Merge pull request #1068 from wallabag/v2-api-authentication

V2 api authentication
This commit is contained in:
Jeremy 2015-02-10 13:49:57 +01:00
commit 2c0ffcf397
11 changed files with 95 additions and 56 deletions

View file

@ -17,6 +17,11 @@ monolog:
type: fingers_crossed
action_level: error
handler: nested
wsse:
type: stream
path: %kernel.logs_dir%/%kernel.environment%.wsse.log
level: error
channels: [wsse]
nested:
type: stream
path: "%kernel.logs_dir%/%kernel.environment%.log"

View file

@ -16,9 +16,11 @@ security:
# the main part of the security, where you can set up firewalls
# for specific sections of your app
firewalls:
#wsse_secured:
# pattern: /api/.*
# wsse: true
wsse_secured:
pattern: /api/.*
wsse: true
stateless: true
anonymous: true
login_firewall:
pattern: ^/login$
anonymous: ~
@ -54,6 +56,7 @@ security:
target: /
access_control:
- { path: ^/api/salt, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/doc, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/, roles: ROLE_USER }

View file

@ -6,7 +6,6 @@ use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\Request;
use Wallabag\CoreBundle\Entity\Entry;
use Wallabag\CoreBundle\Repository;
use Wallabag\CoreBundle\Service\Extractor;
use Wallabag\CoreBundle\Helper\Url;

View file

@ -12,6 +12,29 @@ use Wallabag\CoreBundle\Service\Extractor;
class WallabagRestController extends Controller
{
/**
* Retrieve salt for a giver user.
*
* @ApiDoc(
* parameters={
* {"name"="username", "dataType"="string", "required"=true, "description"="username"}
* }
* )
* @return string
*/
public function getSaltAction($username)
{
$user = $this
->getDoctrine()
->getRepository('WallabagCoreBundle:User')
->findOneByUsername($username);
if (is_null($user)) {
throw $this->createNotFoundException();
}
return $user->getSalt();
}
/**
* Retrieve all entries. It could be filtered by many options.
*
@ -43,7 +66,7 @@ class WallabagRestController extends Controller
$entries = $this
->getDoctrine()
->getRepository('WallabagCoreBundle:Entry')
->findEntries(1, $isArchived, $isStarred, $isDeleted, $sort, $order);
->findEntries($this->getUser()->getId(), $isArchived, $isStarred, $isDeleted, $sort, $order);
if (!is_array($entries)) {
throw $this->createNotFoundException();
@ -85,8 +108,7 @@ class WallabagRestController extends Controller
$url = $request->request->get('url');
$content = Extractor::extract($url);
$entry = new Entry();
$entry->setUserId(1);
$entry = new Entry($this->getUser());
$entry->setUrl($url);
$entry->setTitle($request->request->get('title') ?: $content->getTitle());
$entry->setContent($content->getBody());

View file

@ -3,7 +3,7 @@
namespace Wallabag\CoreBundle\DependencyInjection;
use Symfony\Component\DependencyInjection\ContainerBuilder;
use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
use Symfony\Component\DependencyInjection\Loader\YamlFileLoader;
use Symfony\Component\HttpKernel\DependencyInjection\Extension;
use Symfony\Component\Config\FileLocator;
@ -11,8 +11,8 @@ class WallabagCoreExtension extends Extension
{
public function load(array $configs, ContainerBuilder $container)
{
$loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
$loader->load('services.xml');
$loader = new YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
$loader->load('services.yml');
}
public function getAlias()

View file

@ -91,12 +91,12 @@ class EntryRepository extends EntityRepository
/**
* Find Entries
*
* @param int $userId
* @param bool $isArchived
* @param bool $isStarred
* @param bool $isDeleted
* @param string $sort
* @param string $order
* @param int $userId
* @param bool $isArchived
* @param bool $isStarred
* @param bool $isDeleted
* @param string $sort
* @param string $order
*
* @return ArrayCollection
*/

