src/Controller/SecurityController.php line 31

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Controller;
  5. use LogicException;
  6. use MedBrief\MSR\Service\Security\IPFailedLogin;
  7. use MedBrief\MSR\Service\Security\SecurityTimeDelayHelperService;
  8. use MedBrief\MSR\Service\Security\UserFailedLogin;
  9. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  10. use Symfony\Component\HttpFoundation\Request;
  11. use Symfony\Component\HttpFoundation\Response;
  12. use Symfony\Component\Routing\Annotation\Route;
  13. use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
  15. class SecurityController extends AbstractController
  16. {
  17. private readonly string $clientIpAddress;
  19. public function __construct(private readonly SecurityTimeDelayHelperService $securityTimeDelayHelper)
  20. {
  21. $this->clientIpAddress = Request::createFromGlobals()->getClientIp() ?? 'Unknown';
  22. }
  24. /**
  25. * @Route("/login", name="login")
  26. *
  27. * @param AuthenticationUtils $authenticationUtils
  28. * @param UserFailedLogin $userFailedLogin
  29. * @param IPFailedLogin $IPFailedLogin
  30. */
  31. public function login(AuthenticationUtils $authenticationUtils, UserFailedLogin $userFailedLogin, IPFailedLogin $IPFailedLogin): Response
  32. {
  33. // Start time to measure response duration
  34. $startTime = microtime(true);
  36. // Get the login error if there is one
  37. $error = $authenticationUtils->getLastAuthenticationError();
  39. // Last username entered by the user
  40. $lastUsername = $authenticationUtils->getLastUsername();
  42. // If the user is already logged in, redirect them to the dashboard
  43. if ($this->getUser()) {
  44. // Clear failed logins for authenticated user
  45. $userFailedLogin->loginFailureClear($this->getUser()->getUsername()); //TODO: replace ->getUsername() with ->getUserIdentifier() during next Symfony upgrade.
  47. // Clear failed logins for ip address by username
  48. $IPFailedLogin->loginFailureClear($this->getUser()->getUsername());
  49. return $this->redirectToRoute('infology_medbrief_dashboard');
  50. }
  52. // This is for email enumeration attacks
  53. // Use the SecurityHelper to determine if the user exists
  54. $userExists = $this->securityTimeDelayHelper->determineIfUserExists();
  56. if (!$userExists) {
  57. // Add an extra delay for wrong email to match password timing
  58. usleep(500 * 1000);
  59. }
  61. // Set currentCount and IPcurrentCount to 0
  62. $currentCount = 0;
  63. $IPcurrentCount = 0;
  65. // Determine if there is a login failure and Track the login failure to an IP address as well
  66. if ($error !== null) {
  67. $IPcurrentCount = $IPFailedLogin->loginFailure($lastUsername)['currentCount'];
  68. $currentCount = $userFailedLogin->loginFailure($lastUsername)['currentCount'];
  69. }
  71. // Get the maximum attempts allowed for a failed login attempt
  72. $maxAttempts = $userFailedLogin->getMaxAttempts();
  74. // Get the maximum attempts allowed for a failed login attempt on IP Address
  75. $IPmaxAttempts = $IPFailedLogin->getMaxAttempts();
  77. // Check if the IP Address is blacklisted or exceeded the max login attempts
  78. if ($IPFailedLogin->loginAllow() === false) {
  79. // Get the login lockout time left
  80. $IPloginLockoutTimeLeft = $IPFailedLogin->getLoginLockoutTimer($lastUsername);
  81. // If there is a lockout time left, load the login lockout screen and pass relevant variables
  82. if ($IPloginLockoutTimeLeft !== null) {
  83. // Load the login lockout screen and pass relevant variables
  84. return $this->render('security/IPBlacklisted.html.twig', ['IPloginLockoutTimeLeft' => $IPloginLockoutTimeLeft, 'clientIPAddress' => $this->clientIpAddress]);
  85. }
  86. }
  88. // Check if the user or clientIP is blacklisted
  89. if ($userFailedLogin->loginAllow($lastUsername) === false) {
  90. // Get the login lockout time left
  91. $loginLockoutTimeLeft = $userFailedLogin->getLoginLockoutTimer($lastUsername);
  92. // If there is a lockout time left, load the login lockout screen and pass relevant variables
  93. if ($loginLockoutTimeLeft !== null) {
  94. // Load the login lockout screen and pass relevant variables
  95. return $this->render('security/loginLockout.html.twig', ['loginLockoutTimeLeft' => $loginLockoutTimeLeft]);
  96. }
  97. }
  99. // Use the SecurityHelper to add a random delay
  100. $this->securityTimeDelayHelper->addRandomDelay($startTime);
  102. // Load the login screen and pass relevant variables
  103. return $this->render('security/login.html.twig', [
  104. 'last_username' => $lastUsername,
  105. 'error' => $error,
  106. 'failedLoginCount' => $currentCount,
  107. 'IPfailedLoginCount' => $IPcurrentCount,
  108. 'maxAttempts' => $maxAttempts,
  109. 'IPmaxAttempts' => $IPmaxAttempts,
  110. ]);
  111. }
  113. /**
  114. * @Route("/logout", name="logout")
  115. */
  116. public function logout(): void
  117. {
  118. throw new LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
  119. }
  120. }