vendor/pimcore/portal-engine/src/Controller/AuthController.php line 44

Open in your IDE?
  1. <?php
  3. /**
  4.  * Pimcore
  5.  *
  6.  * This source file is available under following license:
  7.  * - Pimcore Commercial License (PCL)
  8.  *
  9.  *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  10.  *  @license    http://www.pimcore.org/license     PCL
  11.  */
  13. namespace Pimcore\Bundle\PortalEngineBundle\Controller;
  15. use GuzzleHttp\ClientInterface;
  16. use Pimcore\Bundle\OpenIdConnectBundle\Client\Provider\OpenIdConnectProvider;
  17. use Pimcore\Bundle\OpenIdConnectBundle\Session\Configurator;
  18. use Pimcore\Bundle\PortalEngineBundle\Exception\OutputErrorException;
  19. use Pimcore\Bundle\PortalEngineBundle\Form\LoginForm;
  20. use Pimcore\Bundle\PortalEngineBundle\Form\RecoverPasswordForm;
  21. use Pimcore\Bundle\PortalEngineBundle\Model\View\Notification;
  22. use Pimcore\Bundle\PortalEngineBundle\Service\Content\HeadTitleService;
  23. use Pimcore\Bundle\PortalEngineBundle\Service\Frontend\FrontendNotificationService;
  24. use Pimcore\Bundle\PortalEngineBundle\Service\PortalConfig\PortalConfigService;
  25. use Pimcore\Bundle\PortalEngineBundle\Service\Security\Authentication\OpenIdConnectAuthenticator;
  26. use Pimcore\Bundle\PortalEngineBundle\Service\Security\Authentication\User\PasswordChangeableService;
  27. use Pimcore\Bundle\PortalEngineBundle\Service\Security\Authentication\User\RecoverPasswordService;
  28. use Pimcore\Tool;
  29. use Pimcore\Tool\Session;
  30. use Symfony\Component\Form\FormFactoryInterface;
  31. use Symfony\Component\Form\FormInterface;
  32. use Symfony\Component\HttpFoundation\Request;
  33. use Symfony\Component\HttpFoundation\Response;
  34. use Symfony\Component\HttpFoundation\Session\Attribute\AttributeBagInterface;
  35. use Symfony\Component\HttpFoundation\Session\Attribute\NamespacedAttributeBag;
  36. use Symfony\Component\HttpKernel\Exception\NotFoundHttpException;
  37. use Symfony\Component\Routing\Annotation\Route;
  38. use Symfony\Contracts\Translation\LocaleAwareInterface;
  39. use Symfony\Contracts\Translation\TranslatorInterface;
  41. /**
  42.  * @Route("/auth", condition="request.attributes.get('isPortalEngineSite')")
  43.  */
  44. class AuthController extends AbstractSiteController
  45. {
  46.     protected ClientInterface $httpClient;
  48.     /**
  49.      * @param ClientInterface $httpClient
  50.      */
  51.     public function __construct(ClientInterface $httpClient)
  52.     {
  53.         $this->httpClient $httpClient;
  54.     }
  56.     /**
  57.      * @Route("/login",
  58.      *     name="pimcore_portalengine_auth_login"
  59.      * )
  60.      *
  61.      * @return Response
  62.      */
  63.     public function loginAction(Request $requestFormFactoryInterface $formFactoryHeadTitleService $headTitleServiceTranslatorInterface $translatorPortalConfigService $portalConfigServicePasswordChangeableService $passwordChangeableService)
  64.     {
  65.         /** @var string $locale */
  66.         $locale $request->getPreferredLanguage(Tool::getValidLanguages());
  67.         if ($translator instanceof LocaleAwareInterface) {
  68.             $translator->setLocale($locale);
  69.         }
  70.         $request->setLocale($locale);
  72.         $portalName $portalConfigService->getPortalName();
  73.         $oidcProviders $portalConfigService->getCurrentPortalConfig()->getOidcConfigs();
  74.         $guestUserActivated = !empty($portalConfigService->getCurrentPortalConfig()->getGuestUser());
  75.         $headTitleService->setTitle($translator->trans('portal-engine.content.title.auth-login', ['%name%' => $portalName]));
  77.         $loginForm $formFactory->create(LoginForm::class);
  79.         return $this->renderTemplate('@PimcorePortalEngine/auth/login.html.twig', [
