src/Controller/SecurityController.php line 81

Open in your IDE?
  1. <?php
  3. namespace App\Controller;
  5. use App\Entity\OAuth2ClientProfile;
  6. use App\Entity\OAuth2UserConsent;
  7. use App\Entity\PasswordReset;
  8. use App\Entity\User;
  9. use App\Form\ForgotPasswordType;
  10. use App\Form\LoginType;
  11. use App\Form\PasswordResetType;
  12. use App\Service\ItmConnectApiService;
  13. use App\Service\OAuth2Authorize;
  14. use App\Service\SiteConfig;
  15. use DateTime;
  16. use DateTimeInterface;
  17. use Doctrine\ORM\EntityManagerInterface;
  18. use League\Bundle\OAuth2ServerBundle\Model\Client;
  19. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  20. use Symfony\Component\HttpFoundation\RedirectResponse;
  21. use Symfony\Component\HttpFoundation\Request;
  22. use Symfony\Component\HttpFoundation\Response;
  23. use Symfony\Component\Mailer\MailerInterface;
  24. use Symfony\Component\Mime\Address;
  25. use Symfony\Component\Mime\Email;
  26. use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
  27. use Symfony\Component\Routing\Annotation\Route;
  28. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  29. use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
  30. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  31. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  32. use Kreait\Firebase\Contract\Messaging;
  33. use Psr\Log\LoggerInterface;
  35. class SecurityController extends AbstractController
  36. {
  38.     public function __construct(
  39.         private ItmConnectApiService $itemconnect,
  40.         private EntityManagerInterface $em,
  41.         private OAuth2Authorize $oauth2Authorize,
  42.         private MailerInterface $mailer,
  43.         private SiteConfig $siteConfig,
  44.         private Messaging  $messaging,
  45.         private LoggerInterface $logger,
  46.     ) {}
  48.     /**
  49.      * @Route("/login", name="app_login")
  50.      */
  51.     public function login(AuthenticationUtils $authenticationUtilsRequest $request): Response
  52.     {
  54.         /** @var User $user */
  55.         $user $this->getUser();
  57.         if ($user) {
  58.             if ($user->canAccessBO()) {
  59.                 return $this->redirectToRoute('admin');
  60.             }
  61.             return $this->redirectToRoute('home');
  62.         }
  64.         $form $this->createForm(LoginType::class);
  65.         // get the login error if there is one
  66.         $error $authenticationUtils->getLastAuthenticationError();
  68.         // last username entered by the user
  69.         $lastUsername $authenticationUtils->getLastUsername();
  71.         return $this->render('security/login.html.twig', [
  72.             'last_username' => $lastUsername,
  73.             'form' => $form->createView(),
  74.             'error' => $error,
  75.         ]);
  76.     }
  78.     /**
  79.      * @Route("/forgot-password", name="app_password_request")
  80.      */
  81.     function forgot_password(Request $request): Response
  82.     {
  83.         $form $this->createForm(ForgotPasswordType::class);
  85.         $form->handleRequest($request);
  87.         if ($form->isSubmitted() && $form->isValid()) {
  89.             $email $form->getData('email');
  91.             $user $this->em->getRepository(User::class)->findOneBy(['email' => $email]);
  93.             if ($user) {
  95.                 // Create a password reset entry
  96.                 $passwordReset = new PasswordReset();
  97.                 $passwordReset->setEmail($user->getEmail());
  98.                 // $passwordReset->setToken(md5(rand()));
  99.                 // Generate a secure random token
  100.                 $passwordReset->setToken(bin2hex(random_bytes(32)));
  101.                 $passwordReset->setCreatedAt(new \DateTime('now'));
  102.                 $this->em->persist($passwordReset);
  103.                 $this->em->flush();
  105.                 // Generate the password reset link
  106.                 $reset_link $this->generateUrl('app_reset_password', ['token' => $passwordReset->getToken()], UrlGeneratorInterface::ABSOLUTE_URL);
  108.                 // Build the password reset email using a Twig HTML template
  109.                 $email = (new Email())
  110.                     ->from(new Address($this->siteConfig->getContactEmail(), 'Support Elvinck'))
  111.                     ->to($user->getEmail())
  112.                     ->subject('Réinitialisation de votre mot de passe')
  113.                     ->html(
  114.                         $html $this->renderView('emails/reset_password.html.twig', [
  115.                             'reset_link' => $reset_link
  116.                         ])
  117.                     );
  119.                 // Send the email via the mailer service
  120.                 $this->mailer->send($email);
  122.                 // Log the password reset request with user email and IP
  123.                 $this->logger->info('[PWD_RESET] Password reset email sent.', [
  124.                     'email' => $user->getEmail(),
  125.                     'ip' => $request->getClientIp(),
  126.                     'datetime' => (new \DateTime())->format('Y-m-d H:i:s'),
  127.                 ]);
  129.             }
  131.             $this->addFlash(
  132.                 'notice',
  133.                 'Si un compte est associé à cette adresse, un lien de réinitialisation vous a été envoyé par e-mail.'
