src/EventListener/RequestJwtAuthenticationSubscriber.php line 53

Open in your IDE?
  1. <?php
  3. namespace App\EventListener;
  5. use App\Entity\Api;
  6. use App\Entity\Company;
  7. use App\Entity\Location;
  8. use App\Entity\User;
  9. use App\Service\JWTService;
  10. use Doctrine\ORM\EntityManagerInterface;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpFoundation\RedirectResponse;
  13. use Symfony\Component\HttpFoundation\Request;
  14. use Symfony\Component\HttpKernel\Event\RequestEvent;
  15. use Symfony\Component\HttpKernel\KernelEvents;
  16. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  17. use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
  19. /*
  20. * inspect the request for a valid jwt token to automatically log in a user
  21. */
  22. class RequestJwtAuthenticationSubscriber implements EventSubscriberInterface
  23. {
  24. /**
  25. * @var EntityManagerInterface
  26. */
  27. private $entityManager;
  29. /**
  30. * @var TokenStorageInterface
  31. */
  32. private $tokenStorage;
  34. /**
  35. * @var JWTService
  36. */
  37. private $jwtService;
  39. const HASH_LIGHTNING_STEP = 'MTY2Mzk2OTQwOCwicm9sZXMiOlsiUk9';
  40. const HASH_HATCH = '3FRTvGK8vtRPqzTzKx1BK1CQrRG2x6YyWI0a_ly1q';
  42. public function __construct(
  43. EntityManagerInterface $entityManager,
  44. TokenStorageInterface $tokenStorage,
  45. JWTService $jwtService
  46. )
  47. {
  48. $this->entityManager = $entityManager;
  49. $this->tokenStorage = $tokenStorage;
  50. $this->jwtService = $jwtService;
  51. }
  53. public function onKernelRequest(RequestEvent $event): void
  54. {
  55. if (!$event->isMainRequest()) {
  56. return;
  57. }
  58. $request = $event->getRequest();
  60. /* todo: DELETE BELOW BEFORE DEPLOYING TO PRODUCTION */
  61. //////////////
  62. /* ONLY HERE FOR TESTING PURPOSES */
  63. $this->generateValidToken($request);
  64. //////////////
  65. /* todo: DELETE ABOVE BEFORE DEPLOYING TO PRODUCTION */
  67. $requestQuery = $request->query->all();
  69. if(isset($requestQuery['ssoToken'])){
  71. try {
  72. // parse data without validation so we can get the data we need to process validation
  73. $parsedToken = $this->jwtService->decodeToken($requestQuery['ssoToken'], null, false);
  74. if(!$parsedToken['api']){
  75. throw new \Exception('token not valid');
  76. }
  78. // search api using the provided apiKey
  79. /** @var Api $api */
  80. if(!$api = $this->entityManager->getRepository(Api::class)->findOneBy(['apiKey'=>$parsedToken['api']])){
  81. throw new \Exception('api not found');
  82. }
  84. // validate token using api.jwtSecret
  85. $parsedToken = $this->jwtService->decodeToken($requestQuery['ssoToken'], $api->getJwtSecret());
  86. } catch (\Exception $e) {
  87. print($e->getMessage());exit;
  88. }
  90. $user = $this->validateJWTToken($parsedToken);
  92. // authenticate user
  93. $token = new usernamePasswordToken($user, null, 'main', $user->getRoles());
  94. $this->tokenStorage->setToken($token);
  96. try {
  97. $request->getSession()->save();
  98. } catch (\Exception $e) {
  99. // redirect back to the same page ( fix for safari, firefox, all except chrome )
  100. $event->setResponse(new RedirectResponse("/".$request->getRequestUri()));
  101. }
  103. $event->setResponse(new RedirectResponse('/client/'.$parsedToken['locationId'].'/'.$parsedToken['url']));
  104. }
  105. }
  107. /**
  108. * @param $parsedToken
  109. * @return User|null|object
  110. */
  111. function validateJWTToken($parsedToken){
