feature symfony#38177 [Security] Magic login link authentication (weaverryan)

This PR was squashed before being merged into the 5.2-dev branch.

Discussion
----------

[Security] Magic login link authentication

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | none
| License       | MIT
| Doc PR        | TODO

Hi!

This adds a Slack-style "magic link" login authenticator to the new login system: (A) enter your email into a form, (B) receive an email with a link in it (C) click that link and you are authenticated!

For most users, implementing this would require:

A) Create a [controller](https://github.com/weaverryan/symfony-magic-login-link-example/blob/master/src/Controller/MagicLinkLoginController.php) with the "enter your email" form and a route for the "check" functionality (similar to `form_login`)
B) Activate in `security.yaml`:

```yml
security:
    enable_authenticator_manager: true
    # ...
    firewalls:
        # ...
        main:
            # ...
            login_link:
                check_route: 'magic_link_verify'
                # this is an important and powerful option
                # An array of properties on your User that are used to sign the link.
                # If any of these change, all existing links will become invalid
                # tl;dr If you want the modification of ANY field to invalidate ALL existing magic links immediately,
                # then you can add it to this list. You could even add a "lastLoginLinkSentAt" to invalid
                # all existing login links when a new one is sent.
                signature_properties: [id, password, email]

                # optional - by default, links can be reused but have a 10 minute lifetime
                #max_uses: 3
                #used_link_cache: cache.app
```

Done! This will generate a URL that looks something like this:

> https://127.0.0.1:9033/login/[email protected]&expires=1601342578&hash=YzE1ZDJlYjM3YTMyMjgwZDdkYzg2ZjFlMjZhN2E5ZWRmMzk3NjAxNjRjYThiMjMzNmIxYzAzYzQ4NmQ2Zjk4NA%3D%3D

We would implement a Maker command this config + login/controller. The implementation is done via a "signed URL" and an optional cache pool to "expire" links. The hash of the signed URL can contain any user fields you want, which give you a powerful mechanism to invalidate magic tokens on user data changes. See `signature_properties` above.

#### Security notes:

There is a LOT of variability about how secure these need to be:

* A) Many/most implementation only allow links to be used ONE time. That is *possible* with this implementation, but is not the *default*. You CAN add a `max_uses` config which stores the expired links in a cache so they cannot be re-used. However, to make this work, you need to do more work by adding some "page" between the link the users clicks and *actually* using the login link. Why? Because unless you do this, email clients may follow the link to "preview" it and will "consume" the link.

* B) Many implementations will invalidate all other login links for a user when a new one is created. We do *not* do that, but that IS possible (and we could even generate the code for it) by adding a `lastLoginLinkSentAt` field to `User` and including this in `signature_properties`.

* C) We *do* invalidate all links if the user's email address is changed (assuming the `email` is included in `signature_properties`, which it should be). You can also invalidate on password change or whatever you want.

* D) Some implementations add a "state" so that you can only use the link on the same device that created it. That is, in many cases, quite annoying. We do not currently support that, but we could in the future (and the user could add it themselves).

Thanks!

#### TODOS:

* [x] A) more tests: functional (?) traits
* [ ] B) documentation
* [ ] C) MakerBundle PR
* [ ] D) Make sure we have what we need to allow that "in between" page
* [ ] E) Create a new cache pool instead of relying on cache.app?

Commits
-------

a8afe10 [Security] Magic login link authentication

Author: fabpot

src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php

@@ -74,6 +74,7 @@ class UnusedTagsPass implements CompilerPassInterface
         'routing.route_loader',
         'security.expression_language_provider',
         'security.remember_me_aware',
+        'security.authenticator.login_linker',
         'security.voter',
         'serializer.encoder',
         'serializer.normalizer',

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/EntryPointFactoryInterface.php

@@ -26,5 +26,5 @@ interface EntryPointFactoryInterface
      * This does not mean that the entry point is also used. This is managed
      * by the "entry_point" firewall setting.
      */
-    public function registerEntryPoint(ContainerBuilder $container, string $id, array $config): ?string;
+    public function registerEntryPoint(ContainerBuilder $container, string $firewallName, array $config): ?string;
 }

