implements security on recovering password and redis connector

2025-08-28 10:33:49 +00:00 · 2018-08-17 17:54:17 +02:00
parent 35683a7289
commit 480655f31b
12 changed files with 630 additions and 15 deletions
--- a/Security/PasswordRecover/PasswordRecoverLocker.php
+++ b/Security/PasswordRecover/PasswordRecoverLocker.php
@@ -0,0 +1,170 @@
+<?php
+/*
+ * Copyright (C) 2018 Champs Libres Cooperative <info@champs-libres.coop>
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program.  If not, see <http://www.gnu.org/licenses/>.
+ */
+namespace Chill\MainBundle\Security\PasswordRecover;
+
+use Chill\MainBundle\Redis\ChillRedis;
+use Psr\Log\LoggerInterface;
+
+/**
+ * 
+ *
+ * @author Julien Fastré <julien.fastre@champs-libres.coop>
+ */
+class PasswordRecoverLocker
+{
+    
+    /**
+     * The maximum of invalid token globally (across all ip)
+     */
+    const MAX_INVALID_TOKEN_GLOBAL = 50;
+    
+    /**
+     * The maximum of invalid token by ip
+     */
+    const MAX_INVALID_TOKEN_BY_IP = 10;
+    
+    /**
+     * TTL to keep invalid token recorded
+     */
+    const INVALID_TOKEN_TTL = 3600;
+    
+    const MAX_ASK_TOKEN_INVALID_FORM_GLOBAL = 50;
+    
+    const MAX_ASK_TOKEN_INVALID_FORM_BY_IP = 10;
+    
+    const MAX_ASK_TOKEN_BY_USER = 10;
+    
+    const ASK_TOKEN_INVALID_FORM_TTL = 3600;
+    
+    /**
+     *
+     * @var ChillRedis
+     */
+    protected $chillRedis;
+    
+    /**
+     *
+     * @var LoggerInterface
+     */
+    protected $logger;
+    
+    public function __construct(ChillRedis $chillRedis, LoggerInterface $logger)
+    {
+        $this->chillRedis = $chillRedis;
+        $this->logger = $logger;
+    }
+
+    
+    public function createLock($usage, $discriminator = null)
+    {
+        $max = $this->getMax($usage);
+        $ttl = $this->getTtl($usage);
+        
+        for ($i = 0; $i < $max; $i++) {
+            $key = self::generateLockKey($usage, $i, $discriminator);
+            
+            if (0 === $this->chillRedis->exists($key)) {
+                $this->chillRedis->set($key, 1);
+                $this->chillRedis->setTimeout($key, $ttl);
+                
+                break;
+            }
+        }
+    }
+    
+    public function isLocked($usage, $discriminator = null) 
+    {
+        $max = $this->getMax($usage);
+        
+        for ($i = 0; $i < $max; $i++) {
+            $key = self::generateLockKey($usage, $i, $discriminator);
+
+            if ($this->chillRedis->exists($key) === 0) {
+                return false;
+            }
+        }
+        
+        $this->logger->warning("locking reaching for password recovery", [
+            'usage' => $usage,
+            'discriminator' => $discriminator
+        ]);
+        
+        return true;
+    }
+    
+    public function getMax($usage)
+    {
+        switch ($usage) {
+            case 'invalid_token_global':
+                return self::MAX_INVALID_TOKEN_GLOBAL;
+            case 'invalid_token_by_ip':
+                return self::MAX_INVALID_TOKEN_BY_IP;
+            case 'ask_token_invalid_form_global':
+                return self::MAX_ASK_TOKEN_INVALID_FORM_GLOBAL;
+            case 'ask_token_invalid_form_by_ip':
+                return self::MAX_ASK_TOKEN_INVALID_FORM_BY_IP;
+            case 'ask_token_success_by_user':
+                return self::MAX_ASK_TOKEN_BY_USER;
+                
+            default:
+                throw new \UnexpectedValueException("this usage '$usage' is not yet implemented");
+        }
+    }
+    
+    public function getTtl($usage)
+    {
+        switch ($usage) {
+            case 'invalid_token_global':
+            case 'invalid_token_by_ip':
+                return self::INVALID_TOKEN_TTL;
+                
+            case 'ask_token_invalid_form_global':
+            case 'ask_token_invalid_form_by_ip':
+                return self::ASK_TOKEN_INVALID_FORM_TTL;
+                
+            case 'ask_token_success_by_user':
+                return self::ASK_TOKEN_INVALID_FORM_TTL * 24;
+                
+            default:
+                throw new \UnexpectedValueException("this usage '$usage' is not yet implemented");
+        }
+    }
+    
+    /**
+     * 
+     * @param string $usage 'invalid_token_global' or ...
+     * @param int $number
+     */
+    public static function generateLockKey($usage, int $number, $discriminator = null)
+    {
+        switch($usage) {
+            case "invalid_token_global":
+                return sprintf('invalid_token_global_%d', $number);
+            case "invalid_token_by_ip":
+                return sprintf('invalid_token_ip_%s_%d', $discriminator, $number);
+            case "ask_token_invalid_form_global":
+                return sprintf('ask_token_invalid_form_global_%d', $number);
+            case "ask_token_invalid_form_by_ip":
+                return sprintf('ask_token_invalid_form_by_ip_%s_%d', $discriminator, $number);
+            case 'ask_token_success_by_user':
+                return sprintf('ask_token_success_by_user_%s_%d', $discriminator->getId(), $number);
+            default:
+                throw new \LogicException("this usage is not implemented");
+        }
+    }
+}