Log an error level message when user auth fail
authorJeremy Benoist <jeremy.benoist@gmail.com>
Thu, 8 Jun 2017 20:24:49 +0000 (22:24 +0200)
committerJeremy Benoist <jeremy.benoist@gmail.com>
Thu, 8 Jun 2017 20:24:49 +0000 (22:24 +0200)
When a user logs in using the form we now log an error level message with information about the user:
- username used
- IP
- User agent

For example:

> Authentication failure for user "eza", from IP "127.0.0.1", with UA: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36".

It’ll allow server admins using fail2ban to configure it to block these people if they generate too many authentication failures.

app/config/security.yml
src/Wallabag/UserBundle/Resources/config/services.yml
src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php [new file with mode: 0644]

index ffb1d356fd29d8b081a78a088c47afc04176ba49..171a69e2e0596d9aded5895f2421b9c02194097c 100644 (file)
@@ -41,6 +41,7 @@ security:
             form_login:
                 provider: fos_userbundle
                 csrf_token_generator: security.csrf.token_manager
+                failure_handler: wallabag_user.security.custom_auth_failure_handler
 
             anonymous: true
             remember_me:
index 72f6f12c1bb5f47c4191977ae41bb77af17c8f73..6ab463e36a39b06ce53faa611a93102ea7b7ca9d 100644 (file)
@@ -35,3 +35,11 @@ services:
             - "%wallabag_core.list_mode%"
         tags:
             - { name: kernel.event_subscriber }
+
+    wallabag_user.security.custom_auth_failure_handler:
+        class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler
+        arguments:
+            - "@http_kernel"
+            - "@security.http_utils"
+            - {  }
+            - "@logger"
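Review bot: The third constructor argument `- {  }` hands the handler an empty options array with nothing explaining why, although the parent class reads `failure_path`, `login_path` and `failure_forward` from it. If I recall correctly Symfony wraps a custom `failure_handler` and calls `setOptions()` on it with the firewall's form_login options, which is what makes the empty placeholder work, but that is worth confirming for the Symfony version bundled here. A one-line comment above the argument, `# firewall options are injected later through setOptions()`, would save the next reader from wondering where the redirect target comes from.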
diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
new file mode 100644 (file)
index 0000000..93e2d17
--- /dev/null
@@ -0,0 +1,62 @@
+<?php
+
+namespace Wallabag\UserBundle\Security;
+
+use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\ParameterBagUtils;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Security\Core\Security;
+
+/**
+ * This is a custom authentication failure.
+ * It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
+ *
+ * This only changing thing is the logError() addition
+ */
+class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
+    {
+        if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
+            $this->options['failure_path'] = $failureUrl;
+        }
+
+        if (null === $this->options['failure_path']) {
+            $this->options['failure_path'] = $this->options['login_path'];
+        }
+
+        if ($this->options['failure_forward']) {
+            $this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]);
+
+            $this->logError($request);
+
+            $subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']);
+            $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
+
+            return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
+        }
+
+        $this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]);
+
+        $this->logError($request);
+
+        $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
+
+        return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']);
+    }
+
+    /**
+     * Log error information about fialure
+     *
+     * @param  Request $request
+     */
+    private function logError(Request $request)
+    {
+        $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
+    }
+}
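Review bot: logError() at the bottom of the file concatenates the raw `_username` value and the User-Agent header into a message that is explicitly meant to be matched by a fail2ban regex, and both values are chosen by the client and may contain `"` (and, depending on the configured formatter, newlines), so a regex keyed on the quote-delimited fields cannot be relied on. Passing the variable parts as context keeps the message fixed and, with Monolog's default LineFormatter, gets them appended JSON-encoded with quotes and newlines escaped: `$this->logger->error('Authentication failure', ['username' => $request->request->get('_username'), 'ip' => $request->getClientIp(), 'ua' => $request->headers->get('User-Agent')]);`. Two smaller points: `_username` is hard-coded although the firewall's `username_parameter` option can change it, and getClientIp() only reports the real client when trusted proxies are configured, which deserves a sentence in the class docblock since fail2ban will act on whatever IP is written here. The rest of onAuthenticationFailure() duplicates DefaultAuthenticationFailureHandler line for line; `$this->logError($request); return parent::onAuthenticationFailure($request, $exception);` would keep the logging while dropping the copied body, and the docblock typos (`fialure`, "This only changing thing") could be fixed at the same time.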