  80.             'form' => $loginForm->createView(),
  81.             'loginFailed' => (bool)$request->query->get('loginFailed'),
  82.             'portalName' => $portalName,
  83.             'oidcProviderNames' => array_keys($oidcProviders),
  84.             'guestUserActivated' => $guestUserActivated,
  85.             'showRecoverPassword' => $passwordChangeableService->isPasswordChangeable()
  86.         ]);
  87.     }
  89.     /**
  90.      * @Route("/logout",
  91.      *     name="pimcore_portalengine_auth_logout"
  92.      * )
  93.      *
  94.      * @return \Symfony\Component\HttpFoundation\RedirectResponse
  95.      */
  96.     public function logoutAction(Request $request)
  97.     {
  98.         return $this->redirectToRoute('pimcore_portalengine_auth_login');
  99.     }
  101.     /**
  102.      * @Route("/recover-password",
  103.      *     name="pimcore_portalengine_auth_recover_password"
  104.      * )
  105.      *
  106.      * @return Response
  107.      */
  108.     public function recoverPasswordAction(Request $requestTranslatorInterface $translatorFormFactoryInterface $formFactoryFrontendNotificationService $frontendNotificationServiceRecoverPasswordService $recoverPasswordServicePasswordChangeableService $passwordChangeableServiceHeadTitleService $headTitleService)
  109.     {
  110.         if (!$passwordChangeableService->isPasswordChangeable()) {
  111.             throw new NotFoundHttpException('password not changeable');
  112.         }
  114.         /** @var string $locale */
  115.         $locale $request->getPreferredLanguage(Tool::getValidLanguages());
  116.         if ($translator instanceof LocaleAwareInterface) {
  117.             $translator->setLocale($locale);
  118.         }
  119.         $request->setLocale($locale);
  121.         $headTitleService->setTitle($translator->trans('portal-engine.content.title.auth-recover-password'));
  123.         /** @var FormInterface $recoverPasswordForm */
  124.         $recoverPasswordForm $formFactory
  125.             ->create(RecoverPasswordForm::class)
  126.             ->handleRequest($request);
  128.         if ($request->isMethod(Request::METHOD_POST) && $recoverPasswordForm->isSubmitted() && $recoverPasswordForm->isValid()) {
  129.             try {
  130.                 /** @var string $userIdentifier */
  131.                 $userIdentifier = (string)$recoverPasswordForm->get('userIdentifier')->getData();
  132.                 if (empty($userIdentifier)) {
  133.                     throw new OutputErrorException($translator->trans('portal-engine.auth.user-not-found'));
  134.                 }
  136.                 $recoverPasswordService->recoverPassword($userIdentifier);
  138.                 $frontendNotificationService
  139.                     ->addNotification($translator->trans('portal-engine.auth.password-recover-email'), Notification::HTML_CLASS_SUCCESS);
  140.             } catch (\Exception $e) {
  141.                 if ($e instanceof OutputErrorException) {
  142.                     $frontendNotificationService->addNotification($e->getMessage(), Notification::HTML_CLASS_DANGER);
  143.                 }
  144.             }
  145.         }
  147.         return $this->renderTemplate('@PimcorePortalEngine/auth/recover_password.html.twig', [
  148.             'recoverPasswordForm' => $recoverPasswordForm->createView(),
  149.             'notification' => $frontendNotificationService->getNotification()
  150.         ]);
  151.     }
  153.     /**
  154.      * @Route("/oidc/endpoint",
  155.      *     name="pimcore_portalengine_auth_oidc"
  156.      * )
  157.      *
  158.      * @return \Symfony\Component\HttpFoundation\RedirectResponse|Response
  159.      *
