implements security on recovering password and redis connector

2025-09-03 13:33:48 +00:00 · 2018-08-17 17:54:17 +02:00
parent 35683a7289
commit 480655f31b
12 changed files with 630 additions and 15 deletions
--- a/Security/PasswordRecover/PasswordRecoverVoter.php
+++ b/Security/PasswordRecover/PasswordRecoverVoter.php
@@ -20,6 +20,7 @@ namespace Chill\MainBundle\Security\PasswordRecover;
 use Symfony\Component\Security\Core\Authorization\Voter\Voter;
 use Chill\MainBundle\Entity\User;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\HttpFoundation\RequestStack;

 /**
 * 
@@ -28,27 +29,74 @@ use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 */
 class PasswordRecoverVoter extends Voter
 {
-    const CHANGE_PASSWORD = 'CHILL_CHANGE_PASSWORD';
+    const TRY_TOKEN = 'CHILL_PASSWORD_TRY_TOKEN';
+    const ASK_TOKEN = 'CHILL_PASSWORD_ASK_TOKEN';
+    
+    protected $supported = [
+        self::TRY_TOKEN,
+        self::ASK_TOKEN
+    ];
+    
+    /**
+     *
+     * @var PasswordRecoverLocker
+     */
+    protected $locker;
+    
+    /**
+     *
+     * @var RequestStack
+     */
+    protected $requestStack;
+    
+    public function __construct(PasswordRecoverLocker $locker, RequestStack $requestStack)
+    {
+        $this->locker = $locker;
+        $this->requestStack = $requestStack;
+    }
+
    
    protected function supports($attribute, $subject): bool
    {
-        if ($attribute !== self::CHANGE_PASSWORD) {
+        if (!in_array($attribute, $this->supported)) {
            return false;
        }
        
-        if (!$subject['user'] instanceof User) {
-            throw new \UnexpectedValueException("The subject must contains an "
-                . "".User::class." under the 'user' key");
-        }
-        
-        if (empty($subject['token'])) {
-            throw new \UnexpectedValueException("The subject must contains a "
-                . "token key");
-        }
+        return true;
    }

    protected function voteOnAttribute($attribute, $subject, TokenInterface $token): bool
    {
-        
+        switch ($attribute) {
+            case self::TRY_TOKEN:
+                if (TRUE === $this->locker->isLocked('invalid_token_global')) {
+                    return false;
+                }
+                
+                $ip = $this->requestStack->getCurrentRequest()->getClientIp();
+                if (TRUE === $this->locker->isLocked('invalid_token_by_ip', $ip)) {
+                    return false;
+                }
+                
+                return true;
+            case self::ASK_TOKEN:
+                if (TRUE === $this->locker->isLocked('ask_token_invalid_form_global')) {
+                    return false;
+                }
+                
+                $ip = $this->requestStack->getCurrentRequest()->getClientIp();
+                if (TRUE === $this->locker->isLocked('ask_token_invalid_form_by_ip', $ip)) {
+                    return false;
+                }
+                
+                if ($subject instanceof User) {
+                    if (TRUE === $this->locker->isLocked('ask_token_success_by_user', $subject)) {
+                        return false;
+                    }
+                }
+                
+                return true;
+                
+        }
    }
 }