From 63f9f22fa37b14171c6f92d24f99ccf01ae7af00 Mon Sep 17 00:00:00 2001 From: Jeremy Benoist Date: Thu, 8 Jun 2017 22:24:49 +0200 Subject: [PATCH] Log an error level message when user auth fail MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit When a user login using the form we know log an error level information with information about the user: - username used - IP - User agent For example: > Authentication failure for user "eza", from IP "127.0.0.1", with UA: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36". It’ll allows server admin using fail2ban to configure it to block these people if they generate too much failure authentication. --- app/config/security.yml | 1 + .../UserBundle/Resources/config/services.yml | 8 +++ .../CustomAuthenticationFailureHandler.php | 62 +++++++++++++++++++ 3 files changed, 71 insertions(+) create mode 100644 src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php diff --git a/app/config/security.yml b/app/config/security.yml index ffb1d356f..171a69e2e 100644 --- a/app/config/security.yml +++ b/app/config/security.yml @@ -41,6 +41,7 @@ security: form_login: provider: fos_userbundle csrf_token_generator: security.csrf.token_manager + failure_handler: wallabag_user.security.custom_auth_failure_handler anonymous: true remember_me: diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml index 72f6f12c1..6ab463e36 100644 --- a/src/Wallabag/UserBundle/Resources/config/services.yml +++ b/src/Wallabag/UserBundle/Resources/config/services.yml @@ -35,3 +35,11 @@ services: - "%wallabag_core.list_mode%" tags: - { name: kernel.event_subscriber } + + wallabag_user.security.custom_auth_failure_handler: + class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler + arguments: + - "@http_kernel" + - "@security.http_utils" + - { } + - "@logger" diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php new file mode 100644 index 000000000..93e2d17b7 --- /dev/null +++ b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php @@ -0,0 +1,62 @@ +options['failure_path_parameter'])) { + $this->options['failure_path'] = $failureUrl; + } + + if (null === $this->options['failure_path']) { + $this->options['failure_path'] = $this->options['login_path']; + } + + if ($this->options['failure_forward']) { + $this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]); + + $this->logError($request); + + $subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']); + $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception); + + return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST); + } + + $this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]); + + $this->logError($request); + + $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception); + + return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']); + } + + /** + * Log error information about fialure + * + * @param Request $request + */ + private function logError(Request $request) + { + $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".'); + } +}