Add CacheTokenVerifier and ability to configure a token_verifier on the remember_me security config

Seldaek · Seldaek · commit ab5303afe24d · 2021-05-12T09:54:32.000+02:00
diff --git a/src/Symfony/Bridge/Doctrine/Security/RememberMe/DoctrineTokenProvider.php b/src/Symfony/Bridge/Doctrine/Security/RememberMe/DoctrineTokenProvider.php
@@ -179,9 +179,6 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue)
      */
     public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void
     {
-        // Update the series with the new token value
-        $this->updateToken($token->getSeries(), $tokenValue, $lastUsed);
-
         if (!$token instanceof PersistentToken) {
             return;
         }
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
@@ -116,10 +116,12 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
                 ->addTag('security.remember_me_handler', ['firewall' => $firewallName]);
         } elseif (isset($config['token_provider'])) {
             $tokenProviderId = $this->createTokenProvider($container, $firewallName, $config['token_provider']);
+            $tokenVerifierId = $config['token_verifier'] ?? null;
             $container->setDefinition($rememberMeHandlerId, new ChildDefinition('security.authenticator.persistent_remember_me_handler'))
                 ->replaceArgument(0, new Reference($tokenProviderId))
                 ->replaceArgument(2, new Reference($userProviderId))
                 ->replaceArgument(4, $config)
+                ->replaceArgument(6, $tokenVerifierId ? new Reference($tokenVerifierId) : null)
                 ->addTag('security.remember_me_handler', ['firewall' => $firewallName]);
         } else {
             $signatureHasherId = 'security.authenticator.remember_me_signature_hasher.'.$firewallName;
@@ -214,6 +216,14 @@ public function addConfiguration(NodeDefinition $node)
                         ->end()
                     ->end()
                 ->end()
+            ->end()
+            ->arrayNode('token_verifier')
+                ->beforeNormalization()
+                    ->ifString()->then(function ($v) { return ['service' => $v]; })
+                ->end()
+                ->children()
+                    ->scalarNode('service')->info('The service ID of a custom rememberme token verifier.')->end()
+                ->end()
             ->end();
 
         foreach ($this->options as $name => $value) {
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/schema/security-1.0.xsd b/src/Symfony/Bundle/SecurityBundle/Resources/config/schema/security-1.0.xsd
@@ -350,6 +350,7 @@
         <xsd:attribute name="secret" type="xsd:string" use="required" />
         <xsd:attribute name="service" type="xsd:string" />
         <xsd:attribute name="token-provider" type="xsd:string" />
+        <xsd:attribute name="token-verifier" type="xsd:string" />
         <xsd:attribute name="catch-exceptions" type="xsd:boolean" />
         <xsd:attribute name="secure" type="remember_me_secure" />
         <xsd:attribute name="samesite" type="remember_me_samesite" />
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_remember_me.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_remember_me.php
@@ -51,6 +51,7 @@
                 service('request_stack'),
                 abstract_arg('options'),
                 service('logger')->nullOnInvalid(),
+                abstract_arg('token verifier'),
             ])
             ->tag('monolog.logger', ['channel' => 'security'])
 
diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/CacheTokenVerifier.php
@@ -0,0 +1,71 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Core\Authentication\RememberMe;
+
+use Psr\Cache\CacheItemPoolInterface;
+
+/**
+ * @author Jordi Boggiano <j.boggiano@seld.be>
+ */
+class CacheTokenVerifier implements TokenVerifierInterface
+{
+    /** @var CacheItemPoolInterface */
+    private $cache;
+    /** @var int */
+    private $outdatedTokenTtl;
+    /** @var string */
+    private $cacheKeyPrefix;
+
+    /**
+     * @param int $outdatedTokenTtl How long should the outdated token be valid, defaults to 60
+     *                              which matches how often the PersistentRememberMeHandler will
+     *                              at most refresh tokens. Increasing to more than that is not
+     *                              recommended, but you may use a lower value.
+     */
+    public function __construct(CacheItemPoolInterface $cache, int $outdatedTokenTtl = 60, string $cacheKeyPrefix = 'rememberme-')
+    {
+        $this->cache = $cache;
+        $this->outdatedTokenTtl = $outdatedTokenTtl;
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool
+    {
+        if (hash_equals($token->getTokenValue(), $tokenValue)) {
+            return true;
+        }
+
+        if (!$this->cache->hasItem($this->cacheKeyPrefix.$token->getSeries())) {
+            return false;
+        }
+
+        $item = $this->cache->getItem($this->cacheKeyPrefix.$token->getSeries());
+        $outdatedToken = $item->get();
+
+        return hash_equals($outdatedToken, $tokenValue);
+    }
+
+    /**
+     * {@inheritDoc}
+     */
+    public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void
+    {
+        // When a token gets updated, persist the outdated token for $outdatedTokenTtl seconds so we can
+        // still accept it as valid in verifyToken
+        $item = $this->cache->getItem($this->cacheKeyPrefix.$token->getSeries());
+        $item->set($token->getTokenValue());
+        $item->expiresAfter($this->outdatedTokenTtl);
+        $this->cache->save($item);
+    }
+}
diff --git a/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenVerifierInterface.php b/src/Symfony/Component/Security/Core/Authentication/RememberMe/TokenVerifierInterface.php
@@ -17,7 +17,7 @@
 interface TokenVerifierInterface
 {
     /**
-     * Verifies that the given $token is valid
+     * Verifies that the given $token is valid.
      *
      * This lets you override the token check logic to for example accept slightly outdated tokens.
      *
@@ -26,7 +26,7 @@ interface TokenVerifierInterface
     public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool;
 
