vendor/lexik/jwt-authentication-bundle/Security/Guard/JWTTokenAuthenticator.php line 201

Open in your IDE?
  1. <?php
  3. namespace Lexik\Bundle\JWTAuthenticationBundle\Security\Guard;
  5. use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTAuthenticatedEvent;
  6. use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTExpiredEvent;
  7. use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTInvalidEvent;
  8. use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTNotFoundEvent;
  9. use Lexik\Bundle\JWTAuthenticationBundle\Events;
  10. use Lexik\Bundle\JWTAuthenticationBundle\Exception\ExpiredTokenException;
  11. use Lexik\Bundle\JWTAuthenticationBundle\Exception\InvalidPayloadException;
  12. use Lexik\Bundle\JWTAuthenticationBundle\Exception\InvalidTokenException;
  13. use Lexik\Bundle\JWTAuthenticationBundle\Exception\JWTDecodeFailureException;
  14. use Lexik\Bundle\JWTAuthenticationBundle\Exception\MissingTokenException;
  15. use Lexik\Bundle\JWTAuthenticationBundle\Exception\UserNotFoundException;
  16. use Lexik\Bundle\JWTAuthenticationBundle\Response\JWTAuthenticationFailureResponse;
  17. use Lexik\Bundle\JWTAuthenticationBundle\Security\Authentication\Token\JWTUserToken;
  18. use Lexik\Bundle\JWTAuthenticationBundle\Security\Authentication\Token\PreAuthenticationJWTUserToken;
  19. use Lexik\Bundle\JWTAuthenticationBundle\Security\Authentication\Token\PreAuthenticationJWTUserTokenInterface;
  20. use Lexik\Bundle\JWTAuthenticationBundle\Security\User\PayloadAwareUserProviderInterface;
  21. use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
  22. use Lexik\Bundle\JWTAuthenticationBundle\TokenExtractor\TokenExtractorInterface;
  23. use Symfony\Component\HttpFoundation\Request;
  24. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  25. use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
  26. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  27. use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
  28. use Symfony\Component\Security\Core\Exception\UserNotFoundException as SecurityUserNotFoundException;
  29. use Symfony\Component\Security\Core\User\ChainUserProvider;
  30. use Symfony\Component\Security\Core\User\UserInterface;
  31. use Symfony\Component\Security\Core\User\UserProviderInterface;
  32. use Symfony\Component\Security\Guard\AuthenticatorInterface;
  33. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  34. use Symfony\Contracts\Translation\TranslatorInterface;
  36. /**
  37. * JWTTokenAuthenticator (Guard implementation).
  38. *
  39. * @see http://knpuniversity.com/screencast/symfony-rest4/jwt-guard-authenticator
  40. *
  41. * @author Nicolas Cabot <n.cabot@lexik.fr>
  42. * @author Robin Chalas <robin.chalas@gmail.com>
  43. */
  44. class JWTTokenAuthenticator implements AuthenticatorInterface
  45. {
  46. /**
  47. * @var JWTTokenManagerInterface
  48. */
  49. private $jwtManager;
  51. /**
  52. * @var EventDispatcherInterface
  53. */
  54. private $dispatcher;
  56. /**
  57. * @var TokenExtractorInterface
  58. */
  59. private $tokenExtractor;
  61. /**
  62. * @var TokenStorageInterface
  63. */
  64. private $preAuthenticationTokenStorage;
  66. /**
  67. * @var TranslatorInterface
  68. */
  69. private $translator;
  71. public function __construct(
  72. JWTTokenManagerInterface $jwtManager,
  73. EventDispatcherInterface $dispatcher,
  74. TokenExtractorInterface $tokenExtractor,
  75. TokenStorageInterface $preAuthenticationTokenStorage,
  76. TranslatorInterface $translator = null
  77. ) {
  78. $this->jwtManager = $jwtManager;
  79. $this->dispatcher = $dispatcher;
  80. $this->tokenExtractor = $tokenExtractor;
  81. $this->preAuthenticationTokenStorage = $preAuthenticationTokenStorage;
  82. $this->translator = $translator;
  83. }
  85. public function supports(Request $request)
  86. {
  87. return false !== $this->getTokenExtractor()->extract($request);
  88. }
  90. /**
  91. * Returns a decoded JWT token extracted from a request.
