[Security] Magic login link authentication

Author: weaverryan

src/Symfony/Bundle/FrameworkBundle/DependencyInjection/Compiler/UnusedTagsPass.php

@@ -74,6 +74,7 @@ class UnusedTagsPass implements CompilerPassInterface
         'routing.route_loader',
         'security.expression_language_provider',
         'security.remember_me_aware',
+        'security.authenticator.login_linker',
         'security.voter',
         'serializer.encoder',
         'serializer.normalizer',

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/EntryPointFactoryInterface.php

@@ -26,5 +26,5 @@ interface EntryPointFactoryInterface
      * This does not mean that the entry point is also used. This is managed
      * by the "entry_point" firewall setting.
      */
-    public function registerEntryPoint(ContainerBuilder $container, string $id, array $config): ?string;
+    public function registerEntryPoint(ContainerBuilder $container, string $firewallName, array $config): ?string;
 }

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php

@@ -97,9 +97,9 @@ protected function createEntryPoint(ContainerBuilder $container, string $id, arr
         return $this->registerEntryPoint($container, $id, $config);
     }
 
-    public function registerEntryPoint(ContainerBuilder $container, string $id, array $config): string
+    public function registerEntryPoint(ContainerBuilder $container, string $firewallName, array $config): string
     {
-        $entryPointId = 'security.authentication.form_entry_point.'.$id;
+        $entryPointId = 'security.authentication.form_entry_point.'.$firewallName;
         $container
             ->setDefinition($entryPointId, new ChildDefinition('security.authentication.form_entry_point'))
             ->addArgument(new Reference('security.http_utils'))

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/GuardAuthenticationFactory.php

@@ -114,7 +114,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         return $authenticatorIds;
     }
 
-    public function registerEntryPoint(ContainerBuilder $container, string $id, array $config): ?string
+    public function registerEntryPoint(ContainerBuilder $container, string $firewallName, array $config): ?string
     {
         try {
             return $this->determineEntryPoint(null, $config);

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/HttpBasicFactory.php

@@ -82,9 +82,9 @@ public function addConfiguration(NodeDefinition $node)
         ;
     }
 
-    public function registerEntryPoint(ContainerBuilder $container, string $id, array $config): string
+    public function registerEntryPoint(ContainerBuilder $container, string $firewallName, array $config): string
     {
-        $entryPointId = 'security.authentication.basic_entry_point.'.$id;
+        $entryPointId = 'security.authentication.basic_entry_point.'.$firewallName;
         $container
             ->setDefinition($entryPointId, new ChildDefinition('security.authentication.basic_entry_point'))
             ->addArgument($config['realm'])

