custom/plugins/IwvTwoFactorAuthentication/src/Subscriber/BackendLoginSubscriber.php line 73

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Iwv\IwvTwoFactorAuthentication\Subscriber;
  7. use League\OAuth2\Server\Exception\OAuthServerException;
  8. use Shopware\Core\PlatformRequest;
  9. use Shopware\Core\Framework\Context;
  10. use Shopware\Core\Framework\DataAbstractionLayer\EntityRepositoryInterface;
  11. use Shopware\Core\Framework\DataAbstractionLayer\Search\Criteria;
  12. use Shopware\Core\Framework\DataAbstractionLayer\Search\Filter\EqualsFilter;
  13. use Shopware\Core\System\User\UserEntity;
  14. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  15. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\HttpFoundation\Request;
  18. use Symfony\Component\HttpKernel\KernelEvents;
  19. use Iwv\IwvTwoFactorAuthentication\Service\TwoFactorAdaptors\GoogleAuthenticatorAdaptor;
  20. use Iwv\IwvTwoFactorAuthentication\Service\TwoFactorAdaptors\YubicoAuthenticatorAdaptor;
  21. use Iwv\IwvTwoFactorAuthentication\Service\TwoFactorAdaptors\EmailAuthenticatorAdaptor;
  22. use Iwv\IwvTwoFactorAuthentication\Service\CookieHelperValidator;
  23. use Exception;
  25. class BackendLoginSubscriber implements EventSubscriberInterface
  26. {
  27.     /**
  28.      * @var EntityRepositoryInterface
  29.      */
  30.     private $userRepository;
  32.     /**
  33.      * @var CookieHelperValidator
  34.      */
  35.     private $cookieHelperValidator;
  37.     /**
  38.      * @var GoogleAuthenticatorAdaptor
  39.      */
  40.     private $googleAuthenticatorAdaptor;
  42.     /**
  43.      * @var YubicoAuthenticatorAdaptor
  44.      */
  45.     private $yubicoAuthenticatorAdaptor;
  47.     /**
  48.      * @var EmailAuthenticatorAdaptor
  49.      */
  50.     private $emailAuthenticatorAdaptor;
  52.     public function __construct(
  53.         EntityRepositoryInterface $userRepository,
  54.         CookieHelperValidator $cookieHelperValidator,
  55.         GoogleAuthenticatorAdaptor $googleAuthenticatorAdaptor,
  56.         YubicoAuthenticatorAdaptor $yubicoAuthenticatorAdaptor,
  57.         EmailAuthenticatorAdaptor $emailAuthenticatorAdaptor
  58.     ) {
  59.         $this->userRepository $userRepository;
  60.         $this->cookieHelperValidator $cookieHelperValidator;
  61.         $this->googleAuthenticatorAdaptor $googleAuthenticatorAdaptor;
  62.         $this->yubicoAuthenticatorAdaptor $yubicoAuthenticatorAdaptor;
  63.         $this->emailAuthenticatorAdaptor $emailAuthenticatorAdaptor;
  64.     }
  66.     public static function getSubscribedEvents()
  67.     {
  68.         return [
  69.             KernelEvents::RESPONSE => 'onResponse',
  70.         ];
  71.     }
  73.     public function onResponse(ResponseEvent $event): void
  74.     {
  76.         /** @var \Symfony\Component\HttpFoundation\Request $request */
  77.         $request $event->getRequest();
  79.         /** @var \Symfony\Component\HttpFoundation\JsonResponse $response */
  80.         $response $event->getResponse();
  82.         /* return on invalid requests */
  83.         if (!in_array($event->getResponse()->getStatusCode(), [200204])) {
  84.             return;
  85.         }
  87.         /* $event->getContext() does not exists */
  88.         $context $request->attributes->get(PlatformRequest::ATTRIBUTE_CONTEXT_OBJECT);
  90.         /* update cookie request on profiles change */
  91.         if (
  92.             $request->attributes->get('_route') === 'api.action.iwv.two-factor.backend.google-authenticator' || 
  93.             $request->attributes->get('_route') === 'api.action.iwv.two-factor.backend.yubico-configurator' ||
  94.             $request->attributes->get('_route') === 'api.action.iwv.two-factor.backend.email-validate' ||
  95.             $request->attributes->get('_route') === 'api.action.iwv.two-factor.backend.disable-validator'
  96.         ) {
  98.             $responseContent json_decode($response->getContent(), true);
  100.             if (!array_key_exists('status'$responseContent['response']) || !$responseContent['response']['status']) {
  101.                 return;
  102.             }
  104.             if ($responseContent['response']['userId']) {
  105.                 $userDB $context->scope(Context::SYSTEM_SCOPE, fn(Context $systemContext) => $this->userRepository->search(new Criteria([$responseContent['response']['userId']]), $systemContext)->first());
  106.                 $customFields $userDB->getCustomFields();
  107.                 $twoFaParams $customFields['iwvTwoFactor'] ?? [];
  108.                 $response = !empty($twoFaParams) ? $this->cookieHelperValidator->addTwoFaCookie($response$userDB) : $this->cookieHelperValidator->removeTwoFaCookie($response);
  109.                 $event->setResponse($response);
  110.             }
  111.             return;
  112.         }
  113.         if ($request->attributes->get('_route') !== 'api.oauth.token') {
  114.             return;
  115.         }
  116.     