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php

@@ -97,9 +97,9 @@ protected function createEntryPoint(ContainerBuilder $container, string $id, arr
         return $this->registerEntryPoint($container, $id, $config);
     }
 
-    public function registerEntryPoint(ContainerBuilder $container, string $id, array $config): string
+    public function registerEntryPoint(ContainerBuilder $container, string $firewallName, array $config): string
     {
-        $entryPointId = 'security.authentication.form_entry_point.'.$id;
+        $entryPointId = 'security.authentication.form_entry_point.'.$firewallName;
         $container
             ->setDefinition($entryPointId, new ChildDefinition('security.authentication.form_entry_point'))
             ->addArgument(new Reference('security.http_utils'))

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php

@@ -114,7 +114,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         return $authenticatorIds;
     }
 
-    public function registerEntryPoint(ContainerBuilder $container, string $id, array $config): ?string
+    public function registerEntryPoint(ContainerBuilder $container, string $firewallName, array $config): ?string
     {
         try {
             return $this->determineEntryPoint(null, $config);

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php

@@ -82,9 +82,9 @@ public function addConfiguration(NodeDefinition $node)
         ;
     }
 
-    public function registerEntryPoint(ContainerBuilder $container, string $id, array $config): string
+    public function registerEntryPoint(ContainerBuilder $container, string $firewallName, array $config): string
     {
-        $entryPointId = 'security.authentication.basic_entry_point.'.$id;
+        $entryPointId = 'security.authentication.basic_entry_point.'.$firewallName;
         $container
             ->setDefinition($entryPointId, new ChildDefinition('security.authentication.basic_entry_point'))
             ->addArgument($config['realm'])