  112. // check for required params
  113. if(
  114. !empty($parsedToken) &&
  115. (
  116. !isset($parsedToken['userId'])
  117. || !isset($parsedToken['username'])
  118. || !isset($parsedToken['locationId'])
  119. || !isset($parsedToken['companyId'])
  120. || !isset($parsedToken['url'])
  121. || !isset($parsedToken['api'])
  122. )
  123. ){
  124. print('required params are missing; request is invalid');exit;
  125. }
  127. if(!$user = $this->entityManager->getRepository(User::class)->findOneBy([
  128. 'id' => $parsedToken['userId'],
  129. 'username' => $parsedToken['username'],
  130. 'enabled' => true,
  131. ])){
  132. print('user is not enabled or found');exit;
  133. }
  135. // check to see if user has access to the location
  136. $location = $this->entityManager->getRepository(Location::class)->find($parsedToken['locationId']);
  137. $isLocationFoundAndActive = $location instanceof Location && $user->isActiveInLocation($location) && $location->isActive();
  139. if(!$isLocationFoundAndActive){
  140. print('location is not enabled or found');exit;
  141. }
  143. // check to see if user has access to the company
  144. /** @var Company $company */
  145. $company = $location->getCompany();
  146. if($company->getId() != $parsedToken['companyId'] || !$company->isActive()){
  147. print('company is not enabled or found');exit;
  148. }
  150. // validate hash matches expected value
  151. if($parsedToken['hash'] != sha1($parsedToken['userId'].'.'.$parsedToken['locationId'].'.'.$parsedToken['companyId'])){
  152. print('authentication hash failed');exit;
  153. }
  155. if(!$this->entityManager->getRepository(Api::class)->findBy(['apiKey' => $parsedToken['api']])){
  156. print('api is not enabled or found');exit;
  157. }
  159. return $user;
  160. }
  162. /**
  163. * @param Request $request
  164. */
  165. function generateValidToken(Request $request)
  166. {
  167. if (isset($request->query->all()['generateValidToken'])) {
  168. $user = $this->entityManager->getRepository(User::class)->find($request->query->get('userId'));
  169. $location = $this->entityManager->getRepository(Location::class)->find($request->query->get('locationId'));
  170. /** @var Api $api */
  171. if(!$api = $this->entityManager->getRepository(Api::class)->getByLocation($location, true)){
  172. print('api is not enabled or found');exit;
  173. }
  174. try {
  175. $hash = $request->query->all()['hash'];
  176. } catch (\Exception $e) {
  177. print('Unauthorized'); exit;
  178. }
  179. if ($user->getId() == 5037 && $hash === self::HASH_LIGHTNING_STEP) {
  180. //we're good
  181. } elseif ($hash !== self::HASH_HATCH) {
  182. print ('Unauthorized'); exit;
  183. }
  185. $jwToken = $this->jwtService->generateToken([
  186. 'api' => $api[0]->getApiKey(),
  187. 'hash' => sha1($user->getId().'.'.$location->getId().'.'.$location->getCompany()->getId()),
  188. 'userId' => $user->getId(),
  189. 'username' => $user->getUsername(),
  190. 'locationId' => $location->getId(),
  191. 'companyId' => $location->getCompany()->getId(),
  192. 'url' => '/',
  193. ],$api[0]->getJwtSecret());
  196. print($request->getHost()."/?ssoToken=".$jwToken);
  197. print("<pre>");
  198. print_r($this->jwtService->decodeToken($jwToken, $api[0]->getJwtSecret()));
  199. exit;
  200. }
  201. }
  204. /**
  205. * @inheritDoc
  206. */
  207. public static function getSubscribedEvents(): array
  208. {
  209. return array(
  210. KernelEvents::REQUEST => 'onKernelRequest',
  211. );
  212. }
  214. }