  117.         $username $request->request->get('username');
  118.         /** @var UserEntity $userDB */
  119.         $userDB $context->scope(Context::SYSTEM_SCOPE, fn(Context $systemContext) => $this->userRepository->search((new Criteria())->addFilter(new EqualsFilter('username'$username)), $systemContext)->first());
  121.         if (!$userDB || !($customFields $userDB->getCustomFields()) || !isset($customFields['iwvTwoFactor']) || empty($customFields['iwvTwoFactor']) || ($this->cookieHelperValidator->hasScope($request\Shopware\Core\Framework\Api\OAuth\Scope\UserVerifiedScope::IDENTIFIER) && $this->cookieHelperValidator->hasTwoFaCookie($request$userDB))) {
  122.             return;
  123.         }
  124.         $context->scope(Context::SYSTEM_SCOPE, fn(Context $systemContext) => $this->emailAuthenticatorAdaptor->load($systemContext$userDB));
  126.         try {
  127.             
  128.             $authenticatorCode = (string) $request->request->get('iwvAuthenticator');
  129.             $authenticatorData = (array) $request->request->get('iwvAuthenticationToken');
  130.             $context->scope(Context::SYSTEM_SCOPE, fn(Context $systemContext) => $this->emailAuthenticatorAdaptor->load($systemContext$userDB));
  131.             
  132.             if (!isset($authenticatorCode)) {  
  133.                 throw new Exception('OTP is required'1200);
  134.             } elseif (!isset($customFields['iwvTwoFactor'][$authenticatorCode])) {
  135.                 throw new Exception('Authenticator is not configured'1200);
  136.             }
  138.             switch ($authenticatorCode) {
  139.                 case 'emailAuth';
  140.                     if($authenticatorData['sendCodeButton']){
  141.                         $this->emailAuthenticatorAdaptor->sendLoginEmailCode();  
  142.                         throw new Exception('Email has been sent'1203);
  143.                     }
  144.                     else{
  145.                         $emailData $this->emailAuthenticatorAdaptor->authenticate(($authenticatorData['otpValue'] ?? ''));
  146.                         
  147.                         if(!$emailData['verified']){
  148.                             if($emailData['error'] === 'expired'){
  149.                                 throw new Exception('Invalid authentication code'1201);
  150.                             }
  151.                             else{
  152.                                 throw new Exception('Authentication code expired'1201);
  153.                             }
  154.                         }
  155.                     }
  156.                     break;
  157.                 case 'yubico';
  158.                     if (!$this->yubicoAuthenticatorAdaptor->authenticate($customFields['iwvTwoFactor']['yubico']['clientId'], $customFields['iwvTwoFactor']['yubico']['secret'], ($authenticatorData['otpValue'] ?? ''))) {
  159.                         throw new Exception('Invalid authentication code'1201);
  160.                     }
  161.                     break;
  162.                 case 'otp2fa';
  163.                     if (!$this->googleAuthenticatorAdaptor->authenticate($customFields['iwvTwoFactor']['otp2fa']['secret'], ($authenticatorData['otpValue'] ?? ''))) {
  164.                         throw new Exception('Invalid authentication code'1201);
  165.                     }
  166.                     break;
  167.             }
  169.             $response $this->cookieHelperValidator->addTwoFaCookie($response$userDB);
  170.             $event->setResponse($response);
  171.         } catch (\Exception $ex) {
  172.             throw new OAuthServerException('OTP is required'$ex->getCode(), 'iwv-request-otp'401array_keys($customFields['iwvTwoFactor']));
  173.         }
  174.     }
  175. }