src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LoginLinkFactory.php

@@ -0,0 +1,159 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
+
+use Symfony\Component\Config\Definition\Builder\NodeBuilder;
+use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\Config\FileLocator;
+use Symfony\Component\DependencyInjection\ChildDefinition;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
+use Symfony\Component\DependencyInjection\Reference;
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
+use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandler;
+
+/**
+ * @internal
+ * @experimental in 5.2
+ */
+class LoginLinkFactory extends AbstractFactory implements AuthenticatorFactoryInterface
+{
+    public function addConfiguration(NodeDefinition $node)
+    {
+        /** @var NodeBuilder $builder */
+        $builder = $node->children();
+
+        $builder
+            ->scalarNode('check_route')
+                ->isRequired()
+                ->info('Route that will validate the login link - e.g. app_login_link_verify')
+            ->end()
+            ->arrayNode('signature_properties')
+                ->prototype('scalar')->end()
+                ->requiresAtLeastOneElement()
+                ->info('An array of properties on your User that are used to sign the link. If any of these change, all existing links will become invalid')
+                ->example(['email', 'password'])
+            ->end()
+            ->integerNode('lifetime')
+                ->defaultValue(600)
+                ->info('The lifetime of the login link in seconds')
+            ->end()
+            ->integerNode('max_uses')
+                ->defaultNull()
+                ->info('Max number of times a login link can be used - null means unlimited within lifetime.')
+            ->end()
+            ->scalarNode('used_link_cache')
+                ->info('Cache service id used to expired links of max_uses is set')
+            ->end()
+            ->scalarNode('success_handler')
+                ->info(sprintf('A service id that implements %s', AuthenticationSuccessHandlerInterface::class))
+            ->end()
+            ->scalarNode('failure_handler')
+                ->info(sprintf('A service id that implements %s', AuthenticationFailureHandlerInterface::class))
+            ->end()
+            ->scalarNode('provider')
+                ->info('the user provider to load users from.')
+            ->end()
+        ;
+
+        foreach (array_merge($this->defaultSuccessHandlerOptions, $this->defaultFailureHandlerOptions) as $name => $default) {
+            if (\is_bool($default)) {
+                $builder->booleanNode($name)->defaultValue($default);
+            } else {
+                $builder->scalarNode($name)->defaultValue($default);
+            }
+        }
+    }
+
+    public function getKey()
+    {
+        return 'login-link';
+    }
+
+    public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
+    {
+        if (!class_exists(LoginLinkHandler::class)) {
+            throw new \LogicException('Login login link requires symfony/security-http:^5.2.');
+        }
+
+        if (!$container->hasDefinition('security.authenticator.login_link')) {
+            $loader = new PhpFileLoader($container, new FileLocator(\dirname(__DIR__).'/../../Resources/config'));
+            $loader->load('security_authenticator_login_link.php');
+        }
+
+        if (null !== $config['max_uses'] && !isset($config['used_link_cache'])) {
+            $config['used_link_cache'] = 'security.authenticator.cache.expired_links';
+        }
+
+        $expiredStorageId = null;
+        if (isset($config['used_link_cache'])) {
+            $expiredStorageId = 'security.authenticator.expired_login_link_storage.'.$firewallName;
+            $container
+                ->setDefinition($expiredStorageId, new ChildDefinition('security.authenticator.expired_login_link_storage'))
+                ->replaceArgument(0, new Reference($config['used_link_cache']))
+                ->replaceArgument(1, $config['lifetime']);
+        }
+
+        $linkerId = 'security.authenticator.login_link_handler.'.$firewallName;
+        $linkerOptions = [
+            'route_name' => $config['check_route'],
+            'lifetime' => $config['lifetime'],
+            'max_uses' => $config['max_uses'] ?? null,
+        ];
+        $container
+            ->setDefinition($linkerId, new ChildDefinition('security.authenticator.abstract_login_link_handler'))
+            ->replaceArgument(1, new Reference($userProviderId))
+            ->replaceArgument(3, $config['signature_properties'])
+            ->replaceArgument(5, $linkerOptions)
+            ->replaceArgument(6, $expiredStorageId ? new Reference($expiredStorageId) : null)
+            ->addTag('security.authenticator.login_linker', ['firewall' => $firewallName])
+        ;
+
+        $authenticatorId = 'security.authenticator.login_link.'.$firewallName;
+        $container
+            ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.login_link'))
+            ->replaceArgument(0, new Reference($linkerId))
+            ->replaceArgument(2, new Reference($this->createAuthenticationSuccessHandler($container, $firewallName, $config)))
+            ->replaceArgument(3, new Reference($this->createAuthenticationFailureHandler($container, $firewallName, $config)))
+            ->replaceArgument(4, [
+                'check_route' => $config['check_route'],
+            ]);
+
+        return $authenticatorId;
+    }
+
+    public function getPosition()
+    {
+        return 'form';
+    }
+
+    protected function createAuthProvider(ContainerBuilder $container, string $id, array $config, string $userProviderId)
+    {
+        throw new \Exception('The old authentication system is not supported with login_link.');
+    }
+
+    protected function getListenerId()
+    {
+        throw new \Exception('The old authentication system is not supported with login_link.');
+    }
+
+    protected function createListener(ContainerBuilder $container, string $id, array $config, string $userProvider)
+    {
+        throw new \Exception('The old authentication system is not supported with login_link.');
+    }
+
+    protected function createEntryPoint(ContainerBuilder $container, string $id, array $config, ?string $defaultEntryPointId)
+    {
+        throw new \Exception('The old authentication system is not supported with login_link.');
+    }
+}

