aboutsummaryrefslogtreecommitdiffhomepage
path: root/src/Wallabag/ApiBundle/Security/Authentication
diff options
context:
space:
mode:
Diffstat (limited to 'src/Wallabag/ApiBundle/Security/Authentication')
-rw-r--r--src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php78
-rw-r--r--src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php23
2 files changed, 101 insertions, 0 deletions
diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php
new file mode 100644
index 00000000..8e49167a
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Security/Authentication/Provider/WsseProvider.php
@@ -0,0 +1,78 @@
1<?php
2namespace Wallabag\ApiBundle\Security\Authentication\Provider;
3
4use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
5use Symfony\Component\Security\Core\User\UserProviderInterface;
6use Symfony\Component\Security\Core\Exception\AuthenticationException;
7use Symfony\Component\Security\Core\Exception\NonceExpiredException;
8use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
9use Wallabag\ApiBundle\Security\Authentication\Token\WsseUserToken;
10
11class WsseProvider implements AuthenticationProviderInterface
12{
13 private $userProvider;
14 private $cacheDir;
15
16 public function __construct(UserProviderInterface $userProvider, $cacheDir)
17 {
18 $this->userProvider = $userProvider;
19 $this->cacheDir = $cacheDir;
20
21 // If cache directory does not exist we create it
22 if (!is_dir($this->cacheDir)) {
23 mkdir($this->cacheDir, 0777, true);
24 }
25 }
26
27 public function authenticate(TokenInterface $token)
28 {
29 $user = $this->userProvider->loadUserByUsername($token->getUsername());
30
31 if (!$user) {
32 throw new AuthenticationException("Bad credentials. Did you forgot your username?");
33 }
34
35 if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
36 $authenticatedToken = new WsseUserToken($user->getRoles());
37 $authenticatedToken->setUser($user);
38
39 return $authenticatedToken;
40 }
41
42 throw new AuthenticationException('The WSSE authentication failed.');
43 }
44
45 protected function validateDigest($digest, $nonce, $created, $secret)
46 {
47 // Check created time is not in the future
48 if (strtotime($created) > time()) {
49 throw new AuthenticationException("Back to the future...");
50 }
51
52 // Expire timestamp after 5 minutes
53 if (time() - strtotime($created) > 300) {
54 throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
55 }
56
57 // Validate nonce is unique within 5 minutes
58 if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
59 throw new NonceExpiredException('Previously used nonce detected');
60 }
61
62 file_put_contents($this->cacheDir.'/'.$nonce, time());
63
64 // Validate Secret
65 $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
66
67 if ($digest !== $expected) {
68 throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
69 }
70
71 return $digest === $expected;
72 }
73
74 public function supports(TokenInterface $token)
75 {
76 return $token instanceof WsseUserToken;
77 }
78}
diff --git a/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php
new file mode 100644
index 00000000..aa68dbdc
--- /dev/null
+++ b/src/Wallabag/ApiBundle/Security/Authentication/Token/WsseUserToken.php
@@ -0,0 +1,23 @@
1<?php
2namespace Wallabag\ApiBundle\Security\Authentication\Token;
3
4use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
5
6class WsseUserToken extends AbstractToken
7{
8 public $created;
9 public $digest;
10 public $nonce;
11
12 public function __construct(array $roles = array())
13 {
14 parent::__construct($roles);
15
16 $this->setAuthenticated(count($roles) > 0);
17 }
18
19 public function getCredentials()
20 {
21 return '';
22 }
23}