Log an error level message when user auth fail

When a user login using the form we know log an error level information with information about the user:
- username used
- IP
- User agent

For example:

> Authentication failure for user "eza", from IP "127.0.0.1", with UA: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36".

It’ll allows server admin using fail2ban to configure it to block these people if they generate too much failure authentication.
This commit is contained in:
Jeremy Benoist 2017-06-08 22:24:49 +02:00
parent 3f474025d8
commit 63f9f22fa3
No known key found for this signature in database
GPG key ID: BCA73962457ACC3C
3 changed files with 71 additions and 0 deletions

View file

@ -41,6 +41,7 @@ security:
form_login: form_login:
provider: fos_userbundle provider: fos_userbundle
csrf_token_generator: security.csrf.token_manager csrf_token_generator: security.csrf.token_manager
failure_handler: wallabag_user.security.custom_auth_failure_handler
anonymous: true anonymous: true
remember_me: remember_me:

View file

@ -35,3 +35,11 @@ services:
- "%wallabag_core.list_mode%" - "%wallabag_core.list_mode%"
tags: tags:
- { name: kernel.event_subscriber } - { name: kernel.event_subscriber }
wallabag_user.security.custom_auth_failure_handler:
class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler
arguments:
- "@http_kernel"
- "@security.http_utils"
- { }
- "@logger"

View file

@ -0,0 +1,62 @@
<?php
namespace Wallabag\UserBundle\Security;
use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\ParameterBagUtils;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Symfony\Component\Security\Core\Security;
/**
* This is a custom authentication failure.
* It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
*
* This only changing thing is the logError() addition
*/
class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler
{
/**
* {@inheritdoc}
*/
public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
{
if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
$this->options['failure_path'] = $failureUrl;
}
if (null === $this->options['failure_path']) {
$this->options['failure_path'] = $this->options['login_path'];
}
if ($this->options['failure_forward']) {
$this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]);
$this->logError($request);
$subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']);
$subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
}
$this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]);
$this->logError($request);
$request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']);
}
/**
* Log error information about fialure
*
* @param Request $request
*/
private function logError(Request $request)
{
$this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
}
}