log for authentication on API
authorNicolas Lœuillet <nicolas@loeuillet.org>
Mon, 9 Feb 2015 21:07:39 +0000 (22:07 +0100)
committerNicolas Lœuillet <nicolas@loeuillet.org>
Mon, 9 Feb 2015 21:07:39 +0000 (22:07 +0100)
app/config/config_prod.yml
src/Wallabag/CoreBundle/Controller/EntryController.php
src/Wallabag/CoreBundle/Repository/EntryRepository.php
src/Wallabag/CoreBundle/Resources/config/services.xml
src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
src/Wallabag/CoreBundle/Tests/WallabagTestCase.php

index 342837a03137f7f2d10763f5ce9003b8d9154108..c45f0fa664fc354cfef929a6567f87af5f370bfa 100644 (file)
@@ -17,6 +17,11 @@ monolog:
             type:         fingers_crossed
             action_level: error
             handler:      nested
+        wsse:
+            type: stream
+            path: %kernel.logs_dir%/%kernel.environment%.wsse.log
+            level: error
+            channels: [wsse]
         nested:
             type:  stream
             path:  "%kernel.logs_dir%/%kernel.environment%.log"
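Review bot: The new `path` value on the `wsse` handler starts with an unquoted `%`, unlike the `nested` handler right below it, which quotes the same kind of value. `%` is a reserved indicator at the start of a plain YAML scalar, and later versions of Symfony's YAML component treat an unquoted leading `%` first as a deprecation and then as an error, so quote it for consistency: `path: "%kernel.logs_dir%/%kernel.environment%.wsse.log"`. Note that this file will accumulate usernames from failed API logins; keep its permissions in line with the main application log.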
index e0697ca3ef3852af631eef32eb91813b8b7acdab..5378486ae458d5a68208368ba503db89b0c4d099 100644 (file)
@@ -6,7 +6,6 @@ use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Component\HttpFoundation\Request;
 use Wallabag\CoreBundle\Entity\Entry;
-use Wallabag\CoreBundle\Repository;
 use Wallabag\CoreBundle\Service\Extractor;
 use Wallabag\CoreBundle\Helper\Url;
 
index 5ae1337a8ca44faecc9891fc2c6265e0bf7e6f09..1805cf3f4b1b3bfdf284a2517234e7f84c02ebff 100644 (file)
@@ -91,12 +91,12 @@ class EntryRepository extends EntityRepository
     /**
      * Find Entries
      *
-     * @param  int    $userId
-     * @param  bool   $isArchived
-     * @param  bool   $isStarred
-     * @param  bool   $isDeleted
-     * @param  string $sort
-     * @param  string $order
+     * @param int    $userId
+     * @param bool   $isArchived
+     * @param bool   $isStarred
+     * @param bool   $isDeleted
+     * @param string $sort
+     * @param string $order
      *
      * @return ArrayCollection
      */
index 859665ca9a7ec502069e3bb1b514bbf82631cb46..ca2ba383066573e8f73b8ddb8a7bb04b15f3f60d 100644 (file)
@@ -21,6 +21,8 @@
                  class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">
             <argument type="service" id="security.context"/>
             <argument type="service" id="security.authentication.manager" />
+            <argument type="service" id="logger" />
+            <tag name="monolog.logger" channel="wsse" />
         </service>
     </services>
 
index eaad9c6335b03d1b7d1fa9330e1352fc789b13f9..c9b9b692f01d08f06c3ce16995d80e5676b72b51 100644 (file)
@@ -23,6 +23,10 @@ class WsseProvider implements AuthenticationProviderInterface
     {
         $user = $this->userProvider->loadUserByUsername($token->getUsername());
 
+        if (!$user) {
+            throw new AuthenticationException("Bad credentials. Did you forgot your username?");
+        }
+
         if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
             $authenticatedToken = new WsseUserToken($user->getRoles());
             $authenticatedToken->setUser($user);
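Review bot: The added `if (!$user)` guard is most likely unreachable: Symfony's `UserProviderInterface::loadUserByUsername()` contract is to throw `UsernameNotFoundException` for an unknown user rather than return null, so this branch never produces its message, and if it did the `$user &&` on the following context line would now be redundant. More importantly, a distinct "did you forget your username" message versus "digest is not as expected" is a username-enumeration oracle once the listener returns the failure reason to the client, as this commit makes it do. Prefer one generic message for both cases, e.g. `throw new AuthenticationException('Bad credentials.');`, and keep the detailed reason in the log only. The method containing this hunk starts outside it.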
@@ -35,12 +39,17 @@ class WsseProvider implements AuthenticationProviderInterface
 
     protected function validateDigest($digest, $nonce, $created, $secret)
     {
-        // Expire le timestamp après 5 minutes
+        // Check created time is not in the future
+        if (strtotime($created) > time()) {
+            throw new AuthenticationException("Back to the future...");
+        }
+
+        // Expire timestamp after 5 minutes
         if (time() - strtotime($created) > 300) {
-            return false;
+            throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
         }
 
-        // Valide que le nonce est unique dans les 5 minutes
+        // Validate nonce is unique within 5 minutes
         if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
             throw new NonceExpiredException('Previously used nonce detected');
         }
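Review bot: The new "future" check tolerates zero clock skew — a client whose clock is one second ahead of the server is rejected — and neither new branch handles `strtotime()` returning `false` for an unparsable `created`, which then falls into the "too late" branch via `time() - false` (false coerces to 0). Parse once, reject the failure case explicitly, and allow a small skew: `$createdAt = strtotime($created);` / `if ($createdAt === false || $createdAt > time() + 30) { throw new AuthenticationException('Invalid or future timestamp'); }`, then reuse `$createdAt` in the expiry test. The nonce file path on the context lines below embeds the client-supplied nonce directly; that predates this change, but restricting it to a safe character set is worth a follow-up.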
@@ -52,9 +61,13 @@ class WsseProvider implements AuthenticationProviderInterface
 
         file_put_contents($this->cacheDir.'/'.$nonce, time());
 
-        // Valide le Secret
+        // Validate Secret
         $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
 
+        if ($digest !== $expected) {
+            throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
+        }
+
         return $digest === $expected;
     }
 
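Review bot: The new digest comparison at `$digest !== $expected` is a plain, early-exit string comparison on the one secret-bearing value a caller presents; compare it in constant time with `if (!hash_equals($expected, (string) $digest)) { throw ... }` (PHP >= 5.6; if the project still supports older PHP a polyfill is needed). With the throw in place the trailing `return $digest === $expected;` can only ever return `true`, so make that explicit with `return true;`. Also note, on the context line above, that the nonce file is written before the digest is validated, so an unauthenticated caller can fill the cache directory with nonce files; that ordering predates this change but moving the write below the digest check would close it.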
index 4d4f2145c884ff16d2b2e5108747602aa04ee5ce..d815d53623278254c5c48b7b3bf0e73ac58f15a4 100644 (file)
@@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
+use Symfony\Component\HttpKernel\Log\LoggerInterface;
 
 class WsseListener implements ListenerInterface
 {
     protected $securityContext;
     protected $authenticationManager;
+    protected $logger;
 
-    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)
+    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
     {
         $this->securityContext = $securityContext;
         $this->authenticationManager = $authenticationManager;
+        $this->logger = $logger;
     }
 
     public function handle(GetResponseEvent $event)
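Review bot: The logger is type-hinted as `Symfony\Component\HttpKernel\Log\LoggerInterface`, the pre-PSR-3 interface that Symfony deprecated in 2.2 in favour of `Psr\Log\LoggerInterface`; depending on the Symfony version in use this hint may already emit deprecation notices or fail to resolve. Suggest `use Psr\Log\LoggerInterface;` and the matching PSR-3 method name at the call site (`error()` rather than `err()`). The new `use` line is also appended after the `Wallabag` import rather than grouped with the other `Symfony` imports above it.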
@@ -42,16 +45,21 @@ class WsseListener implements ListenerInterface
 
             $this->securityContext->setToken($authToken);
         } catch (AuthenticationException $failed) {
-            // ... you might log something here
-
-            // To deny the authentication clear the token. This will redirect to the login page.
-            // $this->securityContext->setToken(null);
-            // return;
+            $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
+            $this->logger->err($failedMessage);
 
             // Deny authentication with a '403 Forbidden' HTTP response
             $response = new Response();
             $response->setStatusCode(403);
+            $response->setContent($failedMessage);
             $event->setResponse($response);
+
+            return;
         }
+
+        // By default deny authorization
+        $response = new Response();
+        $response->setStatusCode(403);
+        $event->setResponse($response);
     }
 }
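Review bot: As far as the hunk shows, a successful authentication now also ends in a 403: after `$this->securityContext->setToken($authToken)` on the context line the try block closes straight into the catch, so execution falls through to the new "By default deny authorization" block and sets a 403 response on the event. A `return;` is needed right after `setToken()` (the Symfony cookbook version of this listener has one), unless an early return exists higher in `handle()`, which starts outside the hunk. Separately, `$response->setContent($failedMessage)` echoes the internal failure reason and the raw client-supplied username to the caller: the reason text distinguishes unknown users from bad digests (enumeration), and the username is reflected unescaped into a response whose content type defaults to text/html. Keep the detailed message in the log only and return a generic body, e.g. `$response->setContent('Authentication failed.');`. `err()` is also the deprecated method name; PSR-3 loggers use `error()`.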
index 5f092318145f4cb7a817a7f85087e228777e7480..edc7d9927acffb76a211907262a8300bada81412 100644 (file)
@@ -3,8 +3,6 @@
 namespace Wallabag\CoreBundle\Tests;
 
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
-use Symfony\Component\BrowserKit\Cookie;
-use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 
 class WallabagTestCase extends WebTestCase
 {