src/V4/EventSubscriber/PreventMultipleLoginsEventSubscriber.php line 86

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\V4\EventSubscriber;
  7. use ApiPlatform\Core\DataProvider\ItemDataProviderInterface;
  8. use App\Security\Exception\TokenNotWhitelistedException;
  9. use App\Security\User;
  10. use App\Service\ApiWebService;
  11. use App\V4\EventSubscriber\Sentry\RegisterTransactionIdEventSubscriber;
  12. use App\V4\Logger\SentryLogger;
  13. use App\V4\Model\Security\UserInfo;
  14. use DateInterval;
  15. use DateTimeInterface;
  16. use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTAuthenticatedEvent;
  17. use Lexik\Bundle\JWTAuthenticationBundle\Events;
  18. use Lexik\Bundle\JWTAuthenticationBundle\Exception\ExpiredTokenException;
  19. use LogicException;
  20. use Psr\Log\LogLevel;
  21. use Symfony\Component\Cache\Adapter\AdapterInterface;
  22. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  23. use Symfony\Component\HttpFoundation\Request;
  24. use Symfony\Component\HttpFoundation\RequestStack;
  26. class PreventMultipleLoginsEventSubscriber implements EventSubscriberInterface
  27. {
  28.     private const AUTHENTICATION_USER_KEY 'authentication.%customer_id%.%user_id%';
  30.     /**
  31.      * @var AdapterInterface
  32.      */
  33.     private $cache;
  35.     /**
  36.      * @var ApiWebService
  37.      */
  38.     private $apiWebService;
  40.     /**
  41.      * @var ItemDataProviderInterface
  42.      */
  43.     private $itemDataProvider;
  45.     /**
  46.      * @var SentryLogger
  47.      */
  48.     private $sentryLogger;
  50.     /**
  51.      * @var RequestStack
  52.      */
  53.     private $requestStack;
  55.     /**
  56.      * @var bool
  57.      */
  58.     private $enableWhitelist;
  60.     /**
  61.      * @SuppressWarnings(PHPMD.BooleanArgumentFlag)
  62.      */
  63.     public function __construct(
  64.         AdapterInterface $cache,
  65.         ApiWebService $apiWebService,
  66.         ItemDataProviderInterface $itemDataProvider,
  67.         SentryLogger $sentryLogger,
  68.         RequestStack $requestStack,
  69.         bool $enableWhitelist false
  70.     ) {
  71.         $this->cache $cache;
  72.         $this->apiWebService $apiWebService;
  73.         $this->itemDataProvider $itemDataProvider;
  74.         $this->sentryLogger $sentryLogger;
  75.         $this->requestStack $requestStack;
  76.         $this->enableWhitelist $enableWhitelist;
  77.     }
  79.     public static function getSubscribedEvents(): array
  80.     {
  81.         return [
  82.             Events::JWT_AUTHENTICATED => 'onJWTAuthenticated',
  83.         ];
  84.     }
  86.     public function onJWTAuthenticated(JWTAuthenticatedEvent $event): void
  87.     {
  88.         if ($this->supports($event) === false) {
  89.             return;
  90.         }
  92.         $tokenIssuedAt $event->getPayload()['iat'];
  93.         $tokenExpiresAt $event->getPayload()['exp'];
  95.         // Should be unnecessary as Lexik should have already checked that
  96.         if ($tokenExpiresAt time()) {
  97.             $this->sentryLogger->captureMessage(
  98.                 SentryLogger::CHANNEL_SECURITY,
  99.                 "Expired token used for user {$event->getToken()->getUser()->getUsername()}",
  100.                 ['event' => $event]
  101.             );
  103.             throw new ExpiredTokenException('Expired JWT Token');
  104.         }
  106.         $user $event->getToken()->getUser();
  107.         if (!$user instanceof User) {
  108.             $this->sentryLogger->captureMessage(
  109.                 SentryLogger::CHANNEL_SECURITY,
  110.                 "No user was logged-in, yet JWTAuthenticatedEvent was dispatched for user {$event->getToken()->getUser()->getUsername()}",
  111.                 ['event' => $event'user' => $user]
  112.             );
  114.             throw new LogicException('No user was logged-in, yet JWTAuthenticatedEvent was dispatched.');
  115.         }
  117.         $databaseUser $this->getDatabaseUser($user$event->getToken()->getCredentials());
