AutoLoginMiddleware #218

src/User/AutoLoginMiddleware.php

@@ -1,16 +1,90 @@
 <?php
 
+declare(strict_types=1);
+
 namespace Yiisoft\Yii\Web\User;
 
+use Psr\Http\Server\RequestHandlerInterface;
+use Psr\Http\Message\ResponseInterface;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\MiddlewareInterface;
+use Psr\Log\LoggerInterface;
+use Yiisoft\Auth\IdentityRepositoryInterface;
+use Yiisoft\Yii\Web\User\User;
+
 /**
  * AutoLoginMiddleware automatically logs user in based on "remember me" cookie
  */
-class AutoLoginMiddleware
+final class AutoLoginMiddleware implements MiddlewareInterface
 {
     private User $user;
+    private IdentityRepositoryInterface $identityRepository;
+    private LoggerInterface $logger;
 
-    public function __construct(User $user)
-    {
+    public function __construct(
+        User $user,
+        IdentityRepositoryInterface $identityRepository,
+        LoggerInterface $logger
+    ) {
         $this->user = $user;
+        $this->identityRepository = $identityRepository;
+        $this->logger = $logger;
+    }
+
+    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
+    {
+        if (!$this->authenticateUserFromRequest($request)) {
+            $this->logger->warning('Unable to authenticate used by cookie.');
+        }
+
+        return $handler->handle($request);
+    }
+
+    /**
+     * Parse and determines if an identity cookie has a valid format.
+     * @param ServerRequestInterface $request Request to handle
+     * @return array Returns an array of 'identity' and 'duration' if valid, otherwise [].
+     */
+    private function parseCredentials(ServerRequestInterface $request): array
+    {
+        try {
+            $cookies = $request->getCookieParams();
+            $data = json_decode($cookies['remember'], true, 512, JSON_THROW_ON_ERROR);
+        } catch (\Exception $e) {
+            return [];
+        }
+
+        if (!is_array($data) || count($data) !== 3) {
+            return [];
+        }
+
+        [$id, $authKey, $duration] = $data;
+        $identity = $this->identityRepository->findIdentity($id);
+        if ($identity === null) {
+            return [];
+        }
+
+        if (!$this->user->validateAuthKey($authKey)) {
+            $this->logger->warning('Unable to authenticate used by cookie. Invalid auth key.');
+            return [];
+        }
+
+        return ['identity' => $identity, 'duration' => $duration];
+    }
+
+    /**
+     * Check if the user can authenticate and if everything is ok, authenticate
+     * @param ServerRequestInterface $request Request to handle
+     * @return bool
+     */
+    private function authenticateUserFromRequest(ServerRequestInterface $request): bool
+    {
+        $data = $this->parseCredentials($request);
+
+        if ($data === []) {
+            return false;
+        }
+
+        return $this->user->login($data['identity'], $data['duration']);
     }
 }

src/User/User.php

@@ -2,17 +2,20 @@
 
 namespace Yiisoft\Yii\Web\User;
 
+use Nyholm\Psr7\Response;
 use Psr\EventDispatcher\EventDispatcherInterface;
 use Yiisoft\Access\AccessCheckerInterface;
 use Yiisoft\Auth\IdentityInterface;
 use Yiisoft\Auth\IdentityRepositoryInterface;
+use Yiisoft\Yii\Web\Cookie;
 use Yiisoft\Yii\Web\Session\SessionInterface;
+use Yiisoft\Yii\Web\User\AuthenticationKeyInterface;
 use Yiisoft\Yii\Web\User\Event\AfterLogin;
 use Yiisoft\Yii\Web\User\Event\AfterLogout;
 use Yiisoft\Yii\Web\User\Event\BeforeLogin;
 use Yiisoft\Yii\Web\User\Event\BeforeLogout;
 
-class User
+class User implements AuthenticationKeyInterface
 {
     private const SESSION_AUTH_ID = '__auth_id';
     private const SESSION_AUTH_EXPIRE = '__auth_expire';
@@ -111,6 +114,51 @@ public function setIdentity(IdentityInterface $identity): void
         $this->identity = $identity;
     }
 
