src/EventListener/TwoFactorAuthenticationListener.php line 135

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\EventListener;
  5. use MedBrief\MSR\Service\Security\IPFailedLogin;
  6. use MedBrief\MSR\Service\Security\UserFailedLogin;
  7. use Scheb\TwoFactorBundle\Model\BackupCodeInterface;
  8. use Symfony\Component\HttpFoundation\RedirectResponse;
  9. use Symfony\Component\HttpFoundation\Request;
  10. use Symfony\Component\HttpFoundation\RequestStack;
  11. use Symfony\Component\RateLimiter\LimiterInterface;
  12. use Symfony\Component\RateLimiter\RateLimiterFactory;
  13. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  14. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  15. use Symfony\Component\Security\Core\User\UserInterface;
  17. // This listener listens for two-factor authentication failures and implements rate limiting.
  18. // Users are allowed a maximum of five incorrect 2FA attempts within a five-minute window.
  19. // If the limit is reached, a "rateLimited" flag is stored in the session.
  21. class TwoFactorAuthenticationListener
  22. {
  23. private readonly LimiterInterface $rateLimiter;
  25. private readonly string $clientIpAddress;
  27. public function __construct(
  28. RateLimiterFactory $authenticatedApiLimiter,
  29. private readonly RequestStack $requestStack,
  30. private readonly UserFailedLogin $userFailedLogin,
  31. private readonly IPFailedLogin $IPFailedLogin,
  32. private readonly TokenStorageInterface $tokenStorage,
  33. private readonly UrlGeneratorInterface $urlGenerator,
  34. string $rateLimiterName = 'authenticated_api'
  35. ) {
  36. $this->rateLimiter = $authenticatedApiLimiter->create($rateLimiterName);
  37. $this->clientIpAddress = Request::createFromGlobals()->getClientIp() ?? 'Unknown';
  39. }
  41. /**
  42. * Handles the event when the two-factor authentication form is shown.
  43. *
  44. * This function checks if the current request should be allowed by invoking
  45. * the allowRequest method, which manages rate limiting and login failures.
  46. */
  47. public function onTwoFactorAuthenticationShowForm(): void
  48. {
  49. $this->allowRequest();
  50. }
  52. /**
  53. * Handles the event when the two-factor authentication form is submitted.
  54. *
  55. * This function checks if the current request should be allowed by invoking
  56. * the allowRequest method, which manages rate limiting and login failures. This
  57. * managed /2fa_check
  58. */
  59. public function onTwoFactorAuthenticationAttempt(): void
  60. {
  61. // Additional security added to prevent CSRF attacks.
  62. // If a HTTP GET is attempted instead of a POST, immediately set the rateLimited flag
  63. if ($this->requestStack->getCurrentRequest()->query->has('_auth_code')) {
  64. $session = $this->requestStack->getSession();
  66. // If the session is not started, start it
  67. if (!$session->isStarted()) {
  68. $session->start();
  69. }
  71. // Set the rateLimited flag and log a failure against the username
  72. $session->set('rateLimited', true);
  73. $username = $this->getCurrentUsername();
  74. if ($username !== null) {
  75. $this->userFailedLogin->loginFailure($username, true, true);
  76. $this->IPFailedLogin->loginFailure($username, true, true);
  77. }
  78. }
  80. // If the request is not allowed, redirect to logout
  81. if ($this->allowRequest() === false) {
  82. $response = new RedirectResponse($this->urlGenerator->generate('logout'));
  83. $response->send();
  84. exit();
  85. }
  86. }
  88. /**
  89. * Handles the event when two-factor authentication is successful.
  90. *
  91. * This function will reset the rate limiter and remove the 'rateLimited' flag
  92. * from the session after a successful two-factor authentication.