  160.      * @throws \Exception
  161.      */
  162.     public function oidcAction(Request $requestPortalConfigService $portalConfigService)
  163.     {
  164.         if (($request->get('code') || $request->get('error')) && !$request->get('redirect')) {
  165.             $url $request->getSchemeAndHttpHost() . $request->getRequestUri() . '&redirect=1';
  167.             $content = <<<RESPONSE
  168. <html>
  169. <head>
  170. <meta http-equiv="refresh" content="0;URL=' {$url}'"/>
  171. </head>
  172. <body><p>Redirecting to <a href="{$url}">{$url}</a>.</p></body>
  173. </html>
  174. RESPONSE;
  176.             return new Response($content);
  177.         }
  179.         if (!class_exists('Pimcore\\Bundle\\OpenIdConnectBundle\\PimcoreOpenIdConnectBundle')) {
  180.             throw new \Exception('OpenID Connect Bundle not available');
  181.         }
  183.         if ($request->get('error')) {
  184.             throw new \Exception(strip_tags($request->get('error')) . ': ' strip_tags($request->get('error_description')));
  185.         }
  187.         $portalConfig $portalConfigService->getCurrentPortalConfig();
  189.         $session $request->getSession();
  191.         /** @var NamespacedAttributeBag $sessionBag */
  192.         $sessionBag $session->getBag(Configurator::SESSION_BAG_NAME); // @phpstan-ignore-line
  194.         // if coming back from provider, use provider from session
  195.         if ($request->get('code')) {
  196.             $providerName $sessionBag->get(OpenIdConnectAuthenticator::SESSION_KEY_PROVIDER);
  197.         } else {
  198.             $providerName $request->get('provider');
  200.             Session::useSession(function (AttributeBagInterface $sessionBag) use ($providerName) {
  201.                 $sessionBag->set(OpenIdConnectAuthenticator::SESSION_KEY_PROVIDER$providerName);
  202.             }, Configurator::SESSION_BAG_NAME); // @phpstan-ignore-line
  204.             Session::writeClose();
  205.         }
  207.         $oidcConfig $portalConfig->getOidcConfig($providerName);
  208.         if (empty($oidcConfig)) {
  209.             throw new \InvalidArgumentException(sprintf('Provider `%s` unknown.'strip_tags($request->get('provider'))));
  210.         }
  212.         $provider = new OpenIdConnectProvider([   // @phpstan-ignore-line
  213.             'clientId' => $oidcConfig->getClientId(),
  214.             'clientSecret' => $oidcConfig->getClientSecret(),
  215.             'urlDiscovery' => $oidcConfig->getDiscoveryUrl(),
  216.             'redirectUri' => $request->getSchemeAndHttpHost() . $request->getPathInfo(),
  217.             'scopes' => $oidcConfig->getScopes()
  218.         ]);
  219.         $provider->setHttpClient($this->httpClient); // @phpstan-ignore-line
  221.         if (!$request->get('code')) {
  223.             // If we don't have an authorization code then get one
  224.             $authUrl $provider->getAuthorizationUrl(); // @phpstan-ignore-line
  226.             Session::useSession(function (AttributeBagInterface $sessionBag) use ($provider) {
  227.                 $sessionBag->set(OpenIdConnectAuthenticator::SESSION_KEY_STATE$provider->getState()); // @phpstan-ignore-line
  228.             }, Configurator::SESSION_BAG_NAME); // @phpstan-ignore-line
  230.             return $this->redirect($authUrl);
  231.         } elseif (!$request->get('state') || ($request->get('state') !== $sessionBag->get('oauth2state'))) {
  232.             // Check given state against previously stored one to mitigate CSRF attack
  233.             $sessionBag->remove(OpenIdConnectAuthenticator::SESSION_KEY_STATE);
  234.             throw new \Exception('Invalid state');
  235.         }
  237.         return $this->redirectToRoute('pimcore_portalengine_auth_login');
  238.     }
  239. }