+    /**
+     * Return the auth key value
+     *
+     * @return string Auth key value
+     */
+    public function getAuthKey(): string
+    {
+        return 'ABCD1234';
+    }
+
+    /**
+     * Validate auth key
+     *
+     * @param String $authKey Auth key to validate
+     * @return bool True if is valid
+     */
+    public function validateAuthKey($authKey): bool
+    {
+        return $authKey === 'ABCD1234';
+    }
+
+    /**
+     * Sends an identity cookie.
+     *
+     * @param IdentityInterface $identity
+     * @param int $duration number of seconds that the user can remain in logged-in status.
+     */
+    protected function sendIdentityCookie(IdentityInterface $identity, int $duration): void
+    {
+        $data = json_encode(
+            [
+                $identity->getId(),
+                $this->getAuthKey(),
+                $duration,
+            ],
+            JSON_UNESCAPED_SLASHES | JSON_UNESCAPED_UNICODE
+        );
+
+        $expireDateTime = new \DateTime();
+        $expireDateTime->setTimestamp(time() + $duration);
+        $cookieIdentity = (new Cookie('remember', $data))->expireAt($expireDateTime);
+        $response = new Response();
+        $cookieIdentity->addToResponse($response);
+    }
+
     /**
      * Logs in a user.
      *
@@ -135,6 +183,7 @@ public function login(IdentityInterface $identity, int $duration = 0): bool
         if ($this->beforeLogin($identity, $duration)) {
             $this->switchIdentity($identity);
             $this->afterLogin($identity, $duration);
+            $this->sendIdentityCookie($identity, $duration);
         }
         return !$this->isGuest();
     }
@@ -179,6 +228,12 @@ public function logout($destroySession = true): bool
             if ($destroySession && $this->session) {
                 $this->session->destroy();
             }
+
+            // Remove the cookie
+            $expireDateTime = new \DateTime();
+            $expireDateTime->modify("-1 day");
+            (new Cookie('remember', ""))->expireAt($expireDateTime);
+
             $this->afterLogout($identity);
         }
         return $this->isGuest();

