From 2a94b1d1b74b4e776e76a522621b67b45d115fe7 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nicolas=20L=C5=93uillet?= <nicolas@loeuillet.org>
Date: Mon, 9 Feb 2015 22:07:39 +0100
Subject: log for authentication on API

---
 .../Authentication/Provider/WsseProvider.php        | 21 +++++++++++++++++----
 .../CoreBundle/Security/Firewall/WsseListener.php   | 20 ++++++++++++++------
 2 files changed, 31 insertions(+), 10 deletions(-)

(limited to 'src/Wallabag/CoreBundle/Security')

diff --git a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
index eaad9c63..c9b9b692 100644
--- a/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
+++ b/src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php
@@ -23,6 +23,10 @@ class WsseProvider implements AuthenticationProviderInterface
     {
         $user = $this->userProvider->loadUserByUsername($token->getUsername());
 
+        if (!$user) {
+            throw new AuthenticationException("Bad credentials. Did you forgot your username?");
+        }
+
         if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
             $authenticatedToken = new WsseUserToken($user->getRoles());
             $authenticatedToken->setUser($user);
@@ -35,12 +39,17 @@ class WsseProvider implements AuthenticationProviderInterface
 
     protected function validateDigest($digest, $nonce, $created, $secret)
     {
-        // Expire le timestamp après 5 minutes
+        // Check created time is not in the future
+        if (strtotime($created) > time()) {
+            throw new AuthenticationException("Back to the future...");
+        }
+
+        // Expire timestamp after 5 minutes
         if (time() - strtotime($created) > 300) {
-            return false;
+            throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
         }
 
-        // Valide que le nonce est unique dans les 5 minutes
+        // Validate nonce is unique within 5 minutes
         if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
             throw new NonceExpiredException('Previously used nonce detected');
         }
@@ -52,9 +61,13 @@ class WsseProvider implements AuthenticationProviderInterface
 
         file_put_contents($this->cacheDir.'/'.$nonce, time());
 
-        // Valide le Secret
+        // Validate Secret
         $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
 
+        if ($digest !== $expected) {
+            throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
+        }
+
         return $digest === $expected;
     }
 
diff --git a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
index 4d4f2145..d815d536 100644
--- a/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
+++ b/src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php
@@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
+use Symfony\Component\HttpKernel\Log\LoggerInterface;
 
 class WsseListener implements ListenerInterface
 {
     protected $securityContext;
     protected $authenticationManager;
+    protected $logger;
 
-    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)
+    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
     {
         $this->securityContext = $securityContext;
         $this->authenticationManager = $authenticationManager;
+        $this->logger = $logger;
     }
 
     public function handle(GetResponseEvent $event)
@@ -42,16 +45,21 @@ class WsseListener implements ListenerInterface
 
             $this->securityContext->setToken($authToken);
         } catch (AuthenticationException $failed) {
-            // ... you might log something here
-
-            // To deny the authentication clear the token. This will redirect to the login page.
-            // $this->securityContext->setToken(null);
-            // return;
+            $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
+            $this->logger->err($failedMessage);
 
             // Deny authentication with a '403 Forbidden' HTTP response
             $response = new Response();
             $response->setStatusCode(403);
+            $response->setContent($failedMessage);
             $event->setResponse($response);
+
+            return;
         }
+
+        // By default deny authorization
+        $response = new Response();
+        $response->setStatusCode(403);
+        $event->setResponse($response);
     }
 }
-- 
cgit v1.2.3