Merge pull request #1068 from wallabag/v2-api-authentication

V2 api authentication

app/config/config_prod.yml

@@ -17,6 +17,11 @@ monolog:
             type:         fingers_crossed
             action_level: error
             handler:      nested
+        wsse:
+            type: stream
+            path: %kernel.logs_dir%/%kernel.environment%.wsse.log
+            level: error
+            channels: [wsse]
         nested:
             type:  stream
             path:  "%kernel.logs_dir%/%kernel.environment%.log"

app/config/security.yml

@@ -16,9 +16,11 @@ security:
     # the main part of the security, where you can set up firewalls
     # for specific sections of your app
     firewalls:
-        #wsse_secured:
-        #    pattern:   /api/.*
-        #    wsse:      true
+        wsse_secured:
+            pattern:      /api/.*
+            wsse:         true
+            stateless:    true
+            anonymous:    true
         login_firewall:
             pattern:    ^/login$
             anonymous:  ~
@@ -54,6 +56,7 @@ security:
                 target: /
 
     access_control:
+        - { path: ^/api/salt, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/api/doc, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/, roles: ROLE_USER }

src/Wallabag/CoreBundle/Controller/EntryController.php

@@ -6,7 +6,6 @@ use Sensio\Bundle\FrameworkExtraBundle\Configuration\Route;
 use Symfony\Bundle\FrameworkBundle\Controller\Controller;
 use Symfony\Component\HttpFoundation\Request;
 use Wallabag\CoreBundle\Entity\Entry;
-use Wallabag\CoreBundle\Repository;
 use Wallabag\CoreBundle\Service\Extractor;
 use Wallabag\CoreBundle\Helper\Url;
 

src/Wallabag/CoreBundle/Controller/WallabagRestController.php

@@ -12,6 +12,29 @@ use Wallabag\CoreBundle\Service\Extractor;
 
 class WallabagRestController extends Controller
 {
+    /**
+     * Retrieve salt for a giver user.
+     *
+     * @ApiDoc(
+     *       parameters={
+     *          {"name"="username", "dataType"="string", "required"=true, "description"="username"}
+     *       }
+     * )
+     * @return string
+     */
+    public function getSaltAction($username)
+    {
+        $user = $this
+            ->getDoctrine()
+            ->getRepository('WallabagCoreBundle:User')
+            ->findOneByUsername($username);
+
+        if (is_null($user)) {
+            throw $this->createNotFoundException();
+        }
+
+        return $user->getSalt();
+    }
     /**
      * Retrieve all entries. It could be filtered by many options.
      *
@@ -43,7 +66,7 @@ class WallabagRestController extends Controller
         $entries = $this
             ->getDoctrine()
             ->getRepository('WallabagCoreBundle:Entry')
-            ->findEntries(1, $isArchived, $isStarred, $isDeleted, $sort, $order);
+            ->findEntries($this->getUser()->getId(), $isArchived, $isStarred, $isDeleted, $sort, $order);
 
         if (!is_array($entries)) {
             throw $this->createNotFoundException();
@@ -85,8 +108,7 @@ class WallabagRestController extends Controller
         $url = $request->request->get('url');
 
         $content = Extractor::extract($url);
-        $entry = new Entry();
-        $entry->setUserId(1);
+        $entry = new Entry($this->getUser());
         $entry->setUrl($url);
         $entry->setTitle($request->request->get('title') ?: $content->getTitle());
         $entry->setContent($content->getBody());

src/Wallabag/CoreBundle/DependencyInjection/WallabagCoreExtension.php

@@ -3,7 +3,7 @@
 namespace Wallabag\CoreBundle\DependencyInjection;
 
 use Symfony\Component\DependencyInjection\ContainerBuilder;
-use Symfony\Component\DependencyInjection\Loader\XmlFileLoader;
+use Symfony\Component\DependencyInjection\Loader\YamlFileLoader;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
 use Symfony\Component\Config\FileLocator;
 
@@ -11,8 +11,8 @@ class WallabagCoreExtension extends Extension
 {
     public function load(array $configs, ContainerBuilder $container)
     {
-        $loader = new XmlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
-        $loader->load('services.xml');
+        $loader = new YamlFileLoader($container, new FileLocator(__DIR__.'/../Resources/config'));
+        $loader->load('services.yml');
     }
 
     public function getAlias()

src/Wallabag/CoreBundle/Repository/EntryRepository.php

@@ -91,12 +91,12 @@ class EntryRepository extends EntityRepository
     /**
      * Find Entries
      *
-     * @param  int    $userId
-     * @param  bool   $isArchived
-     * @param  bool   $isStarred
-     * @param  bool   $isDeleted
-     * @param  string $sort
-     * @param  string $order
+     * @param int    $userId
+     * @param bool   $isArchived
+     * @param bool   $isStarred
+     * @param bool   $isDeleted
+     * @param string $sort
+     * @param string $order
      *
      * @return ArrayCollection
      */

src/Wallabag/CoreBundle/Resources/config/services.xml

@@ -1,27 +0,0 @@
-<?xml version="1.0" ?>
-
-<container xmlns="http://symfony.com/schema/dic/services"
-    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="http://symfony.com/schema/dic/services http://symfony.com/schema/dic/services/services-1.0.xsd">
-
-    <services>
-        <!-- Twig -->
-        <service id="wallabag_core.twig.wallabag" class="Wallabag\CoreBundle\Twig\Extension\WallabagExtension">
-            <tag name="twig.extension" />
-        </service>
-
-        <!-- Security -->
-        <service id="wsse.security.authentication.provider"
-                 class="Wallabag\CoreBundle\Security\Authentication\Provider\WsseProvider" public="false">
-            <argument /> <!-- User Provider -->
-            <argument>%kernel.cache_dir%/security/nonces</argument>
-        </service>
-
-        <service id="wsse.security.authentication.listener"
-                 class="Wallabag\CoreBundle\Security\Firewall\WsseListener" public="false">
-            <argument type="service" id="security.context"/>
-            <argument type="service" id="security.authentication.manager" />
-        </service>
-    </services>
-
-</container>

