vendor/scheb/2fa-bundle/Security/Http/Firewall/TwoFactorAccessListener.php line 21

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace Scheb\TwoFactorBundle\Security\Http\Firewall;
  7. use Scheb\TwoFactorBundle\Security\Authentication\Token\TwoFactorTokenInterface;
  8. use Scheb\TwoFactorBundle\Security\Authorization\TwoFactorAccessDecider;
  9. use Scheb\TwoFactorBundle\Security\TwoFactor\TwoFactorFirewallConfig;
  10. use Symfony\Component\HttpFoundation\Request;
  11. use Symfony\Component\HttpKernel\Event\RequestEvent;
  12. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  13. use Symfony\Component\Security\Core\Exception\AccessDeniedException;
  14. use Symfony\Component\Security\Http\Firewall\AbstractListener;
  16. /**
  17. * Handles access control in the "2fa in progress" phase.
  18. *
  19. * @final
  20. */
  21. class TwoFactorAccessListener extends AbstractListener implements FirewallListenerInterface
  22. {
  23. /**
  24. * @var TwoFactorFirewallConfig
  25. */
  26. private $twoFactorFirewallConfig;
  28. /**
  29. * @var TokenStorageInterface
  30. */
  31. private $tokenStorage;
  33. /**
  34. * @var TwoFactorAccessDecider
  35. */
  36. private $twoFactorAccessDecider;
  38. public function __construct(
  39. TwoFactorFirewallConfig $twoFactorFirewallConfig,
  40. TokenStorageInterface $tokenStorage,
  41. TwoFactorAccessDecider $twoFactorAccessDecider
  42. ) {
  43. $this->twoFactorFirewallConfig = $twoFactorFirewallConfig;
  44. $this->tokenStorage = $tokenStorage;
  45. $this->twoFactorAccessDecider = $twoFactorAccessDecider;
  46. }
  48. public function supports(Request $request): ?bool
  49. {
  50. // When the path is explicitly configured for anonymous access, no need to check access (important for lazy
  51. // firewalls, to prevent the response cache control to be flagged "private")
  52. return !$this->twoFactorAccessDecider->isPubliclyAccessible($request);
  53. }
  55. public function authenticate(RequestEvent $event): void
  56. {
  57. // When the firewall is lazy, the token is not initialized in the "supports" stage, so this check does only work
  58. // within the "authenticate" stage.
  59. $token = $this->tokenStorage->getToken();
  60. if (!($token instanceof TwoFactorTokenInterface)) {
  61. // No need to check for firewall name here, the listener is bound to the firewall context
  62. return;
  63. }
  65. /** @var TwoFactorTokenInterface $token */
  66. $token = $this->tokenStorage->getToken();
  67. $request = $event->getRequest();
  68. if ($this->twoFactorFirewallConfig->isCheckPathRequest($request)) {
  69. return;
  70. }
  72. if ($this->twoFactorFirewallConfig->isAuthFormRequest($request)) {
  73. return;
  74. }
  76. if (!$this->twoFactorAccessDecider->isAccessible($request, $token)) {
  77. $exception = new AccessDeniedException('User is in a two-factor authentication process.');
  78. $exception->setSubject($request);
  80. throw $exception;
  81. }
  82. }
  84. public static function getPriority(): int
  85. {
  86. // When the class is injected via FirewallListenerFactoryInterface
  87. // Inject before Symfony's AccessListener (-255) and after the LogoutListener (-127)
  88. return -191;
  89. }
  90. }