src/Symfony/Bundle/SecurityBundle/LoginLink/FirewallAwareLoginLinkHandler.php

@@ -0,0 +1,63 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\LoginLink;
+
+use Psr\Container\ContainerInterface;
+use Symfony\Bundle\SecurityBundle\Security\FirewallMap;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkDetails;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;
+
+/**
+ * Decorates the login link handler for the current firewall.
+ *
+ * @author Ryan Weaver <[email protected]>
+ */
+class FirewallAwareLoginLinkHandler implements LoginLinkHandlerInterface
+{
+    private $firewallMap;
+    private $loginLinkHandlerLocator;
+    private $requestStack;
+
+    public function __construct(FirewallMap $firewallMap, ContainerInterface $loginLinkHandlerLocator, RequestStack $requestStack)
+    {
+        $this->firewallMap = $firewallMap;
+        $this->loginLinkHandlerLocator = $loginLinkHandlerLocator;
+        $this->requestStack = $requestStack;
+    }
+
+    public function createLoginLink(UserInterface $user): LoginLinkDetails
+    {
+        return $this->getLoginLinkHandler()->createLoginLink($user);
+    }
+
+    public function consumeLoginLink(Request $request): UserInterface
+    {
+        return $this->getLoginLinkHandler()->consumeLoginLink($request);
+    }
+
+    private function getLoginLinkHandler(): LoginLinkHandlerInterface
+    {
+        if (null === $request = $this->requestStack->getCurrentRequest()) {
+            throw new \LogicException('Cannot determine the correct LoginLinkHandler to use: there is no active Request and so, the firewall cannot be determined. Try using the specific login link handler service.');
+        }
+
+        $firewallName = $this->firewallMap->getFirewallConfig($request)->getName();
+        if (!$this->loginLinkHandlerLocator->has($firewallName)) {
+            throw new \InvalidArgumentException(sprintf('No login link handler found. Did you add a login_link key under your "%s" firewall?', $firewallName));
+        }
+
+        return $this->loginLinkHandlerLocator->get($firewallName);
+    }
+}

src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_login_link.php

@@ -0,0 +1,72 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\DependencyInjection\Loader\Configurator;
+
+use Symfony\Bundle\SecurityBundle\LoginLink\FirewallAwareLoginLinkHandler;
+use Symfony\Component\Security\Http\Authenticator\LoginLinkAuthenticator;
+use Symfony\Component\Security\Http\LoginLink\ExpiredLoginLinkStorage;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandler;
+use Symfony\Component\Security\Http\LoginLink\LoginLinkHandlerInterface;
+
+return static function (ContainerConfigurator $container) {
+    $container->services()
+        ->set('security.authenticator.login_link', LoginLinkAuthenticator::class)
+            ->abstract()
+            ->args([
+                abstract_arg('the login link handler instance'),
+                service('security.http_utils'),
+                abstract_arg('authentication success handler'),
+                abstract_arg('authentication failure handler'),
+                abstract_arg('options'),
+            ])
+
+        ->set('security.authenticator.abstract_login_link_handler', LoginLinkHandler::class)
+            ->abstract()
+            ->args([
+                service('router'),
+                abstract_arg('user provider'),
+                service('property_accessor'),
+                abstract_arg('signature properties'),
+                '%kernel.secret%',
+                abstract_arg('options'),
+                abstract_arg('expired login link storage'),
+            ])
+
+        ->set('security.authenticator.expired_login_link_storage', ExpiredLoginLinkStorage::class)
+            ->abstract()
+            ->args([
+                abstract_arg('cache pool service'),
+                abstract_arg('expired login link storage'),
+            ])
+
+        ->set('security.authenticator.cache.expired_links')
+            ->parent('cache.app')
+            ->private()
+            ->tag('cache.pool')
+
+        ->set('security.authenticator.firewall_aware_login_link_handler', FirewallAwareLoginLinkHandler::class)
+            ->args([
+                service('security.firewall.map'),
+                tagged_locator('security.authenticator.login_linker', 'firewall'),
+                service('request_stack'),
+            ])
+        ->alias(LoginLinkHandlerInterface::class, 'security.authenticator.firewall_aware_login_link_handler')
+
+        ->set('security.authenticator.entity_login_link_user_handler', EntityLoginLinkUserHandler::class)
+            ->abstract()
+            ->args([
+                service('doctrine'),
+                abstract_arg('user entity class name'),
+            ])
+
+    ;
+};

src/Symfony/Bundle/SecurityBundle/SecurityBundle.php

@@ -28,6 +28,7 @@
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\HttpBasicLdapFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\JsonLoginFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\JsonLoginLdapFactory;
+use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\LoginLinkFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\LoginThrottlingFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RememberMeFactory;
 use Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory\RemoteUserFactory;
@@ -66,6 +67,7 @@ public function build(ContainerBuilder $container)
         $extension->addSecurityListenerFactory(new AnonymousFactory());
         $extension->addSecurityListenerFactory(new CustomAuthenticatorFactory());
         $extension->addSecurityListenerFactory(new LoginThrottlingFactory());
+        $extension->addSecurityListenerFactory(new LoginLinkFactory());
 
         $extension->addUserProviderFactory(new InMemoryFactory());
         $extension->addUserProviderFactory(new LdapFactory());