[RTM] Use Symfony Security for authentication purposes in Contao

composer.json

@@ -22,7 +22,7 @@
         "symfony/http-foundation": "^3.4",
         "symfony/lock": "^3.4",
         "symfony/proxy-manager-bridge": "^3.4",
-        "symfony/security": "^3.4",
+        "symfony/security-bundle": "^3.4",
         "symfony/yaml": "^3.4",
         "sensio/framework-extra-bundle": "^3.0.2",
         "symfony/swiftmailer-bundle": "^2.3.10",

src/Controller/BackendController.php

@@ -85,7 +85,10 @@ public function passwordAction(): Response
      */
     public function previewAction(): Response
     {
+        $request = $this->container->get('request_stack')->getCurrentRequest();
+
         $this->container->get('contao.framework')->initialize();
+        $this->container->get('contao.security.frontend_preview_authenticator')->authenticateFrontendUser($request->get('user'));
 
         $controller = new BackendPreview();
 
@@ -224,4 +227,13 @@ public function pickerAction(Request $request): RedirectResponse
 
         return new RedirectResponse($picker->getCurrentUrl());
     }
+
+    /**
+     * Symfony will un-authenticate the user automatically by calling this route.
+     *
+     * @Route("/contao/logout", name="contao_backend_logout")
+     */
+    public function logoutAction(): void
+    {
+    }
 }

src/Controller/FrontendController.php

@@ -64,4 +64,22 @@ public function shareAction(): RedirectResponse
 
         return $controller->run();
     }
+
+    /**
+     * Symfony will un-authenticate the user automatically by calling this route.
+     *
+     * @Route("/_contao/logout", name="contao_frontend_logout")
+     */
+    public function logoutAction(): void
+    {
+    }
+
+    /**
+     * Symfony will authenticate the user automatically by calling this route.
+     *
+     * @Route("/_contao/login", name="contao_frontend_login")
+     */
+    public function loginAction(): void
+    {
+    }
 }

src/EventListener/InteractiveLoginListener.php

@@ -0,0 +1,71 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of Contao.
+ *
+ * Copyright (c) 2005-2017 Leo Feyer
+ *
+ * @license LGPL-3.0+
+ */
+
+namespace Contao\CoreBundle\EventListener;
+
+use Contao\CoreBundle\Monolog\ContaoContext;
+use Contao\System;
+use Contao\User;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
+
+/**
+ * Interactive login listener to log successful login attempts.
+ */
+class InteractiveLoginListener
+{
+    protected $logger;
+
+    public function __construct(LoggerInterface $logger)
+    {
+        $this->logger = $logger;
+    }
+
+    public function onInteractiveLogin(InteractiveLoginEvent $event): void
+    {
+        /** @var UserInterface $user */
+        $user = $event->getAuthenticationToken()->getUser();
+
+        if (!$user instanceof User) {
+            return;
+        }
+
+        $this->logger->info(
+            sprintf('User %s has logged in.', $user->username),
+            ['contao' => new ContaoContext(__METHOD__, ContaoContext::ACCESS)]
+        );
+
+        $this->triggerLegacyPostLoginHook($user);
+    }
+
+    /**
+     * The postLogin hook is triggered after a user has logged in. This can be either in the back end or the front end.
+     * It passes the user object as argument and does not expect a return value.
+     *
+     * @param User $user
+     *
+     * @deprecated Deprecated since Contao 4.x, to be removed in Contao 5.0.
+     */
+    protected function triggerLegacyPostLoginHook(User $user): void
+    {
+        @trigger_error('Using InteractiveLoginListener::triggerLegacyPostLoginHook() has been deprecated and will no longer work in Contao 5.0. Use the security.interactive_login event instead.', E_USER_DEPRECATED);
+
+        // HOOK: post login callback
+        if (isset($GLOBALS['TL_HOOKS']['postLogin']) && is_array($GLOBALS['TL_HOOKS']['postLogin'])) {
+            foreach ($GLOBALS['TL_HOOKS']['postLogin'] as $callback) {
+                $user->objLogin = System::importStatic($callback[0], 'objLogin', true);
+                $user->objLogin->{$callback[1]}($user);
+            }
+        }
+    }
+}

