Merge pull request #18178 from craftcms/feature/session-authorizations

[6.x] Session authorizations + elevated sessions

Author: brandonkelly

CHANGELOG-WIP.md

@@ -142,6 +142,11 @@ Craft's Mutex classes have been deprecated. [Laravel's atomic locking](https://l
 - Deprecated `\craft\records\RecoveryCodes`. `\CraftCms\Cms\Auth\Models\RecoveryCodes` should be used instead.
 - Deprecated `\craft\records\SsoIdentity`. `\CraftCms\Cms\Auth\Models\SsoIdentity` should be used instead.
 - Deprecated `\craft\records\WebAuthn`. `\CraftCms\Cms\Auth\Models\WebAuthn` should be used instead.
+- Deprecated `craft\behaviors\SessionBehavior::authorize`. `CraftCms\Cms\Auth\SessionAuth::authorize` should be used instead.
+- Deprecated `craft\behaviors\SessionBehavior::deauthorize`. `CraftCms\Cms\Auth\SessionAuth::deauthorize` should be used instead.
+- Deprecated `craft\behaviors\SessionBehavior::checkAuthorization`. `CraftCms\Cms\Auth\SessionAuth::checkAuthorization` should be used instead.
+- Deprecated `GeneralConfig::elevatedSessionDuration()`. The `auth.password_timeout` config value should be used instead. To disable password confirmation (elevated sessions), you now set this value to `-1` instead of `0`.
+    - Elevated sessions now work through [Laravel's password confirmation](https://laravel.com/docs/12.x/authentication#password-confirmation) system.
 
 ## Drafts
 

routes/actions.php

@@ -53,7 +53,6 @@
 use CraftCms\Cms\Http\Middleware\RequireAdmin;
 use CraftCms\Cms\Http\Middleware\RequireAdminChanges;
 use CraftCms\Cms\Http\Middleware\RequireEdition;
-use CraftCms\Cms\Http\Middleware\RequireElevatedSession;
 use CraftCms\Cms\Http\Middleware\RequireToken;
 use CraftCms\Cms\Support\Str;
 use Illuminate\Foundation\Http\Middleware\VerifyCsrfToken;
@@ -273,7 +272,7 @@
         Route::post('app/cache-updates', [UpdatesController::class, 'cache']);
 
         // Users
-        Route::middleware([RequireElevatedSession::class])->group(function () {
+        Route::middleware('password.confirm')->group(function () {
             Route::post('users/impersonate', [ImpersonationController::class, 'impersonate']);
             Route::post('users/get-impersonation-url', [ImpersonationController::class, 'getUrl']);
         });

src/Auth/Concerns/ConfirmsPasswords.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CraftCms\Cms\Auth\Concerns;
+
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Date;
+use Illuminate\Support\Facades\Session;
+
+use function CraftCms\Cms\t;
+
+trait ConfirmsPasswords
+{
+    protected function confirmPassword(): void
+    {
+        Session::passwordConfirmed();
+    }
+
+    protected function requireConfirmedPassword(?string $message = null): void
+    {
+        abort_unless(
+            $this->isPasswordConfirmed(),
+            403,
+            $message ?? t('This action may only be performed with an elevated session.')
+        );
+    }
+
+    protected function isPasswordConfirmed(): bool
+    {
+        $maximumSecondsSinceConfirmation = config('auth.password_timeout', 900);
+
+        if ($maximumSecondsSinceConfirmation === -1) {
+            return true;
+        }
+
+        return $this->confirmedPasswordTimeout() !== 0;
+    }
+
+    protected function confirmedPasswordTimeout(): int|false
+    {
+        if (Auth::check()) {
+            $maximumSecondsSinceConfirmation = config('auth.password_timeout', 300);
+            $confirmedAt = Session::get('auth.password_confirmed_at');
+
+            if ($confirmedAt !== null) {
+                $diff = Date::now()->unix() - $confirmedAt;
+                $remainingTime = $maximumSecondsSinceConfirmation - $diff;
+
+                if ($remainingTime >= 0) {
+                    return $remainingTime;
+                }
+            }
+        }
+
+        // If it has been disabled, return false.
+        if (config('auth.password_timeout') === -1) {
+            return false;
+        }
+
+        return 0;
+    }
+}

src/Http/EnforcesPermissions.php src/Auth/Concerns/EnforcesPermissions.phpsrc/Http/EnforcesPermissions.php renamed to src/Auth/Concerns/EnforcesPermissions.php