  92. *
  93. * {@inheritdoc}
  94. *
  95. * @return PreAuthenticationJWTUserTokenInterface
  96. *
  97. * @throws InvalidTokenException If an error occur while decoding the token
  98. * @throws ExpiredTokenException If the request token is expired
  99. */
  100. public function getCredentials(Request $request)
  101. {
  102. $tokenExtractor = $this->getTokenExtractor();
  104. if (!$tokenExtractor instanceof TokenExtractorInterface) {
  105. throw new \RuntimeException(sprintf('Method "%s::getTokenExtractor()" must return an instance of "%s".', self::class, TokenExtractorInterface::class));
  106. }
  108. if (false === ($jsonWebToken = $tokenExtractor->extract($request))) {
  109. return;
  110. }
  112. $preAuthToken = new PreAuthenticationJWTUserToken($jsonWebToken);
  114. try {
  115. if (!$payload = $this->jwtManager->decode($preAuthToken)) {
  116. throw new InvalidTokenException('Invalid JWT Token');
  117. }
  119. $preAuthToken->setPayload($payload);
  120. } catch (JWTDecodeFailureException $e) {
  121. if (JWTDecodeFailureException::EXPIRED_TOKEN === $e->getReason()) {
  122. $expiredTokenException = new ExpiredTokenException();
  123. $expiredTokenException->setToken($preAuthToken);
  124. throw $expiredTokenException;
  125. }
  127. throw new InvalidTokenException('Invalid JWT Token', 0, $e);
  128. }
  130. return $preAuthToken;
  131. }
  133. /**
  134. * Returns an user object loaded from a JWT token.
  135. *
  136. * {@inheritdoc}
  137. *
  138. * @param PreAuthenticationJWTUserTokenInterface $preAuthToken Implementation of the (Security) TokenInterface
  139. *
  140. * @throws \InvalidArgumentException If preAuthToken is not of the good type
  141. * @throws InvalidPayloadException If the user identity field is not a key of the payload
  142. * @throws UserNotFoundException If no user can be loaded from the given token
  143. */
  144. public function getUser($preAuthToken, UserProviderInterface $userProvider)
  145. {
  146. if (!$preAuthToken instanceof PreAuthenticationJWTUserTokenInterface) {
  147. throw new \InvalidArgumentException(sprintf('The first argument of the "%s()" method must be an instance of "%s".', __METHOD__, PreAuthenticationJWTUserTokenInterface::class));
  148. }
  150. $payload = $preAuthToken->getPayload();
  151. $idClaim = $this->jwtManager->getUserIdClaim();
  153. if (!isset($payload[$idClaim])) {
  154. throw new InvalidPayloadException($idClaim);
  155. }
  157. $user = $this->loadUser($userProvider, $payload, $payload[$idClaim]);
  159. $this->preAuthenticationTokenStorage->setToken($preAuthToken);
  161. return $user;
  162. }
  164. /**
  165. * {@inheritdoc}
  166. */
  167. public function onAuthenticationFailure(Request $request, AuthenticationException $authException)
  168. {
  169. $errorMessage = strtr($authException->getMessageKey(), $authException->getMessageData());
  170. if (null !== $this->translator) {
  171. $errorMessage = $this->translator->trans($authException->getMessageKey(), $authException->getMessageData(), 'security');
  172. }
  173. $response = new JWTAuthenticationFailureResponse($errorMessage);
  175. if ($authException instanceof ExpiredTokenException) {
  176. $event = new JWTExpiredEvent($authException, $response, $request);
  177. $eventName = Events::JWT_EXPIRED;
  178. } else {
  179. $event = new JWTInvalidEvent($authException, $response, $request);
  180. $eventName = Events::JWT_INVALID;
  181. }
  183. $this->dispatcher->dispatch($event, $eventName);
  185. return $event->getResponse();
  186. }
  188. /**
  189. * {@inheritdoc}
  190. */
  191. public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
  192. {
  193. return;
  194. }
  196. /**
  197. * {@inheritdoc}
  198. *
  199. * @return JWTAuthenticationFailureResponse
  200. */
  201. public function start(Request $request, AuthenticationException $authException = null)