src/EventListener/SwitchUserListener.php

@@ -0,0 +1,54 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of Contao.
+ *
+ * Copyright (c) 2005-2017 Leo Feyer
+ *
+ * @license LGPL-3.0+
+ */
+
+namespace Contao\CoreBundle\EventListener;
+
+use Contao\BackendUser;
+use Contao\CoreBundle\Monolog\ContaoContext;
+use Psr\Log\LoggerInterface;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
+use Symfony\Component\Security\Http\Event\SwitchUserEvent;
+
+/**
+ * SwitchUserListener allows a user to impersonate another one temporarily
+ * (like the Unix su command).
+ */
+class SwitchUserListener
+{
+    protected $logger;
+    protected $tokenStorage;
+
+    public function __construct(LoggerInterface $logger, TokenStorageInterface $tokenStorage)
+    {
+        $this->logger = $logger;
+        $this->tokenStorage = $tokenStorage;
+    }
+
+    /**
+     * Logs the switch to another user.
+     *
+     * @param SwitchUserEvent $event
+     */
+    public function onSwitchUser(SwitchUserEvent $event): void
+    {
+        /** @var BackendUser $user */
+        $user = $this->tokenStorage->getToken()->getUser();
+
+        /** @var BackendUser $targetUser */
+        $targetUser = $event->getTargetUser();
+
+        $this->logger->info(
+            sprintf('User %s has switched to user %s.', $user->username, $targetUser->username),
+            ['contao' => new ContaoContext(__METHOD__, ContaoContext::ACCESS)]
+        );
+    }
+}

src/Exception/UserNotFoundException.php

@@ -0,0 +1,20 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of Contao.
+ *
+ * Copyright (c) 2005-2017 Leo Feyer
+ *
+ * @license LGPL-3.0+
+ */
+
+namespace Contao\CoreBundle\Exception;
+
+/**
+ * UserNotFoundException is thrown if a User cannot be found.
+ */
+class UserNotFoundException extends \RuntimeException
+{
+}

src/Resources/config/listener.yml

@@ -163,3 +163,19 @@ services:
         tags:
             - { name: kernel.event_listener, event: kernel.request, method: onKernelRequest }
             - { name: kernel.event_listener, event: kernel.response, method: onKernelResponse }
+
+    contao.security.switch_user_listener:
+        class: Contao\CoreBundle\EventListener\SwitchUserListener
+        arguments:
+            - "@logger"
+            - "@security.token_storage"
+        tags:
+            - { name: kernel.event_listener, event: security.switch_user, method: onSwitchUser }
+            - { name: monolog.logger, channel: contao }
+
+    contao.security.interactive_login_listener:
+        class: Contao\CoreBundle\EventListener\InteractiveLoginListener
+        arguments:
+            - "@logger"
+        tags:
+            - { name: kernel.event_listener, event: security.interactive_login, method: onInteractiveLogin }

src/Resources/config/security.yml

@@ -0,0 +1,76 @@
+security:
+    providers:
+        contao.security.backend_user_provider:
+            id: contao.security.backend_user_provider
+
+        contao.security.frontend_user_provider:
+            id: contao.security.frontend_user_provider
+
+    encoders:
+        default:
+            algorithm: bcrypt
+
+        legacy:
+            id: contao.security.legacy_password_encoder
+
+    firewalls:
+        dev:
+            pattern: ^/(_(profiler|wdt|error)|css|images|js)/
+            security: false
+
+        install:
+            pattern: ^/contao/install
+            security: false
+
+        contao_backend:
+            request_matcher: contao.routing.backend_matcher
+            provider: contao.security.backend_user_provider
+            user_checker: contao.security.user_checker
+            anonymous: ~
+            switch_user: true
+
+            form_login:
+                login_path: contao_backend_login
+                check_path: contao_backend_login
+                default_target_path: contao_backend
+                success_handler: contao.security.authentication_success_handler
+                username_parameter: username
+                password_parameter: password
+
+            logout:
+                path: contao_backend_logout
+                target: contao_backend
+                success_handler: contao.security.logout_success_handler
+                handlers:
+                    - contao.security.logout_handler
+
+        contao_frontend:
+            request_matcher: contao.routing.frontend_matcher
+            provider: contao.security.frontend_user_provider
+            user_checker: contao.security.user_checker
+            anonymous: ~
+            switch_user: false
+
+            form_login:
+                login_path: contao_frontend_login
+                check_path: contao_frontend_login
+                default_target_path: contao_index
+                failure_handler: contao.security.authentication_failure_handler
+                success_handler: contao.security.authentication_success_handler
+                username_parameter: username
+                password_parameter: password
+                remember_me: true
+
+            remember_me:
+                secret:   '%secret%'
+                remember_me_parameter: autologin
+
+            logout:
+                path: contao_frontend_logout
+                success_handler: contao.security.logout_success_handler
+                handlers:
+                    - contao.security.logout_handler
+
+    access_control:
+        - { path: ^/contao/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/contao, roles: ROLE_USER }