tests/User/AutoLoginMiddlewareTest.php

@@ -0,0 +1,201 @@
+<?php
+
+namespace Yiisoft\Yii\Web\Tests\User;
+
+use Nyholm\Psr7\Response;
+use PHPUnit\Framework\TestCase;
+use Psr\Http\Message\ServerRequestInterface;
+use Psr\Http\Server\RequestHandlerInterface;
+use Psr\Log\LogLevel;
+use Yiisoft\Log\Logger;
+use Yiisoft\Auth\IdentityInterface;
+use Yiisoft\Auth\IdentityRepositoryInterface;
+use Yiisoft\Yii\Web\User\User;
+use Yiisoft\Yii\Web\User\AutoLoginMiddleware;
+
+class AutoLoginMiddlewareTest extends TestCase
+{
+    /**
+     * @var RequestHandlerInterface
+     */
+    private $requestHandlerMock;
+
+    /**
+     * @var ServerRequestInterface
+     */
+    private $requestMock;
+
+    /**
+     * @var AutoLoginMiddleware
+     */
+    private $autoLoginMiddlewareMock;
+
+    /**
+     * @var IdentityRepositoryInterface
+     */
+    private $identityRepositoryInterfaceMock;
+
+    /**
+     * @var IdentityInterface
+     */
+    private $identityInterfaceMock;
+
+    /**
+     * @var Logger
+     */
+    private $loggerMock;
+
+    /**
+     * @var User
+     */
+    private $userMock;
+
+    public function testProcessOK(): void
+    {
+        $this->mockDataRequest();
+        $this->mockDataCookie(["remember" => json_encode(['1', 'ABCD1234', 60])]);
+        $this->mockFindIdentity();
+
+        $this->userMock
+            ->expects($this->once())
+            ->method('validateAuthKey')
+            ->willReturn(true);
+
+        $this->userMock
+            ->expects($this->once())
+            ->method('login')
+            ->willReturn(true);
+
+        $response = new Response();
+        $this->requestHandlerMock
+            ->expects($this->once())
+            ->method('handle')
+            ->willReturn($response);
+
+        $this->assertEquals($this->autoLoginMiddlewareMock->process($this->requestMock, $this->requestHandlerMock), $response);
+    }
+
+    public function testProcessErrorLogin(): void
+    {
+        $this->mockDataRequest();
+        $this->mockDataCookie(["remember" => json_encode(['1', 'ABCD1234', 60])]);
+        $this->mockFindIdentity();
+
+        $this->userMock
+            ->expects($this->once())
+            ->method('validateAuthKey')
+            ->willReturn(true);
+
+        $this->userMock
+            ->expects($this->once())
+            ->method('login')
+            ->willReturn(false);
+
+        $memory = memory_get_usage();
+        $this->loggerMock->setTraceLevel(3);
+
+        $this->autoLoginMiddlewareMock->process($this->requestMock, $this->requestHandlerMock);
+
+        $messages = $this->getInaccessibleProperty($this->loggerMock, 'messages');
+        $this->assertEquals($messages[0][1], 'Unable to authenticate used by cookie.');
+    }
+
+    public function testProcessInvalidAuthKey(): void
+    {
+        $this->mockDataRequest();
+        $this->mockDataCookie(["remember" => json_encode(['1', '123456', 60])]);
+        $this->mockFindIdentity();
+
+        $memory = memory_get_usage();
+        $this->loggerMock->setTraceLevel(3);
+
+        $this->autoLoginMiddlewareMock->process($this->requestMock, $this->requestHandlerMock);
+
+        $messages = $this->getInaccessibleProperty($this->loggerMock, 'messages');
+        $this->assertEquals($messages[0][1], 'Unable to authenticate used by cookie. Invalid auth key.');
+    }
+
+    public function testProcessCookieEmpty(): void
+    {
+        $this->mockDataRequest();
+        $this->mockDataCookie([]);
+        $this->mockFindIdentity();
+
+        $memory = memory_get_usage();
+        $this->loggerMock->setTraceLevel(3);
+
+        $this->autoLoginMiddlewareMock->process($this->requestMock, $this->requestHandlerMock);
+
+        $messages = $this->getInaccessibleProperty($this->loggerMock, 'messages');
+        $this->assertEquals($messages[0][1], 'Unable to authenticate used by cookie.');
+    }
+
+    public function testProcessCookieWithInvalidParams(): void
+    {
+        $this->mockDataRequest();
+        $this->mockDataCookie(["remember" => json_encode(['1', '123456', 60, "paramInvalid"])]);
+        $this->mockFindIdentity();
+
+        $memory = memory_get_usage();
+        $this->loggerMock->setTraceLevel(3);
+
+        $this->autoLoginMiddlewareMock->process($this->requestMock, $this->requestHandlerMock);
+
+        $messages = $this->getInaccessibleProperty($this->loggerMock, 'messages');
+        $this->assertEquals($messages[0][1], 'Unable to authenticate used by cookie.');
+    }
+
+    private function mockDataRequest(): void
+    {
+        $this->requestHandlerMock = $this->createMock(RequestHandlerInterface::class);
+        $this->userMock = $this->createMock(User::class);
+        $this->identityInterfaceMock = $this->createMock(IdentityInterface::class);
+
+        $this->loggerMock = $this->getMockBuilder(Logger::class)
+            ->onlyMethods(['dispatch'])
+            ->getMock();
+
+        $this->identityRepositoryInterfaceMock = $this->createMock(IdentityRepositoryInterface::class);
+        $this->autoLoginMiddlewareMock = new AutoLoginMiddleware($this->userMock, $this->identityRepositoryInterfaceMock, $this->loggerMock);
+        $this->requestMock = $this->createMock(ServerRequestInterface::class);
+    }
+
+    private function mockDataCookie(array $cookie): void
+    {
+        $this->requestMock
+            ->expects($this->any())
+            ->method('getCookieParams')
+            ->willReturn($cookie);
+    }
+
+    private function mockFindIdentity(): void
+    {
+        $this->identityRepositoryInterfaceMock
+            ->expects($this->any())
+            ->method('findIdentity')
+            ->willReturn($this->identityInterfaceMock);
+    }
+
+    /**
+     * Gets an inaccessible object property.
+     * @param $object
+     * @param $propertyName
+     * @param bool $revoke whether to make property inaccessible after getting
+     * @return mixed
+     * @throws \ReflectionException
+     */
+    protected function getInaccessibleProperty($object, $propertyName, bool $revoke = true)
+    {
+        $class = new \ReflectionClass($object);
+        while (!$class->hasProperty($propertyName)) {
+            $class = $class->getParentClass();
+        }
+        $property = $class->getProperty($propertyName);
+        $property->setAccessible(true);
+        $result = $property->getValue($object);
+        if ($revoke) {
+            $property->setAccessible(false);
+        }
+        return $result;
+    }
+}