     /**
-     * Updates an existing token with a new token value and lastUsed time
+     * Updates an existing token with a new token value and lastUsed time.
      */
     public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void;
 }
diff --git a/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php b/src/Symfony/Component/Security/Http/RememberMe/PersistentRememberMeHandler.php
@@ -33,13 +33,19 @@
 final class PersistentRememberMeHandler extends AbstractRememberMeHandler
 {
     private $tokenProvider;
+    /** @var ?TokenVerifierInterface */
+    private $tokenVerifier;
     private $secret;
 
-    public function __construct(TokenProviderInterface $tokenProvider, string $secret, UserProviderInterface $userProvider, RequestStack $requestStack, array $options, ?LoggerInterface $logger = null)
+    public function __construct(TokenProviderInterface $tokenProvider, string $secret, UserProviderInterface $userProvider, RequestStack $requestStack, array $options, ?LoggerInterface $logger = null, ?TokenVerifierInterface $tokenVerifier = null)
     {
         parent::__construct($userProvider, $requestStack, $options, $logger);
 
+        if (!$tokenVerifier && $tokenProvider instanceof TokenVerifierInterface) {
+            $tokenVerifier = $tokenProvider;
+        }
         $this->tokenProvider = $tokenProvider;
+        $this->tokenVerifier = $tokenVerifier;
         $this->secret = $secret;
     }
 
@@ -69,7 +75,7 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
         $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
 
         if (
-            ($this->tokenProvider instanceof TokenVerifierInterface && !$this->tokenProvider->verifyToken($persistentToken, $tokenValue))
+            ($this->tokenVerifier && !$this->tokenVerifier->verifyToken($persistentToken, $tokenValue))
             || !hash_equals($persistentToken->getTokenValue(), $tokenValue)
         ) {
             throw new CookieTheftException('This token was already used. The account is possibly compromised.');
@@ -83,11 +89,12 @@ public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInte
         // if multiple concurrent requests reauthenticate a user we do not want to update the token several times
         if ($persistentToken->getLastUsed()->getTimestamp() + 60 < time()) {
             $tokenValue = base64_encode(random_bytes(64));
-            if ($this->tokenProvider instanceof TokenVerifierInterface) {
-                $this->tokenProvider->updateExistingToken($persistentToken, $this->generateHash($tokenValue), new \DateTime());
-            } else {
-                $this->tokenProvider->updateToken($series, $this->generateHash($tokenValue), new \DateTime());
+            $tokenValueHash = $this->generateHash($tokenValue);
+            $tokenLastUsed = new \DateTime();
+            if ($this->tokenVerifier) {
+                $this->tokenVerifier->updateExistingToken($persistentToken, $tokenValueHash, $tokenLastUsed);
             }
+            $this->tokenProvider->updateToken($series, $tokenValueHash, $tokenLastUsed);
         }
 
         $this->createCookie($rememberMeDetails->withValue($tokenValue));

Original file line number	Diff line number	Diff line change
`@@ -179,9 +179,6 @@ public function verifyToken(PersistentTokenInterface $token, string $tokenValue)`
`179`	`179`	`*/`
`180`	`180`	`public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void`
`181`	`181`	`{`
`182`		`- // Update the series with the new token value`
`183`		`- $this->updateToken($token->getSeries(), $tokenValue, $lastUsed);`
`184`		`-`
`185`	`182`	`if (!$token instanceof PersistentToken) {`
`186`	`183`	`return;`
`187`	`184`	`}`
Original file line number	Diff line number	Diff line change
`@@ -17,7 +17,7 @@`
`17`	`17`	`interface TokenVerifierInterface`
`18`	`18`	`{`
`19`	`19`	`/**`
`20`		`- * Verifies that the given $token is valid`
	`20`	`+ * Verifies that the given $token is valid.`
`21`	`21`	`*`
`22`	`22`	`* This lets you override the token check logic to for example accept slightly outdated tokens.`
`23`	`23`	`*`
`@@ -26,7 +26,7 @@ interface TokenVerifierInterface`
`26`	`26`	`public function verifyToken(PersistentTokenInterface $token, string $tokenValue): bool;`
`27`	`27`
`28`	`28`	`/**`
`29`		`- * Updates an existing token with a new token value and lastUsed time`
	`29`	`+ * Updates an existing token with a new token value and lastUsed time.`
`30`	`30`	`*/`
`31`	`31`	`public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void;`
`32`	`32`	`}`