src/EventListener/JWTCreatedListener.php line 34

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\EventListener;
  5. use Lexik\Bundle\JWTAuthenticationBundle\Event\AuthenticationFailureEvent;
  6. use Lexik\Bundle\JWTAuthenticationBundle\Event\JWTCreatedEvent;
  7. use Lexik\Bundle\JWTAuthenticationBundle\Response\JWTAuthenticationFailureResponse;
  8. use MedBrief\MSR\Service\Security\SecurityTimeDelayHelperService;
  10. class JWTCreatedListener
  11. {
  12. public function __construct(private readonly SecurityTimeDelayHelperService $securityTimeDelayHelper)
  13. {
  14. }
  16. /**
  17. * Handles successful JWT creation.
  18. *
  19. * @param JWTCreatedEvent $event
  20. */
  21. public function onJWTAuthenticationSuccess(JWTCreatedEvent $event): void
  22. {
  23. $payload = $event->getData();
  24. $userId = $event->getUser()->getId();
  25. $payload['uid'] = $userId;
  26. $event->setData($payload);
  27. }
  29. /**
  30. * Handles authentication failure events.
  31. *
  32. * @param AuthenticationFailureEvent $event
  33. */
  34. public function onJWTAuthenticationFailed(AuthenticationFailureEvent $event): void
  35. {
  36. // Start time of the request processing
  37. $startTime = microtime(true);
  39. // This is for email enumeration attacks
  40. // Use the SecurityHelper to determine if the user exists
  41. $userExists = $this->securityTimeDelayHelper->determineIfUserExists();
  43. if (!$userExists) {
  44. // Add an extra delay for wrong email to match password timing
  45. usleep(600 * 1000);
  46. }
  48. // Use the SecurityHelper to add a random delay
  49. $this->securityTimeDelayHelper->addRandomDelay($startTime);
  51. $responseMessage = 'Bad credentials, please verify that your username/password are correctly set.';
  53. $response = new JWTAuthenticationFailureResponse($responseMessage);
  55. $event->setResponse($response);
  56. }
  57. }