src/EventSubscriber/Enforce2FASubscriber.php line 122

Open in your IDE?
  1. <?php
  3. namespace MedBrief\MSR\EventSubscriber;
  5. use Override;
  6. use Doctrine\ORM\EntityManagerInterface;
  7. use MedBrief\MSR\Entity\User;
  8. use MedBrief\MSR\Entity\UserPolicy;
  9. use MedBrief\MSR\Security\MedBriefLoginAuthenticator;
  10. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvent;
  11. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvents;
  12. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  13. use Symfony\Component\HttpFoundation\RedirectResponse;
  14. use Symfony\Component\HttpKernel\Event\RequestEvent;
  15. use Symfony\Component\HttpKernel\KernelEvents;
  16. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  17. use Symfony\Component\Routing\RouterInterface;
  18. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  20. class Enforce2FASubscriber implements EventSubscriberInterface
  21. {
  22. public function __construct(private readonly RouterInterface $router, private readonly TokenStorageInterface $tokenStorage, private readonly EntityManagerInterface $entityManager)
  23. {
  24. }
  26. #[Override]
  27. public static function getSubscribedEvents(): array
  28. {
  29. return [
  30. KernelEvents::REQUEST => [
  31. ['enforce2FA', 0],
  32. ],
  33. TwoFactorAuthenticationEvents::COMPLETE => [
  34. ['onTwoFactorAuthenticationComplete', 0],
  35. ],
  36. ];
  37. }
  39. public function enforce2FA(RequestEvent $event): void
  40. {
  41. $request = $event->getRequest();
  43. // Check if we need to redirect for policy acceptance
  44. if ($request->getSession()->has('policy_redirect_needed')
  45. && $request->getSession()->get('policy_redirect_needed') === true) {
  47. $redirectUrl = $request->getSession()->get('policy_redirect_url');
  48. $request->getSession()->remove('policy_redirect_needed');
  49. $request->getSession()->remove('policy_redirect_url');
  51. $event->setResponse(new RedirectResponse($redirectUrl));
  52. return; // Exit early
  53. }
  55. $token = $this->tokenStorage->getToken();
  56. $user = null;
  57. if ($token) {
  58. /** @var User $user */
  59. $user = $token->getUser();
  60. }
  62. $enforce2FADetail = $request->getSession()->get(MedBriefLoginAuthenticator::ENFORCE_2FA_DETAIL_SESSION_KEY);
  64. // Check if 2FA is required from the session variable.
  65. // If the user is set, and the user has enabled 2FA...
  66. if (is_array($enforce2FADetail) && $enforce2FADetail['2faRequired'] === true && $user) {
  67. if ($user->hasEnabledMfa()) {
  68. // Redirect to the target path or the dashboard, and remove the session indicator for 2FA required.
  69. $targetPath = $enforce2FADetail['targetPath'];
  70. if ($targetPath !== null) {
  71. $event->setResponse(new RedirectResponse($targetPath));
  72. } else {
  73. $event->setResponse(new RedirectResponse($this->router->generate('infology_medbrief_dashboard')));
  74. }
  76. $request->getSession()->remove(MedBriefLoginAuthenticator::ENFORCE_2FA_DETAIL_SESSION_KEY);
  77. } else {
  78. // Allowed routes that do not require 2FA
  79. $allowedRoutes = [
  80. 'mfa_enable',
  81. 'mfa_enable_force',
  82. 'mfa_generate_codes',
  83. 'mfa_generate_initial_codes',
  84. 'auth_app_enable',
  85. 'auth_app_disable',
  86. 'email_mfa_enable',
  87. 'email_mfa_disable',
  88. 'user_policy_accept_decline',
  89. 'user_policy_accept_policies',
  90. 'user_policy_decline_policies',
  91. 'logout',
  92. ];
  94. // Redirect to the 2FA setup page if the current route is not allowed
  95. if (!in_array($request->attributes->get('_route'), $allowedRoutes, true)) {
  97. // Create the redirect URL
  98. $redirectUrl = $this->router->generate('mfa_enable_force');
  100. // Only proceed with policy checks for users WITHOUT 2FA
  101. $relevantPolicies = $this->entityManager->getRepository(UserPolicy::class)
  102. ->findUnacceptedActivePoliciesForUser($user->getId())
  103. ;
  105. // If the user has any pending policies, store them in the session along with the targetPath
  106. if ($relevantPolicies != null && $relevantPolicies != []) {
  108. $request->getSession()->set('pending-policies', $relevantPolicies);
  109. $request->getSession()->set('pending-policies-detail', [
  110. 'targetPath' => $redirectUrl,
  111. ]);
  113. }
  115. // Set the response with the combined URL
  116. $event->setResponse(new RedirectResponse($redirectUrl));
  117. }
  118. }
  119. }
  120. }
  122. public function onTwoFactorAuthenticationComplete(TwoFactorAuthenticationEvent $event): void
  123. {
  124. $request = $event->getRequest();
  125. $token = $this->tokenStorage->getToken();
  126. $user = null;
  127. if ($token) {
  128. /** @var User $user */
  129. $user = $token->getUser();
  130. }
  132. $targetPath = $request->getSession()->get('_security.main.target_path');
  134. $relevantPolicies = $this->entityManager->getRepository(UserPolicy::class)
  135. ->findUnacceptedActivePoliciesForUser($user->getId())
  136. ;
  138. // If the user has any pending policies, store them in the session along with the targetPath
  139. if ($relevantPolicies != null && $relevantPolicies != []) {
  140. $request->getSession()->set('pending-policies', $relevantPolicies);
  141. $request->getSession()->set('pending-policies-detail', [
  142. 'targetPath' => $targetPath,
  143. ]);
  145. // Store the redirect URL in the session
  146. $request->getSession()->set('policy_redirect_needed', true);
  147. $request->getSession()->set(
  148. 'policy_redirect_url',
  149. $targetPath
  150. );
  151. }
  152. }
  153. }