  202. {
  203. $exception = new MissingTokenException('JWT Token not found', 0, $authException);
  204. $event = new JWTNotFoundEvent($exception, new JWTAuthenticationFailureResponse($exception->getMessageKey()), $request);
  206. $this->dispatcher->dispatch($event, Events::JWT_NOT_FOUND);
  208. return $event->getResponse();
  209. }
  211. /**
  212. * {@inheritdoc}
  213. */
  214. public function checkCredentials($credentials, UserInterface $user)
  215. {
  216. return true;
  217. }
  219. /**
  220. * {@inheritdoc}
  221. *
  222. * @throws \RuntimeException If there is no pre-authenticated token previously stored
  223. */
  224. public function createAuthenticatedToken(UserInterface $user, $providerKey)
  225. {
  226. $preAuthToken = $this->preAuthenticationTokenStorage->getToken();
  228. if (null === $preAuthToken) {
  229. throw new \RuntimeException('Unable to return an authenticated token since there is no pre authentication token.');
  230. }
  232. $authToken = new JWTUserToken($user->getRoles(), $user, $preAuthToken->getCredentials(), $providerKey);
  234. $this->dispatcher->dispatch(new JWTAuthenticatedEvent($preAuthToken->getPayload(), $authToken), Events::JWT_AUTHENTICATED);
  236. $this->preAuthenticationTokenStorage->setToken(null);
  238. return $authToken;
  239. }
  241. /**
  242. * {@inheritdoc}
  243. */
  244. public function supportsRememberMe()
  245. {
  246. return false;
  247. }
  249. /**
  250. * Gets the token extractor to be used for retrieving a JWT token in the
  251. * current request.
  252. *
  253. * Override this method for adding/removing extractors to the chain one or
  254. * returning a different {@link TokenExtractorInterface} implementation.
  255. *
  256. * @return TokenExtractorInterface
  257. */
  258. protected function getTokenExtractor()
  259. {
  260. return $this->tokenExtractor;
  261. }
  263. /**
  264. * @return JWTTokenManagerInterface
  265. */
  266. protected function getJwtManager()
  267. {
  268. return $this->jwtManager;
  269. }
  271. /**
  272. * @return EventDispatcherInterface
  273. */
  274. protected function getDispatcher()
  275. {
  276. return $this->dispatcher;
  277. }
  279. /**
  280. * @return TokenStorageInterface
  281. */
  282. protected function getPreAuthenticationTokenStorage()
  283. {
  284. return $this->preAuthenticationTokenStorage;
  285. }
  287. /**
  288. * Loads the user to authenticate.
  289. *
  290. * @param UserProviderInterface $userProvider An user provider
  291. * @param array $payload The token payload
  292. * @param string $identity The key from which to retrieve the user "username"
  293. *
  294. * @return UserInterface
  295. */
  296. protected function loadUser(UserProviderInterface $userProvider, array $payload, $identity)
  297. {
  298. $providers = $userProvider instanceof ChainUserProvider ? $userProvider->getProviders() : [$userProvider];
  300. foreach ($providers as $provider) {
  301. try {
  302. if ($provider instanceof PayloadAwareUserProviderInterface) {
  303. return $provider->loadUserByUsernameAndPayload($identity, $payload);
  304. }
  306. if (method_exists($provider, 'loadUserByIdentifier')) {
  307. return $provider->loadUserByIdentifier($identity);
  308. }
  310. return $provider->loadUserByUsername($identity);
  311. } catch (SecurityUserNotFoundException | UsernameNotFoundException $e) {
  312. // try next one
  313. }
  314. }
  316. if (class_exists(SecurityUserNotFoundException::class)) {
  317. $ex = new SecurityUserNotFoundException(sprintf('There is no user with name "%s".', $identity));
  318. $ex->setUserIdentifier($identity);
  319. } else {
  320. $ex = new UsernameNotFoundException(sprintf('There is no user with name "%s".', $identity));
  321. $ex->setUsername($identity);
  322. }
  324. throw $ex;
  325. }
  326. }