  93. */
  94. public function onTwoFactorAuthenticationSuccess(): void
  95. {
  96. // Get the current session from the request stack
  97. $session = $this->requestStack->getSession();
  99. // Get the current username from the request stack
  100. $username = $this->getCurrentUsername();
  102. // Reset rate limiter
  103. $session->remove('rateLimited');
  105. // Reset ipBlacklisted and blacklistedIPValue
  106. $session->remove('ipBlacklisted');
  107. $session->remove('blacklistedIPValue');
  109. // Set user login failures to be cleared
  110. $this->userFailedLogin->loginFailureClear($username);
  111. // Set IP address login failures to be cleared
  112. $this->IPFailedLogin->loginFailureClear($username);
  114. // Grab the user and check if they have used their last backup code
  115. $token = $this->tokenStorage->getToken();
  116. $user = $token->getUser();
  118. if ($user instanceof BackupCodeInterface) {
  119. // If no backup codes remain then redirect to re-generation page
  120. if (!$user->hasBackupCodes()) {
  121. $response = new RedirectResponse($this->urlGenerator->generate('mfa_regenerate_backup_codes'));
  122. $response->send();
  123. }
  124. }
  125. }
  127. /**
  128. * Handles the event when two-factor authentication fails.
  129. *
  130. * This function will decrement the rate limiter and set a 'rateLimited' flag
  131. * in the session if the rate limit is exceeded or if the maximum number of
  132. * OTP attempts is reached. If the rate limit is not exceeded, the
  133. * 'rateLimited' flag is removed from the session.
  134. */
  135. public function onTwoFactorAuthenticationFailure(): void
  136. {
  137. $limit = $this->rateLimiter->consume(1);
  138. $session = $this->requestStack->getSession();
  140. if (!$session->isStarted()) {
  141. $session->start();
  142. }
  144. $username = $this->getCurrentUsername();
  145. if ($username !== null) {
  146. $failedOtpCount = $this->userFailedLogin->loginFailure($username, true)['currentOtpCount'];
  147. $failedIPOtpCount = $this->IPFailedLogin->loginFailure($username, true)['currentOtpCount'];
  148. } else {
  149. return;
  150. }
  152. if (!$limit->isAccepted() || $failedOtpCount >= $this->userFailedLogin->getMaxOtpAttempts()) {
  153. // Fails OTP and sets rateLimited flag
  154. $session->set('rateLimited', true);
  155. }
  157. if ($failedIPOtpCount >= $this->IPFailedLogin->getMaxOtpAttempts()) {
  158. // Fails OTP for IP Blacklisting
  159. $session->set('ipBlacklisted', true);
  160. $session->set('blacklistedIPValue', $this->clientIpAddress);
  161. }
  162. }
  164. /**
  165. * Gets the current username if available.
  166. *
  167. * The username is obtained from the currently authenticated user.
  168. * If there is no authenticated user, the method returns null.
  169. *
  170. * @return string|null The current username or null if no user is authenticated.
  171. */
  172. private function getCurrentUsername(): ?string
  173. {
  174. // Get User Token
  175. $token = $this->tokenStorage->getToken();
  176. if (!$token) {
  177. return null;
  178. }
  180. // Get User
  181. $user = $token->getUser();
  182. if (!$user instanceof UserInterface) {
  183. return null;
  184. }
  186. return $user->getUsername() ?? null; // TODO: Replace with `getUserIdentifier()` when upgrading Symfony
  187. }
  189. /**
  190. * Sets the rateLimited session flag if the user has exceeded the maximum otp attempts.
  191. *
  192. * @return bool true if the rateLimited flag was set, false otherwise.
  193. */
  194. private function allowRequest(): bool
  195. {
  196. $session = $this->requestStack->getSession();
  198. if (!$session->isStarted()) {
  199. $session->start();
  200. }
  202. $username = $this->getCurrentUsername();
  203. if ($username !== null && !$this->userFailedLogin->loginAllow($username)) {
  204. $session->set('rateLimited', true);
  205. return false;
  206. }
  208. if (!$this->IPFailedLogin->loginAllow()) {
  209. $session->set('ipBlacklisted', true);
  210. $session->set('blacklistedIPValue', $this->clientIpAddress);
  211. return false;
  212. }
  214. return true;
  215. }
  216. }