         $this->emailAuthenticatorAdaptor->sendLoginEmailCode();  
  169.                         throw new Exception('Email has been sent'1203);
  170.                     }
  171.                     else{
  172.                         $emailData $this->emailAuthenticatorAdaptor->authenticate(($authenticatorData['otpValue'] ?? ''));
  173.                         
  174.                         if(!$emailData['verified']){
  175.                             if($emailData['error'] === 'expired'){
  176.                                 throw new Exception('Invalid authentication code'1201);
  177.                             }
  178.                             else{
  179.                                 throw new Exception('Authentication code expired'1201);
  180.                             }
  181.                         }
  182.                         $customFields $this->emailAuthenticatorAdaptor->removeEmailAuthCode();
  183.                     }
  184.                     break;
  185.                 case 'yubico';
  186.                     if (!$this->yubicoAuthenticatorAdaptor->authenticate($customFields['iwvTwoFactor']['yubico']['clientId'], $customFields['iwvTwoFactor']['yubico']['secret'], ($authenticatorData['otpValue'] ?? ''))) {
  187.                         throw new Exception('Invalid authentication code'1201);
  188.                     }
  189.                     break;
  190.                 case 'otp2fa';
  191.                     if (!$this->googleAuthenticatorAdaptor->authenticate($customFields['iwvTwoFactor']['otp2fa']['secret'], ($authenticatorData['otpValue'] ?? ''))) {
  192.                         throw new Exception('Invalid authentication code'1201);
  193.                     }
  194.                     break;
  195.             }
  197.             $response $this->cookieHelperValidator->addTwoFaCookie($response$userDB);
  198.             if($rememberBrowser){
  199.                 $response $this->sessionTokenHelper->createNewSessionCookie($context$response$userDB$customFields);
  200.             }
  201.             else{
  202.                 $response $this->sessionTokenHelper->removeTwoFaCookie($context$response$userDB$customFields);
  203.             }
  204.             
  205.             $event->setResponse($response);
  207.         } catch (\Exception $ex) {
  208.             throw new OAuthServerException('OTP is required'$ex->getCode(), 'iwv-request-otp'401array_keys($customFields['iwvTwoFactor']));
  209.         }
  210.     }
  211. }