AutoLoginMiddleware #218

src/User/AutoLogin.php

@@ -0,0 +1,66 @@
+<?php
+
+
+namespace Yiisoft\Yii\Web\User;
+
+use DateInterval;
+use Psr\Http\Message\ResponseInterface;
+use Yiisoft\Yii\Web\Cookie;
+
+/**
+ * The service is used to send or remove auto-login cookie.
+ *
+ * @see AutoLoginIdentityInterface
+ * @see AutoLoginMiddleware
+ */
+class AutoLogin
+{
+    private string $cookieName = 'autoLogin';
+    private DateInterval $duration;
+
+    public function __construct(DateInterval $duration)
+    {
+        $this->duration = $duration;
+    }
+
+    public function withCookieName(string $name): self
+    {
+        $new = clone $this;
+        $new->cookieName = $name;
+        return $new;
+    }
+
+    /**
+     * Add auto-login cookie to response so the user is logged in automatically based on cookie even if session
+     * is expired.
+     *
+     * @param AutoLoginIdentityInterface $identity
+     * @param ResponseInterface $response Response to handle
+     */
+    public function addCookie(AutoLoginIdentityInterface $identity, ResponseInterface $response): void
+    {
+        $data = json_encode([
+            $identity->getId(),
+            $identity->getAutoLoginKey()
+        ], JSON_THROW_ON_ERROR | JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE);
+
+        (new Cookie($this->cookieName, $data))
+            ->withMaxAge($this->duration)
+            ->addToResponse($response);
+    }
+
+    /**
+     * Expire auto-login cookie so user is not logged in automatically anymore.
+     */
+    public function expireCookie(ResponseInterface $response): void
+    {
+        (new Cookie($this->cookieName))
+            ->expire()
+            ->addToResponse($response);
+    }
+
+    public function getCookieName(): string
+    {
+        return $this->cookieName;
+    }
+}

src/User/AutoLoginIdentityInterface.php

@@ -0,0 +1,42 @@
+<?php
+
+namespace Yiisoft\Yii\Web\User;
+
+use Yiisoft\Auth\IdentityInterface;
+
+/**
+ * AutoLoginIdentityInterface should be implemented in order to automatically log user in based on a cookie.
+ *
+ * @see AutoLogin
+ * @see AutoLoginMiddleware
+ */
+interface AutoLoginIdentityInterface extends IdentityInterface
+{
+    /**
+     * Returns a key that can be used to check the validity of a given identity ID.
+     *
+     * The key should be unique for each individual user, and should be persistent
+     * so that it can be used to check the validity of the user identity.
+     *
+     * The space of such keys should be big enough to defeat potential identity attacks.
+     *
+     * The returned key will be stored on the client side as part of a cookie and will be used to authenticate user even
+     * if PHP session has been expired.
+     *
+     * Make sure to invalidate earlier issued keys when you implement force user logout, password change and
+     * other scenarios, that require forceful access revocation for old sessions.
+     *
+     * @return string a key that is used to check the validity of a given identity ID.
+     * @see validateAutoLoginKey()
+     */
+    public function getAutoLoginKey(): string;
+
+    /**
+     * Validates the given key.
+     *
+     * @param string $key the given key
+     * @return bool whether the given key is valid.
+     * @see getAutoLoginKey()
+     */
+    public function validateAutoLoginKey(string $key): bool;
+}

src/User/AutoLoginMiddleware.php

@@ -1,16 +1,99 @@
 <?php
 
+declare(strict_types=1);
+
 namespace Yiisoft\Yii\Web\User;
 
+use Psr\Http\Server\RequestHandlerInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Log\LoggerInterface;
+use Yiisoft\Auth\IdentityRepositoryInterface;
+
 /**
- * AutoLoginMiddleware automatically logs user in based on "remember me" cookie
+ * AutoLoginMiddleware automatically logs user in based on cookie.
  */
-class AutoLoginMiddleware
+final class AutoLoginMiddleware implements MiddlewareInterface
 {
     private User $user;
+    private IdentityRepositoryInterface $identityRepository;
+    private LoggerInterface $logger;
+    private AutoLogin $autoLogin;
 