src/Wallabag/CoreBundle/Resources/config/services.yml

@@ -0,0 +1,15 @@
+services:
+    wallabag_core.twig.wallabag:
+        class: Wallabag\CoreBundle\Twig\Extension\WallabagExtension
+        tags:
+            - { name: twig.extension }
+    wsse.security.authentication.provider:
+        class: Wallabag\CoreBundle\Security\Authentication\Provider\WsseProvider
+        public: false
+        arguments: ['', '%kernel.cache_dir%/security/nonces']
+    wsse.security.authentication.listener:
+        class: Wallabag\CoreBundle\Security\Firewall\WsseListener
+        public: false
+        tags:
+            - { name: monolog.logger, channel: wsse }
+        arguments: ['@security.context', '@security.authentication.manager', '@logger']

src/Wallabag/CoreBundle/Security/Authentication/Provider/WsseProvider.php

@@ -17,12 +17,21 @@ class WsseProvider implements AuthenticationProviderInterface
     {
         $this->userProvider = $userProvider;
         $this->cacheDir     = $cacheDir;
+
+        // If cache directory does not exist we create it
+        if (!is_dir($this->cacheDir)) {
+            mkdir($this->cacheDir, 0777, true);
+        }
     }
 
     public function authenticate(TokenInterface $token)
     {
         $user = $this->userProvider->loadUserByUsername($token->getUsername());
 
+        if (!$user) {
+            throw new AuthenticationException("Bad credentials. Did you forgot your username?");
+        }
+
         if ($user && $this->validateDigest($token->digest, $token->nonce, $token->created, $user->getPassword())) {
             $authenticatedToken = new WsseUserToken($user->getRoles());
             $authenticatedToken->setUser($user);
@@ -35,20 +44,30 @@ class WsseProvider implements AuthenticationProviderInterface
 
     protected function validateDigest($digest, $nonce, $created, $secret)
     {
-        // Expire le timestamp après 5 minutes
-        if (time() - strtotime($created) > 300) {
-            return false;
+        // Check created time is not in the future
+        if (strtotime($created) > time()) {
+            throw new AuthenticationException("Back to the future...");
         }
 
-        // Valide que le nonce est unique dans les 5 minutes
+        // Expire timestamp after 5 minutes
+        if (time() - strtotime($created) > 300) {
+            throw new AuthenticationException("Too late for this timestamp... Watch your watch.");
+        }
+
+        // Validate nonce is unique within 5 minutes
         if (file_exists($this->cacheDir.'/'.$nonce) && file_get_contents($this->cacheDir.'/'.$nonce) + 300 > time()) {
             throw new NonceExpiredException('Previously used nonce detected');
         }
+
         file_put_contents($this->cacheDir.'/'.$nonce, time());
 
-        // Valide le Secret
+        // Validate Secret
         $expected = base64_encode(sha1(base64_decode($nonce).$created.$secret, true));
 
+        if ($digest !== $expected) {
+            throw new AuthenticationException("Bad credentials ! Digest is not as expected.");
+        }
+
         return $digest === $expected;
     }
 

src/Wallabag/CoreBundle/Security/Firewall/WsseListener.php

@@ -9,16 +9,19 @@ use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\SecurityContextInterface;
 use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
 use Wallabag\CoreBundle\Security\Authentication\Token\WsseUserToken;
+use Psr\Log\LoggerInterface;
 
 class WsseListener implements ListenerInterface
 {
     protected $securityContext;
     protected $authenticationManager;
+    protected $logger;
 
-    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager)
+    public function __construct(SecurityContextInterface $securityContext, AuthenticationManagerInterface $authenticationManager, LoggerInterface $logger)
     {
         $this->securityContext = $securityContext;
         $this->authenticationManager = $authenticationManager;
+        $this->logger = $logger;
     }
 
     public function handle(GetResponseEvent $event)
@@ -41,17 +44,19 @@ class WsseListener implements ListenerInterface
             $authToken = $this->authenticationManager->authenticate($token);
 
             $this->securityContext->setToken($authToken);
-        } catch (AuthenticationException $failed) {
-            // ... you might log something here
 
-            // To deny the authentication clear the token. This will redirect to the login page.
-            // $this->securityContext->setToken(null);
-            // return;
+            return;
+        } catch (AuthenticationException $failed) {
+            $failedMessage = 'WSSE Login failed for '.$token->getUsername().'. Why ? '.$failed->getMessage();
+            $this->logger->err($failedMessage);
 
             // Deny authentication with a '403 Forbidden' HTTP response
             $response = new Response();
             $response->setStatusCode(403);
+            $response->setContent($failedMessage);
             $event->setResponse($response);
+
+            return;
         }
     }
 }

src/Wallabag/CoreBundle/Tests/WallabagTestCase.php

@@ -3,8 +3,6 @@
 namespace Wallabag\CoreBundle\Tests;
 
 use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
-use Symfony\Component\BrowserKit\Cookie;
-use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
 
 class WallabagTestCase extends WebTestCase
 {