src/Controller/SecurityController.php line 32

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\Controller;
  5. use LogicException;
  6. use MedBrief\MSR\Service\Security\IPFailedLogin;
  7. use MedBrief\MSR\Service\Security\SecurityTimeDelayHelperService;
  8. use MedBrief\MSR\Service\Security\UserFailedLogin;
  9. use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
  10. use Symfony\Component\HttpFoundation\Request;
  11. use Symfony\Component\HttpFoundation\Response;
  12. use Symfony\Component\Routing\Annotation\Route;
  13. use Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException;
  14. use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
  16. class SecurityController extends AbstractController
  17. {
  18. private readonly string $clientIpAddress;
  20. public function __construct(private readonly SecurityTimeDelayHelperService $securityTimeDelayHelper)
  21. {
  22. $this->clientIpAddress = Request::createFromGlobals()->getClientIp() ?? 'Unknown';
  23. }
  25. /**
  26. * @Route("/login", name="login")
  27. *
  28. * @param AuthenticationUtils $authenticationUtils
  29. * @param UserFailedLogin $userFailedLogin
  30. * @param IPFailedLogin $IPFailedLogin
  31. */
  32. public function login(AuthenticationUtils $authenticationUtils, UserFailedLogin $userFailedLogin, IPFailedLogin $IPFailedLogin): Response
  33. {
  34. // Start time to measure response duration
  35. $startTime = microtime(true);
  37. // Get the login error if there is one
  38. $error = $authenticationUtils->getLastAuthenticationError();
  40. // Last username entered by the user
  41. $lastUsername = $authenticationUtils->getLastUsername();
  43. // If the user is already logged in, redirect them to the dashboard
  44. if ($this->getUser()) {
  45. // Clear failed logins for authenticated user
  46. $userFailedLogin->loginFailureClear($this->getUser()->getUsername()); //TODO: replace ->getUsername() with ->getUserIdentifier() during next Symfony upgrade.
  48. // Clear failed logins for ip address by username
  49. $IPFailedLogin->loginFailureClear($this->getUser()->getUsername());
  50. return $this->redirectToRoute('infology_medbrief_dashboard');
  51. }
  53. // This is for email enumeration attacks
  54. // Use the SecurityHelper to determine if the user exists
  55. $userExists = $this->securityTimeDelayHelper->determineIfUserExists();
  57. if (!$userExists) {
  58. // Add an extra delay for wrong email to match password timing
  59. usleep(500 * 1000);
  60. }
  62. // Set currentCount and IPcurrentCount to 0
  63. $currentCount = 0;
  64. $IPcurrentCount = 0;
  66. // Determine if there is a login failure and Track the login failure to an IP address as well.
  67. // CSRF token errors (e.g. expired session, multiple tabs, back button) should not count
  68. // as failed login attempts since the user never submitted invalid credentials.
  69. if ($error !== null && !$error instanceof InvalidCsrfTokenException) {
  70. $IPcurrentCount = $IPFailedLogin->loginFailure($lastUsername)['currentCount'];
  71. $currentCount = $userFailedLogin->loginFailure($lastUsername)['currentCount'];
  72. }
  74. // Get the maximum attempts allowed for a failed login attempt
  75. $maxAttempts = $userFailedLogin->getMaxAttempts();
  77. // Get the maximum attempts allowed for a failed login attempt on IP Address
  78. $IPmaxAttempts = $IPFailedLogin->getMaxAttempts();
  80. // Check if the IP Address is blacklisted or exceeded the max login attempts
  81. if ($IPFailedLogin->loginAllow() === false) {
  82. // Get the login lockout time left
  83. $IPloginLockoutTimeLeft = $IPFailedLogin->getLoginLockoutTimer($lastUsername);
  84. // If there is a lockout time left, load the login lockout screen and pass relevant variables
  85. if ($IPloginLockoutTimeLeft !== null) {
  86. // Load the login lockout screen and pass relevant variables
  87. return $this->render('security/IPBlacklisted.html.twig', ['IPloginLockoutTimeLeft' => $IPloginLockoutTimeLeft, 'clientIPAddress' => $this->clientIpAddress]);
  88. }
  89. }
  91. // Check if the user or clientIP is blacklisted
  92. if ($userFailedLogin->loginAllow($lastUsername) === false) {
  93. // Get the login lockout time left
  94. $loginLockoutTimeLeft = $userFailedLogin->getLoginLockoutTimer($lastUsername);
  95. // If there is a lockout time left, load the login lockout screen and pass relevant variables
  96. if ($loginLockoutTimeLeft !== null) {
  97. // Load the login lockout screen and pass relevant variables
  98. return $this->render('security/loginLockout.html.twig', ['loginLockoutTimeLeft' => $loginLockoutTimeLeft]);
  99. }
  100. }
  102. // Use the SecurityHelper to add a random delay
  103. $this->securityTimeDelayHelper->addRandomDelay($startTime);
  105. // Load the login screen and pass relevant variables
  106. return $this->render('security/login.html.twig', [
  107. 'last_username' => $lastUsername,
  108. 'error' => $error,
  109. 'failedLoginCount' => $currentCount,
  110. 'IPfailedLoginCount' => $IPcurrentCount,
  111. 'maxAttempts' => $maxAttempts,
  112. 'IPmaxAttempts' => $IPmaxAttempts,
  113. ]);
  114. }
  116. /**
  117. * @Route("/logout", name="logout")
  118. */
  119. public function logout(): void
  120. {
  121. throw new LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.');
  122. }
  123. }