3 files changed, 71 insertions, 0 deletions
diff --git a/app/config/security.yml b/app/config/security.yml
index ffb1d356..171a69e2 100644
--- a/app/config/security.yml
+++ b/app/config/security.yml
@@ -41,6 +41,7 @@ security:
            form_login:
                provider: fos_userbundle
                csrf_token_generator: security.csrf.token_manager
+                failure_handler: wallabag_user.security.custom_auth_failure_handler
            anonymous: true
            remember_me:
diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml
index 72f6f12c..6ab463e3 100644
--- a/src/Wallabag/UserBundle/Resources/config/services.yml
+++ b/src/Wallabag/UserBundle/Resources/config/services.yml
@@ -35,3 +35,11 @@ services:
            - "%wallabag_core.list_mode%"
        tags:
            - { name: kernel.event_subscriber }
+    wallabag_user.security.custom_auth_failure_handler:
+        class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler
+        arguments:
+            - "@http_kernel"
+            - "@security.http_utils"
+            - {  }
+            - "@logger"
diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
new file mode 100644
index 00000000..93e2d17b
--- /dev/null
+++ b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
@@ -0,0 +1,62 @@
+<?php
+namespace Wallabag\UserBundle\Security;
+use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\ParameterBagUtils;
+use Symfony\Component\HttpKernel\HttpKernelInterface;
+use Symfony\Component\Security\Core\Security;
+/**
+ * This is a custom authentication failure.
+ * It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
+ *
+ * This only changing thing is the logError() addition
+ */
+class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler
+{
+    /**
+     * {@inheritdoc}
+     */
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
+    {
+        if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
+            $this->options['failure_path'] = $failureUrl;
+        }
+        if (null === $this->options['failure_path']) {
+            $this->options['failure_path'] = $this->options['login_path'];
+        }
+        if ($this->options['failure_forward']) {
+            $this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]);
+            $this->logError($request);
+            $subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']);
+            $subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
+            return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
+        }
+        $this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]);
+        $this->logError($request);
+        $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
+        return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']);
+    }
+    /**
+     * Log error information about fialure
+     *
+     * @param  Request $request
+     */
+    private function logError(Request $request)
+    {
+        $this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
+    }
+}

diff --git a/app/config/security.yml b/app/config/security.yml index ffb1d356..171a69e2 100644 --- a/app/config/security.yml +++ b/app/config/security.yml
@@ -41,6 +41,7 @@ security:
41	form_login:	41	form_login:
42	provider: fos_userbundle	42	provider: fos_userbundle
43	csrf_token_generator: security.csrf.token_manager	43	csrf_token_generator: security.csrf.token_manager
		44	failure_handler: wallabag_user.security.custom_auth_failure_handler
44		45
45	anonymous: true	46	anonymous: true
46	remember_me:	47	remember_me:


diff --git a/src/Wallabag/UserBundle/Resources/config/services.yml b/src/Wallabag/UserBundle/Resources/config/services.yml index 72f6f12c..6ab463e3 100644 --- a/src/Wallabag/UserBundle/Resources/config/services.yml +++ b/src/Wallabag/UserBundle/Resources/config/services.yml
@@ -35,3 +35,11 @@ services:
35	- "%wallabag_core.list_mode%"	35	- "%wallabag_core.list_mode%"
36	tags:	36	tags:
37	- { name: kernel.event_subscriber }	37	- { name: kernel.event_subscriber }
		38
		39	wallabag_user.security.custom_auth_failure_handler:
		40	class: Wallabag\UserBundle\Security\CustomAuthenticationFailureHandler
		41	arguments:
		42	- "@http_kernel"
		43	- "@security.http_utils"
		44	- { }
		45	- "@logger"


diff --git a/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php new file mode 100644 index 00000000..93e2d17b --- /dev/null +++ b/src/Wallabag/UserBundle/Security/CustomAuthenticationFailureHandler.php
@@ -0,0 +1,62 @@
		1	<?php
		2
		3	namespace Wallabag\UserBundle\Security;
		4
		5	use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationFailureHandler;
		6	use Symfony\Component\HttpFoundation\Request;
		7	use Symfony\Component\Security\Core\Exception\AuthenticationException;
		8	use Symfony\Component\Security\Http\ParameterBagUtils;
		9	use Symfony\Component\HttpKernel\HttpKernelInterface;
		10	use Symfony\Component\Security\Core\Security;
		11
		12	/**
		13	* This is a custom authentication failure.
		14	* It only aims to add a custom error in log so server admin can configure fail2ban to block IP from people who try to login too much.
		15	*
		16	* This only changing thing is the logError() addition
		17	*/
		18	class CustomAuthenticationFailureHandler extends DefaultAuthenticationFailureHandler
		19	{
		20	/**
		21	* {@inheritdoc}
		22	*/
		23	public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
		24	{
		25	if ($failureUrl = ParameterBagUtils::getRequestParameterValue($request, $this->options['failure_path_parameter'])) {
		26	$this->options['failure_path'] = $failureUrl;
		27	}
		28
		29	if (null === $this->options['failure_path']) {
		30	$this->options['failure_path'] = $this->options['login_path'];
		31	}
		32
		33	if ($this->options['failure_forward']) {
		34	$this->logger->debug('Authentication failure, forward triggered.', ['failure_path' => $this->options['failure_path']]);
		35
		36	$this->logError($request);
		37
		38	$subRequest = $this->httpUtils->createRequest($request, $this->options['failure_path']);
		39	$subRequest->attributes->set(Security::AUTHENTICATION_ERROR, $exception);
		40
		41	return $this->httpKernel->handle($subRequest, HttpKernelInterface::SUB_REQUEST);
		42	}
		43
		44	$this->logger->debug('Authentication failure, redirect triggered.', ['failure_path' => $this->options['failure_path']]);
		45
		46	$this->logError($request);
		47
		48	$request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
		49
		50	return $this->httpUtils->createRedirectResponse($request, $this->options['failure_path']);
		51	}
		52
		53	/**
		54	* Log error information about fialure
		55	*
		56	* @param Request $request
		57	*/
		58	private function logError(Request $request)
		59	{
		60	$this->logger->error('Authentication failure for user "'.$request->request->get('_username').'", from IP "'.$request->getClientIp().'", with UA: "'.$request->server->get('HTTP_USER_AGENT').'".');
		61	}
		62	}