  134.             );
  135.         }
  137.         return $this->render('security/forgot-password.html.twig', [
  138.             'form' => $form->createView()
  139.         ]);
  140.     }
  142.     /**
  143.      * @Route("/reset-password", name="app_reset_password")
  144.      */
  145.     function reset_password(Request $requestUserPasswordHasherInterface $passwordHasher): Response
  146.     {
  147.         $form $this->createForm(PasswordResetType::class);
  149.         $form->handleRequest($request);
  151.         $session $request->getSession();
  152.         $token $request->query->get('token');
  153.          // Store token in session and redirect to clean the URL (hide token)
  154.         if ($token) {
  155.             $session->set('reset_token'$token);
  156.             return $this->redirectToRoute('app_reset_password');
  157.         }
  159.         // Retrieve token from session
  160.         $token $session->get('reset_token');
  161.         $passwordReset $this->em->getRepository(PasswordReset::class)->findOneBy(['token' => $token]);
  162.         
  163.         // token does not exist or already used
  164.         if (!$passwordReset) {
  165.             $session->remove('reset_token');
  167.             // Log an invalid or expired token access attempt
  168.             $this->logger->warning('[PWD_RESET] Attempt to reset password with invalid or expired token.', [
  169.                 'token' => $token,
  170.                 'ip' => $request->getClientIp(),
  171.                 'datetime' => (new \DateTime())->format('Y-m-d H:i:s'),
  172.             ]);
  174.             $this->addFlash('error','Ce lien de réinitilisation a déjà été utilisé ou est non valide. Merci de refaire une nouvelle demande.');
  175.             return $this->redirectToRoute('app_password_request');
  176.             
  177.         } elseif ($passwordReset->getCreatedAt() < new \DateTime('-24 hours')) {
  178.             // token is expired
  179.             $this->em->remove($passwordReset);
  180.             $this->em->flush();
  181.             $session->remove('reset_token');
  183.             // Log an expired token access attempt
  184.             $this->logger->warning('[PWD_RESET] Expired password reset token.', [
  185.                     'token' => $token,
  186.                     'ip' => $request->getClientIp(),
  187.                     'datetime' => (new \DateTime())->format('Y-m-d H:i:s'),
  188.             ]);
  190.             $this->addFlash('error''Ce lien de réinitialisation a expiré. Merci de refaire une nouvelle demande.');
  191.             return $this->redirectToRoute('app_password_request');
  192.         }
  194.         //  valid token and valid form submission
  195.         if ($form->isSubmitted() && $form->isValid()) {
  197.             $user $this->em->getRepository(User::class)->findOneBy(['email' => $passwordReset->getEmail()]);
  199.             if ($user) {
  200.                 $datas $form->getData();
  202.                 $hashedPassword $passwordHasher->hashPassword(
  203.                     $user,
  204.                     $datas['password']
  205.                 );
  206.                 