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginLinkFactory.php

@@ -0,0 +1,159 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
+
+use Symfony\Component\Config\Definition\Builder\NodeBuilder;
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\Config\FileLocator;
+use Symfony\Component\DependencyInjection\ChildDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
+use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
+use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandler;
+
+/**
+ * @internal
+ * @experimental in 5.2
+ */
+class LoginLinkFactory extends AbstractFactory implements AuthenticatorFactoryInterface
+{
+    public function addConfiguration(NodeDefinition $node)
+    {
+        /** @var NodeBuilder $builder */
+        $builder = $node->children();
+
+        $builder
+            ->scalarNode('check_route')
+                ->isRequired()
+                ->info('Route that will validate the login link - e.g. app_login_link_verify')
+            ->end()
+            ->arrayNode('signature_properties')
+                ->prototype('scalar')->end()
+                ->requiresAtLeastOneElement()
+                ->info('An array of properties on your User that are used to sign the link. If any of these change, all existing links will become invalid')
+                ->example(['email', 'password'])
+            ->end()
+            ->integerNode('lifetime')
+                ->defaultValue(600)
+                ->info('The lifetime of the login link in seconds')
+            ->end()
+            ->integerNode('max_uses')
+                ->defaultNull()
+                ->info('Max number of times a login link can be used - null means unlimited within lifetime.')
+            ->end()
+            ->scalarNode('used_link_cache')
+                ->info('Cache service id used to expired links of max_uses is set')
+            ->end()
+            ->scalarNode('success_handler')
+                ->info(sprintf('A service id that implements %s', AuthenticationSuccessHandlerInterface::class))
+            ->end()
+            ->scalarNode('failure_handler')
+                ->info(sprintf('A service id that implements %s', AuthenticationFailureHandlerInterface::class))
+            ->end()
+            ->scalarNode('provider')
+                ->info('the user provider to load users from.')
+            ->end()
+        ;
+
+        foreach (array_merge($this->defaultSuccessHandlerOptions, $this->defaultFailureHandlerOptions) as $name => $default) {
+            if (\is_bool($default)) {
+                $builder->booleanNode($name)->defaultValue($default);
+            } else {
+                $builder->scalarNode($name)->defaultValue($default);
+            }
+        }
+    }
+
+    public function getKey()
+    {
+        return 'login-link';
+    }
+
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
+    {
+        if (!class_exists(LoginLinkHandler::class)) {
+            throw new \LogicException('Login login link requires symfony/security-http:^5.2.');
+        }
+
+        if (!$container->hasDefinition('security.authenticator.login_link')) {
+            $loader = new PhpFileLoader($container, new FileLocator(\dirname(__DIR__).'/../../Resources/config'));
+            $loader->load('security_authenticator_login_link.php');
+        }
+
+        if (null !== $config['max_uses'] && !isset($config['used_link_cache'])) {
+            $config['used_link_cache'] = 'security.authenticator.cache.expired_links';
+        }
+
+        $expiredStorageId = null;
+        if (isset($config['used_link_cache'])) {
+            $expiredStorageId = 'security.authenticator.expired_login_link_storage.'.$firewallName;
+            $container
+                ->setDefinition($expiredStorageId, new ChildDefinition('security.authenticator.expired_login_link_storage'))
+                ->replaceArgument(0, new Reference($config['used_link_cache']))
+                ->replaceArgument(1, $config['lifetime']);
+        }
+
+        $linkerId = 'security.authenticator.login_link_handler.'.$firewallName;
+        $linkerOptions = [
+            'route_name' => $config['check_route'],
+            'lifetime' => $config['lifetime'],
+            'max_uses' => $config['max_uses'] ?? null,
+        ];
+        $container
+            ->setDefinition($linkerId, new ChildDefinition('security.authenticator.abstract_login_link_handler'))
+            ->replaceArgument(1, new Reference($userProviderId))
+            ->replaceArgument(3, $config['signature_properties'])
+            ->replaceArgument(5, $linkerOptions)
+            ->replaceArgument(6, $expiredStorageId ? new Reference($expiredStorageId) : null)
+            ->addTag('security.authenticator.login_linker', ['firewall' => $firewallName])
+        ;
+
+        $authenticatorId = 'security.authenticator.login_link.'.$firewallName;
+        $container
+            ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.login_link'))
+            ->replaceArgument(0, new Reference($linkerId))
+            ->replaceArgument(2, new Reference($this->createAuthenticationSuccessHandler($container, $firewallName, $config)))
+            ->replaceArgument(3, new Reference($this->createAuthenticationFailureHandler($container, $firewallName, $config)))
+            ->replaceArgument(4, [
+                'check_route' => $config['check_route'],
+            ]);
+
+        return $authenticatorId;
+    }
+
+    public function getPosition()
+    {
+        return 'form';
+    }
+
+    protected function createAuthProvider(ContainerBuilder $container, string $id, array $config, string $userProviderId)
+    {
+        throw new \Exception('The old authentication system is not supported with login_link.');
+    }
+
+    protected function getListenerId()
+    {
+        throw new \Exception('The old authentication system is not supported with login_link.');
+    }
+
+    protected function createListener(ContainerBuilder $container, string $id, array $config, string $userProvider)
+    {
+        throw new \Exception('The old authentication system is not supported with login_link.');
+    }
+
+    protected function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPointId)
+    {
+        throw new \Exception('The old authentication system is not supported with login_link.');
+    }
+}