  118.         if (!$databaseUser->getTokenValidAfter() instanceof DateTimeInterface) {
  119.             $this->sentryLogger->captureMessage(
  120.                 SentryLogger::CHANNEL_SECURITY,
  121.                 "User {$user->getUsername()} was never authenticated.",
  122.                 ['event' => $event'user' => $user'databaseUser' => $databaseUser]
  123.             );
  125.             throw new LogicException('User was never authenticated.');
  126.         }
  128.         if ($tokenIssuedAt $databaseUser->getTokenValidAfter()->getTimestamp()) {
  129.             $this->sentryLogger->captureMessage(
  130.                 SentryLogger::CHANNEL_SECURITY,
  131.                 "User {$user->getUsername()} tried to use a non-whitelisted token.",
  132.                 ['event' => $event'user' => $user'databaseUser' => $databaseUserSentryLogger::OPTION_NOT_NEED_SENTRY => true]
  133.             );
  135.             throw new TokenNotWhitelistedException('logout_mercure');
  136.         }
  138.         if ($tokenIssuedAt $databaseUser->getTokenValidAfter()->getTimestamp()) {
  139.             $this->clearCache($user);
  140.         }
  141.     }
  143.     private function supports(JWTAuthenticatedEvent $event): bool
  144.     {
  145.         // 1: Whitelist must be enabled
  146.         if (!$this->enableWhitelist) {
  147.             return false;
  148.         }
  150.         // 2: Only Requests should be supported
  151.         $request $this->requestStack->getCurrentRequest();
  152.         if (!$request instanceof Request) {
  153.             return false;
  154.         }
  156.         // 3: System Users should only be restricted if they are using the front API
  157.         $user $event->getToken()->getUser();
  158.         if ($user instanceof User && $user->isSystemUser()) {
  159.             $transactionId $request->headers->get(RegisterTransactionIdEventSubscriber::KEY_TRANSACTION_ID'');
  160.             if (empty($transactionId) || !str_starts_with($transactionId'front:')) {
  161.                 return false;
  162.             }
  163.         }
  165.         return true;
  166.     }
  168.     private function getDatabaseUser(User $userstring $bearerToken): UserInfo
  169.     {
  170.         $cachedUserItem $this
  171.             ->cache
  172.             ->getItem(str_replace(['%customer_id%''%user_id%'], [$user->getCustomerId(), $user->getUserId()], self::AUTHENTICATION_USER_KEY));
  174.         if (!$cachedUserItem->isHit()) {
  175.             $this->apiWebService->disableAuth();
  176.             $this->apiWebService->addHeader('Authorization''Bearer ' $bearerToken);
  177.             $databaseUser $this->itemDataProvider->getItem(UserInfo::class, $user->getUserId());
  179.             if (!$databaseUser instanceof UserInfo) {
  180.                 $this->sentryLogger->captureMessage(
  181.                     SentryLogger::CHANNEL_SECURITY,
  182.                     "User {$user->getUsername()} was not found in the database.",
  183.                     ['user' => $user]
  184.                 );
  186.                 throw new LogicException(sprintf('User [%s] was not found in the database.'$user->getUserId()));
  187.             }
  189.             $cachedUserItem
  190.                 // Force check every 5 minutes, should be necessary as any new token should delete the cache
  191.                 ->expiresAfter(new DateInterval('PT5M'))
  192.                 ->set($databaseUser);
  193.             $this->cache->save($cachedUserItem);
  194.         }
  196.         return $cachedUserItem->get();
  197.     }
  199.     private function clearCache(User $user): void
  200.     {
  201.         $this
  202.             ->cache
  203.             ->deleteItem(
  204.                 str_replace(
  205.                     ['%customer_id%''%user_id%'],
  206.                     [$user->getCustomerId(), $user->getUserId()],
  207.                     self::AUTHENTICATION_USER_KEY
  208.                 )
  209.             );
  210.     }
  211. }