  207.                 $user->setPassword($hashedPassword);
  208.                 $this->em->persist($user);
  209.                 $this->em->remove($passwordReset);
  211.                 $this->em->flush();
  212.                 
  213.                 // Log successful password reset with associated user email and IP
  214.                 $this->logger->info('[PWD_RESET] Password was successfully reset.', [
  215.                     'email' => $user->getEmail(),
  216.                     'ip' => $request->getClientIp(),
  217.                     'datetime' => (new \DateTime())->format('Y-m-d H:i:s'),
  218.                 ]);
  221.                 return $this->redirectToRoute('app_login');
  222.             }
  223.         }
  224.        
  226.         return $this->render('security/reset-password.html.twig', [
  227.             'form' => $form->createView()
  228.         ]);
  229.     }
  231.     /**
  232.      * @Route("/logout-itmconnect", name="app_logout_itmconnect")
  233.      */
  234.     public function logoutItmconnect()
  235.     {
  236.         /** @var User $user */
  237.         $user $this->getUser();
  239.         if ($user != null && $user->getIsItmConnect()) {
  240.             $refreshToken $user->getRefreshToken();
  241.             $this->itemconnect->itmLogout($refreshToken);
  242.         }
  244.         return $this->redirectToRoute('app_logout');
  245.     }
  247.     /**
  248.      * @Route("/logout", name="app_logout")
  249.      */
  250.     public function logout(Request $request)
  251.     {
  252.         $session $request->getSession();
  253.         if ($session->has('customReferrer')) return $this->redirectToRoute($session->get('customReferrer'));
  254.         throw new \LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
  255.     }
  257.     /**
  258.      * @Route("/before-authorize", name="before_oauth2_authorize")
  259.      */
  260.     public function beforeAuthorize(TokenStorageInterface $tokenStorageEventDispatcherInterface $eventDispatcherRequest $request): Response
  261.     {
  262.         /** @var User $user */
  263.         $user $this->getUser();
  265.         $url $this->generateUrl('custom_oauth2_authorize'$request->query->all());
  266.         $response =  new RedirectResponse($url);
  267.         if ($user) {
  268.             if ($user->getIsItmConnect() !== null && $user->getIsItmConnect()) {
  269.                 $refreshToken $user->getRefreshToken();
  270.                 $this->itemconnect->itmLogout($refreshToken);
  271.             }
  272.             $tokenStorage->setToken(null);
  273.             $response->headers->clearCookie('REMEMBERME');
  274.         }
  275.         $session $request->getSession();
  276.         $session->set('customReferrer'$url);
  277.         return $response;
  278.     }
  280.     /**
  281.      * @Route("/authorize2", name="custom_oauth2_authorize")
  282.      */
  283.     public function customAuthorize(Request $request): Response
  284.     {
  285.         $session $request->getSession();
  286.         if (!$session->has('customReferrer')) $session->set('customReferrer'$request->getRequestUri());
  287.         return $this->oauth2Authorize->indexAction($request);
  288.     }
  290.     /**
  291.      * @Route("/consent", name="app_consent")
  292.      */
  293.     public function consent(Request $request): Response
  294.     {
  295.         $clientId $request->query->get('client_id');
  296.         if (!$clientId || !ctype_alnum($clientId) || !$this->getUser()) {
  297.             return $this->redirectToRoute('index');
  298.         }
  299.         $appClient $this->em->getRepository(Client::class)->findOneBy(['identifier' => $clientId]);
  300.         if (!$appClient) {
  301.             return $this->redirectToRoute('index');
  302.         }
  303.         $appProfile $this->em->getRepository(OAuth2ClientProfile::class)->findOneBy(['client' => $appClient]);
  304.         $appName $appProfile->getName();
  306.         // Get the client scopes
  307.         $requestedScopes explode(' '$request->query->get('scope'));