src/Symfony/Bundle/SecurityBundle/LoginLink/FirewallAwareLoginLinkHandler.php

@@ -0,0 +1,63 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\LoginLink;
+
+use Psr\Container\ContainerInterface;
+use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkDetails;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;
+
+/**
+ * Decorates the login link handler for the current firewall.
+ *
+ * @author Ryan Weaver <[email protected]>
+ */
+class FirewallAwareLoginLinkHandler implements LoginLinkHandlerInterface
+{
+    private $firewallMap;
+    private $loginLinkHandlerLocator;
+    private $requestStack;
+
+    public function __construct(FirewallMap $firewallMap, ContainerInterface $loginLinkHandlerLocator, RequestStack $requestStack)
+    {
+        $this->firewallMap = $firewallMap;
+        $this->loginLinkHandlerLocator = $loginLinkHandlerLocator;
+        $this->requestStack = $requestStack;
+    }
+
+    public function createLoginLink(UserInterface $user): LoginLinkDetails
+    {
+        return $this->getLoginLinkHandler()->createLoginLink($user);
+    }
+
+    public function consumeLoginLink(Request $request): UserInterface
+    {
+        return $this->getLoginLinkHandler()->consumeLoginLink($request);
+    }
+
+    private function getLoginLinkHandler(): LoginLinkHandlerInterface
+    {
+        if (null === $request = $this->requestStack->getCurrentRequest()) {
+            throw new \LogicException('Cannot determine the correct LoginLinkHandler to use: there is no active Request and so, the firewall cannot be determined. Try using the specific login link handler service.');
+        }
+
+        $firewallName = $this->firewallMap->getFirewallConfig($request)->getName();
+        if (!$this->loginLinkHandlerLocator->has($firewallName)) {
+            throw new \InvalidArgumentException(sprintf('No login link handler found. Did you add a login_link key under your "%s" firewall?', $firewallName));
+        }
+
+        return $this->loginLinkHandlerLocator->get($firewallName);
+    }
+}

src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_login_link.php

@@ -0,0 +1,72 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\DependencyInjection\Loader\Configurator;
+
+use Symfony\Bundle\SecurityBundle\LoginLink\FirewallAwareLoginLinkHandler;
+use Symfony\Component\Security\Http\Authenticator\LoginLinkAuthenticator;
+use Symfony\Component\Security\Http\LoginLink\ExpiredLoginLinkStorage;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandler;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;
+
+return static function (ContainerConfigurator $container) {
+    $container->services()
+        ->set('security.authenticator.login_link', LoginLinkAuthenticator::class)
+            ->abstract()
+            ->args([
+                abstract_arg('the login link handler instance'),
+                service('security.http_utils'),
+                abstract_arg('authentication success handler'),
+                abstract_arg('authentication failure handler'),
+                abstract_arg('options'),
+            ])
+
+        ->set('security.authenticator.abstract_login_link_handler', LoginLinkHandler::class)
+            ->abstract()
+            ->args([
+                service('router'),
+                abstract_arg('user provider'),
+                service('property_accessor'),
+                abstract_arg('signature properties'),
+                '%kernel.secret%',
+                abstract_arg('options'),
+                abstract_arg('expired login link storage'),
+            ])
+
+        ->set('security.authenticator.expired_login_link_storage', ExpiredLoginLinkStorage::class)
+            ->abstract()
+            ->args([
+                abstract_arg('cache pool service'),
+                abstract_arg('expired login link storage'),
+            ])
+
+        ->set('security.authenticator.cache.expired_links')
+            ->parent('cache.app')
+            ->private()
+            ->tag('cache.pool')
+
+        ->set('security.authenticator.firewall_aware_login_link_handler', FirewallAwareLoginLinkHandler::class)
+            ->args([
+                service('security.firewall.map'),
+                tagged_locator('security.authenticator.login_linker', 'firewall'),
+                service('request_stack'),
+            ])
+        ->alias(LoginLinkHandlerInterface::class, 'security.authenticator.firewall_aware_login_link_handler')
+
+        ->set('security.authenticator.entity_login_link_user_handler', EntityLoginLinkUserHandler::class)
+            ->abstract()
+            ->args([
+                service('doctrine'),
+                abstract_arg('user entity class name'),
+            ])
+
+    ;
+};

src/Symfony/Bundle/SecurityBundle/SecurityBundle.php

@@ -28,6 +28,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\HttpBasicLdapFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\JsonLoginFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\JsonLoginLdapFactory;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\LoginLinkFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\LoginThrottlingFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RememberMeFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RemoteUserFactory;
@@ -66,6 +67,7 @@ public function build(ContainerBuilder $container)
         $extension->addSecurityListenerFactory(new AnonymousFactory());
         $extension->addSecurityListenerFactory(new CustomAuthenticatorFactory());
         $extension->addSecurityListenerFactory(new LoginThrottlingFactory());
+        $extension->addSecurityListenerFactory(new LoginLinkFactory());
 
         $extension->addUserProviderFactory(new InMemoryFactory());
         $extension->addUserProviderFactory(new LdapFactory());