View file

@ -1,27 +0,0 @@
<?xml version="1.0" ?>
<container xmlns="http://symfony.com/schema/dic/services"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
<services>
<!-- Twig -->
<service id="wallabag_core.twig.wallabag" class="Wallabag\CoreBundle\Twig\Extension\WallabagExtension">
<tag name="twig.extension" />
</service>
<!-- Security -->
<service id="wsse.security.authentication.provider"
class="Wallabag\CoreBundle\Security\Authentication\Provider\WsseProvider" public="false">
<argument /> <!-- User Provider -->
<argument>%kernel.cache_dir%/security/nonces</argument>
</service>
<service id="wsse.security.authentication.listener"
class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">
<argument type="service" id="security.context"/>
<argument type="service" id="security.authentication.manager" />
</service>
</services>
</container>

View file

@ -0,0 +1,15 @@
services:
wallabag_core.twig.wallabag:
class: Wallabag\CoreBundle\Twig\Extension\WallabagExtension
tags:
- { name: twig.extension }
wsse.security.authentication.provider:
class: Wallabag\CoreBundle\Security\Authentication\Provider\WsseProvider
public: false
arguments: ['', '%kernel.cache_dir%/security/nonces']
wsse.security.authentication.listener:
class: Wallabag\CoreBundle\Security\Firewall\WsseListener
public: false
tags:
- { name: monolog.logger, channel: wsse }
arguments: ['@security.context', '@security.authentication.manager', '@logger']

View file

@ -17,12 +17,21 @@ class WsseProvider implements AuthenticationProviderInterface
{
$this->userProvider = $userProvider;
$this->cacheDir = $cacheDir;
// If cache directory does not exist we create it
if (!is_dir($this->cacheDir)) {
mkdir($this->cacheDir, 0777, true);
}
}
public function authenticate(TokenInterface $token)
{
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if (!$user) {
throw new AuthenticationException("Bad credentials. Did you forgot your username?");
}
if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
$authenticatedToken = new WsseUserToken($user->getRoles());
$authenticatedToken->setUser($user);
@ -35,20 +44,30 @@ class WsseProvider implements AuthenticationProviderInterface
protected function validateDigest($digest, $nonce, $created, $secret)
{
// Expire le timestamp après 5 minutes
if (time() - strtotime($created) > 300) {
return false;
// Check created time is not in the future
if (strtotime($created) > time()) {
throw new AuthenticationException("Back to the future...");
}
// Valide que le nonce est unique dans les 5 minutes
// Expire timestamp after 5 minutes
if (time() - strtotime($created) > 300) {
throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
}
// Validate nonce is unique within 5 minutes
if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
throw new NonceExpiredException('Previously used nonce detected');
}
file_put_contents($this->cacheDir.'/'.$nonce, time());
// Valide le Secret
// Validate Secret
$expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
if ($digest !== $expected) {
throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
}
return $digest === $expected;
}

View file

@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
use Psr\Log\LoggerInterface;
class WsseListener implements ListenerInterface
{
protected $securityContext;
protected $authenticationManager;
protected $logger;
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)
public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
{
$this->securityContext = $securityContext;
$this->authenticationManager = $authenticationManager;
$this->logger = $logger;
}
public function handle(GetResponseEvent $event)
@ -41,17 +44,19 @@ class WsseListener implements ListenerInterface
$authToken = $this->authenticationManager->authenticate($token);
$this->securityContext->setToken($authToken);
} catch (AuthenticationException $failed) {
// ... you might log something here
// To deny the authentication clear the token. This will redirect to the login page.
// $this->securityContext->setToken(null);
// return;
return;
} catch (AuthenticationException $failed) {
$failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
$this->logger->err($failedMessage);
// Deny authentication with a '403 Forbidden' HTTP response
$response = new Response();
$response->setStatusCode(403);
$response->setContent($failedMessage);
$event->setResponse($response);
return;
}
}
}

View file

@ -3,8 +3,6 @@
namespace Wallabag\CoreBundle\Tests;
use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
use Symfony\Component\BrowserKit\Cookie;
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
class WallabagTestCase extends WebTestCase
{