-    public function __construct(User $user)
-    {
+    public function __construct(
+        User $user,
+        IdentityRepositoryInterface $identityRepository,
+        LoggerInterface $logger,
+        AutoLogin $autoLogin
+    ) {
         $this->user = $user;
+        $this->identityRepository = $identityRepository;
+        $this->logger = $logger;
+        $this->autoLogin = $autoLogin;
+    }
+
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        $this->authenticateUserByCookieFromRequest($request);
+        $guestBeforeHandle = $this->user->isGuest();
+        $response = $handler->handle($request);
+        $guestAfterHandle = $this->user->isGuest();
+
+        if ($guestBeforeHandle && !$guestAfterHandle) {
+            $this->autoLogin->addCookie($this->user->getIdentity(false), $response);
+        }
+
+        if (!$guestBeforeHandle && $guestAfterHandle) {
+            $this->autoLogin->expireCookie($response);
+        }
+
+        return $response;
+    }
+
+    /**
+     * Authenticate user by auto login cookie from request.
+     *
+     * @param ServerRequestInterface $request Request instance containing auto login cookie.
+     */
+    private function authenticateUserByCookieFromRequest(ServerRequestInterface $request): void
+    {
+        $cookieName = $this->autoLogin->getCookieName();
+        $cookies = $request->getCookieParams();
+
+        if (!array_key_exists($cookieName, $cookies)) {
+            return;
+        }
+
+        try {
+            $data = json_decode($cookies[$cookieName], true, 512, JSON_THROW_ON_ERROR);
+        } catch (\Exception $e) {
+            $this->logger->warning('Unable to authenticate user by cookie. Invalid cookie.');
+            return;
+        }
+
+        if (!is_array($data) || count($data) !== 2) {
+            $this->logger->warning('Unable to authenticate user by cookie. Invalid cookie.');
+            return;
+        }
+
+        [$id, $key] = $data;
+        $identity = $this->identityRepository->findIdentity($id);
+
+        if ($identity === null) {
+            $this->logger->warning("Unable to authenticate user by cookie. Identity \"$id\" not found.");
+            return;
+        }
+
+        if (!$identity instanceof AutoLoginIdentityInterface) {
+            throw new \RuntimeException('Identity repository must return an instance of \Yiisoft\Yii\Web\User\AutoLoginIdentityInterface in order for auto-login to function.');
+        }
+
+        if (!$identity->validateAutoLoginKey($key)) {
+            $this->logger->warning('Unable to authenticate user by cookie. Invalid key.');
+            return;
+        }
+
+        $this->user->login($identity);
     }
 }

src/User/Event/AfterLogin.php

@@ -7,21 +7,14 @@
 class AfterLogin
 {
     private IdentityInterface $identity;
-    private int $duration;
 
-    public function __construct(IdentityInterface $identity, int $duration)
+    public function __construct(IdentityInterface $identity)
     {
         $this->identity = $identity;
-        $this->duration = $duration;
     }
 
     public function getIdentity(): IdentityInterface
     {
         return $this->identity;
     }
-
-    public function getDuration(): int
-    {
-        return $this->duration;
-    }
 }

src/User/Event/BeforeLogin.php

@@ -7,13 +7,11 @@
 class BeforeLogin
 {
     private IdentityInterface $identity;
-    private int $duration;
     private bool $isValid = true;
 
-    public function __construct(IdentityInterface $identity, int $duration)
+    public function __construct(IdentityInterface $identity)
     {
         $this->identity = $identity;
-        $this->duration = $duration;
     }
 
     public function invalidate(): void
@@ -30,9 +28,4 @@ public function getIdentity(): IdentityInterface
     {
         return $this->identity;
     }
-
-    public function getDuration(): int
-    {
-        return $this->duration;
-    }
 }