aboutsummaryrefslogtreecommitdiffhomepage
diff options
context:
space:
mode:
authorJeremy Benoist <jeremy.benoist@gmail.com>2017-06-08 22:24:49 +0200
committerJeremy Benoist <jeremy.benoist@gmail.com>2017-06-08 22:24:49 +0200
commit63f9f22fa37b14171c6f92d24f99ccf01ae7af00 (patch)
treeddefd381025de91686995c883bb7122dd986898b
parent3f474025d889c3eff20b481f005f4d292f1ef29d (diff)
downloadwallabag-63f9f22fa37b14171c6f92d24f99ccf01ae7af00.tar.gz
wallabag-63f9f22fa37b14171c6f92d24f99ccf01ae7af00.tar.zst
wallabag-63f9f22fa37b14171c6f92d24f99ccf01ae7af00.zip
Log an error level message when user auth fail
When a user login using the form we know log an error level information with information about the user: - username used - IP - User agent For example: > Authentication failure for user "eza", from IP "127.0.0.1", with UA: "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36". It’ll allows server admin using fail2ban to configure it to block these people if they generate too much failure authentication.
-rw-r--r--app/config/security.yml1
-rw-r--r--src/Wallabag/UserBundle/Resources/config/services.yml8
-rw-r--r--src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php62
3 files changed, 71 insertions, 0 deletions
diff --git a/app/config/security.yml b/app/config/security.yml
index ffb1d356..171a69e2 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
@@ -41,6 +41,7 @@ security:
41 form_login: 41 form_login:
42 provider: fos_userbundle 42 provider: fos_userbundle
43 csrf_token_generator: security.csrf.token_manager 43 csrf_token_generator: security.csrf.token_manager
44 failure_handler: wallabag_user.security.custom_auth_failure_handler
44 45
45 anonymous: true 46 anonymous: true
46 remember_me: 47 remember_me:
diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml
index 72f6f12c..6ab463e3 100644
--- a/src/Wallabag/UserBundle/Resources/config/services.yml
+++ b/src/Wallabag/UserBundle/Resources/config/services.yml
@@ -35,3 +35,11 @@ services:
35 - "%wallabag_core.list_mode%" 35 - "%wallabag_core.list_mode%"
36 tags: 36 tags:
37 - { name: kernel.event_subscriber } 37 - { name: kernel.event_subscriber }
38
39 wallabag_user.security.custom_auth_failure_handler:
40 class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler
41 arguments:
42 - "@http_kernel"
43 - "@security.http_utils"
44 - { }
45 - "@logger"
diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
new file mode 100644
index 00000000..93e2d17b
--- /dev/null
+++ b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
@@ -0,0 +1,62 @@
1<?php
2
3namespace Wallabag\UserBundle\Security;
4
5use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
6use Symfony\Component\HttpFoundation\Request;
7use Symfony\Component\Security\Core\Exception\AuthenticationException;
8use Symfony\Component\Security\Http\ParameterBagUtils;
9use Symfony\Component\HttpKernel\HttpKernelInterface;
10use Symfony\Component\Security\Core\Security;
11
12/**
13 * This is a custom authentication failure.
14 * It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
15 *
16 * This only changing thing is the logError() addition
17 */
18class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler
19{
20 /**
21 * {@inheritdoc}
22 */
23 public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
24 {
25 if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
26 $this->options['failure_path'] = $failureUrl;
27 }
28
29 if (null === $this->options['failure_path']) {
30 $this->options['failure_path'] = $this->options['login_path'];
31 }
32
33 if ($this->options['failure_forward']) {
34 $this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]);
35
36 $this->logError($request);
37
38 $subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']);
39 $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
40
41 return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
42 }
43
44 $this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]);
45
46 $this->logError($request);
47
48 $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
49
50 return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']);
51 }
52
53 /**
54 * Log error information about fialure
55 *
56 * @param Request $request
57 */
58 private function logError(Request $request)
59 {
60 $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
61 }
62}