@@ -2,17 +2,15 @@
 
 declare(strict_types=1);
 
-namespace CraftCms\Cms\Http;
+namespace CraftCms\Cms\Auth\Concerns;
 
 use Craft;
 use craft\elements\Entry;
+use CraftCms\Cms\Auth\SessionAuth;
 use CraftCms\Cms\Site\Data\Site;
 use CraftCms\Cms\Support\Facades\Sites;
-use CraftCms\Yii2Adapter\IdentityWrapper;
 use Illuminate\Support\Facades\Auth;
 
-use function CraftCms\Cms\t;
-
 trait EnforcesPermissions
 {
     protected function enforeSitePermission(Site $site): void
@@ -42,7 +40,7 @@ protected function enforceEditEntryPermissions(Entry $entry, bool $duplicate = f
 
     protected function requireSessionAuthorization(string $permission): void
     {
-        if (! Craft::$app->getSession()->checkAuthorization($permission)) {
+        if (! SessionAuth::checkAuthorization($permission)) {
             abort(403, 'User is not authorized to perform this action.');
         }
     }
@@ -58,19 +56,6 @@ protected function requirePermission(string $permission): void
         }
     }
 
-    protected function requireElevatedSession(): void
-    {
-        Craft::$app->getUser()->setIdentity(
-            new IdentityWrapper(Auth::user()),
-        );
-
-        abort_unless(
-            Craft::$app->getUser()->getHasElevatedSession(),
-            403,
-            t('This action may only be performed with an elevated session.'),
-        );
-    }
-
     protected function requireAdmin(): void
     {
         abort_unless(Auth::user()->isAdmin(), 403, 'User is not permitted to perform this action.');

src/Auth/SessionAuth.php

@@ -0,0 +1,77 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CraftCms\Cms\Auth;
+
+use CraftCms\Cms\Cms;
+use Illuminate\Support\Facades\Cache;
+use Illuminate\Support\Facades\Session;
+
+final class SessionAuth
+{
+    private const string AUTH_LOCK_NAME = 'authAccess';
+
+    /**
+     * @var string|null The session variable name used to store the authorization keys for the current session.
+     *
+     * @see authorize()
+     * @see deauthorize()
+     * @see checkAuthorization()
+     */
+    public static ?string $authAccessParam = '__auth_access';
+
+    /**
+     * Authorizes the user to perform an action for the duration of the session.
+     */
+    public static function authorize(string $action): void
+    {
+        Cache::lock(self::AUTH_LOCK_NAME)->block(5, function () use ($action) {
+            $access = Session::get(self::authAccessParam(), []);
+
+            if (in_array($action, $access, true)) {
+                return;
+            }
+
+            $access[] = $action;
+
+            Session::put(self::authAccessParam(), $access);
+        });
+    }
+
+    /**
+     * Deauthorizes the user from performing an action.
+     */
+    public static function deauthorize(string $action): void
+    {
+        Cache::lock(self::AUTH_LOCK_NAME)->block(5, function () use ($action) {
+            $access = Session::get(self::authAccessParam(), []);
+            $index = array_search($action, $access, true);
+
+            if ($index === false) {
+                return;
+            }
+
+            array_splice($access, $index, 1);
+
+            Session::put(self::authAccessParam(), $access);
+        });
+    }
+
+    /**
+     * Returns whether the user is authorized to perform an action.
+     */
+    public static function checkAuthorization(string $action): bool
+    {
+        $access = Session::get(self::authAccessParam(), []);
+
+        return in_array($action, $access, true);
+    }
+
+    private static function authAccessParam(): string
+    {
+        $prefix = md5('CraftSession'.Cms::envId());
+
+        return $prefix.self::$authAccessParam;
+    }
+}

src/Cms.php

@@ -41,4 +41,9 @@ public static function systemName(): string
 
         return $name ?: config('app.name', 'Craft');
     }
+
+    public static function envId(): string
+    {
+        return sprintf('%s--%s', self::systemName(), app()->environment());
+    }
 }