  308.         // Get the client scopes in the database
  309.         $clientScopes $appClient->getScopes();
  311.         // Check all requested scopes are in the client scopes
  312.         if (count(array_diff($requestedScopes$clientScopes)) > 0) {
  313.             return $this->redirectToRoute('index');
  314.         }
  316.         // Check if the user has already consented to the scopes
  317.         /** @var User $user */
  318.         $user $this->getUser();
  319.         $userConsents $user->getOAuth2UserConsents()->filter(
  320.             fn(OAuth2UserConsent $consent) => $consent->getClient() === $appClient
  321.         )->first() ?: null;
  322.         $userScopes $userConsents?->getScopes() ?? [];
  323.         $hasExistingScopes count($userScopes) > 0;
  325.         // If user has already consented to the scopes, give consent
  326.         if (count(array_diff($requestedScopes$userScopes)) === 0) {
  327.             $request->getSession()->set('consent_granted'true);
  328.             return $this->redirectToRoute('custom_oauth2_authorize'$request->query->all());
  329.         }
  331.         // Remove the scopes to which the user has already consented
  332.         $requestedScopes array_diff($requestedScopes$userScopes);
  334.         // Map the requested scopes to scope names
  335.         $scopeNames = [
  336.             'profile' => 'Your profile',
  337.             'email' => 'Your email address'
  338.         ];
  340.         // Get all the scope names in the requested scopes.
  341.         $requestedScopeNames array_map(fn($scope) => $scopeNames[$scope], $requestedScopes);
  342.         $existingScopes array_map(fn($scope) => $scopeNames[$scope], $userScopes);
  343.         $request->getSession()->set('consent_granted'true);
  344.         // Add the requested scopes to the user's scopes
  345.         $consents $userConsents ?? new OAuth2UserConsent();
  346.         $consents->setScopes(array_merge($requestedScopes$userScopes));
  347.         $consents->setClient($appClient);
  348.         $consents->setCreated(new \DateTimeImmutable());
  349.         $consents->setExpires(new \DateTimeImmutable('+30 days'));
  350.         $consents->setIpAddress($request->getClientIp());
  351.         $user->addOAuth2UserConsent($consents);
  352.         $this->em->persist($consents);
  353.         $this->em->flush();
  354.         return $this->redirectToRoute('custom_oauth2_authorize'$request->query->all());
  355.     }
  357.     /**
  358.      * @Route("/.well-known/jwks.json", name="app_jwks")
  359.      */
  360.     public function jwks(): Response
  361.     {
  362.         // Load the public key from the filesystem and use OpenSSL to parse it.
  363.         $kernelDirectory $this->getParameter('kernel.project_dir');
  364.         $publicKey openssl_pkey_get_public(file_get_contents($kernelDirectory '/var/keys/public.key'));
  365.         $details openssl_pkey_get_details($publicKey);
  366.         $jwks = [
  367.             'keys' => [
  368.                 [
  369.                     'kty' => 'RSA',
  370.                     'alg' => 'RS256',
  371.                     'use' => 'sig',
  372.                     'kid' => '1',
  373.                     'n' => strtr(rtrim(base64_encode($details['rsa']['n']), '='), '+/''-_'),
  374.                     'e' => strtr(rtrim(base64_encode($details['rsa']['e']), '='), '+/''-_'),
  375.                 ],
  376.             ],
  377.         ];
  378.         return $this->json($jwks);
  379.     }
  381.     /**
  382.      * @Route("/subscribe-topic", name="app_subscribe_topic")
  383.      */
  384.     public function subscribeTopic(Request $request): Response
  385.     {
  386.         $body json_decode($request->getContent(), true);
  388.         if (isset($body['token'])) {
  390.             $topics $this->messaging->subscribeToTopic("global-fr"$body['token']);
  392.             return $this->json(["status" => "Success""data" => $topics], 200);
  393.         }
  395.         return $this->json(["status" => "Error""data" => "No token received to subscribe (expecting a body with token property)"], 500);
  396.     }
  397. }