accounts/api/modules/authserver/models/AuthenticationForm.php

<?php
declare(strict_types=1);

namespace api\modules\authserver\models;

use api\components\Tokens\TokensFactory;
use api\models\base\ApiForm;
use api\modules\authserver\exceptions\ForbiddenOperationException;
use api\modules\authserver\Module as Authserver;
use api\modules\authserver\validators\ClientTokenValidator;
use api\modules\authserver\validators\RequiredValidator;
use api\rbac\Permissions as P;
use common\components\Authentication\Entities\Credentials;
use common\components\Authentication\Exceptions;
use common\components\Authentication\Exceptions\AuthenticationException;
use common\components\Authentication\LoginServiceInterface;
use common\models\Account;
use common\models\OauthClient;
use common\models\OauthSession;
use Ramsey\Uuid\Uuid;
use Webmozart\Assert\Assert;

final class AuthenticationForm extends ApiForm {

    public mixed $username = null;

    public mixed $password = null;

    public mixed $clientToken = null;

    public mixed $requestUser = null;

    public function __construct(
        private readonly LoginServiceInterface $loginService,
        private readonly TokensFactory $tokensFactory,
        array $config = [],
    ) {
        parent::__construct($config);
    }

    public function rules(): array {
        return [
            [['username', 'password'], RequiredValidator::class],
            [['clientToken'], ClientTokenValidator::class],
            [['requestUser'], 'boolean'],
        ];
    }

    /**
     * @throws ForbiddenOperationException
     */
    public function authenticate(): AuthenticateData {
        // This validating method will throw an exception in case when validation will not pass successfully
        $this->validate();

        Authserver::info("Trying to authenticate user by login = '{$this->username}'.");

        $password = (string)$this->password;
        $totp = null;
        if (preg_match('/.{8,}:(\d{6})$/', $password, $matches) === 1) {
            $totp = $matches[1];
            $password = mb_substr($password, 0, -7); // :123456 - 7 chars
        }

        login:

        $credentials = new Credentials(
            login: (string)$this->username,
            password: $password,
            totp: $totp,
        );

        try {
            $result = $this->loginService->loginByCredentials($credentials);
        } catch (Exceptions\InvalidPasswordException $e) {
            if ($totp !== null) {
                $password = $this->password;
                goto login;
            }

            $this->convertAuthenticationException($e);
        } catch (AuthenticationException $e) {
            $this->convertAuthenticationException($e);
        }

        $account = $result->account;
        if ($account->status === Account::STATUS_DELETED) {
            throw new ForbiddenOperationException('Invalid credentials. Invalid username or password.');
        }

        $clientToken = $this->clientToken ?: Uuid::uuid4()->toString();
        $token = $this->tokensFactory->createForMinecraftAccount($account, $clientToken);
        $dataModel = new AuthenticateData($account, $token->toString(), $clientToken, (bool)$this->requestUser);
        /** @var OauthSession|null $minecraftOauthSession */
        $minecraftOauthSession = $account->getOauthSessions()
            ->andWhere(['client_id' => OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER])
            ->one();
        if ($minecraftOauthSession === null) {
            $minecraftOauthSession = new OauthSession();
            $minecraftOauthSession->account_id = $account->id;
            $minecraftOauthSession->client_id = OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER;
            $minecraftOauthSession->scopes = [P::MINECRAFT_SERVER_SESSION];
        }

        $minecraftOauthSession->last_used_at = time();
        Assert::true($minecraftOauthSession->save());

        Authserver::info("User with id = {$account->id}, username = '{$account->username}' and email = '{$account->email}' successfully logged in.");

        return $dataModel;
    }

    /**
     * @throws \api\modules\authserver\exceptions\ForbiddenOperationException
     */
    private function convertAuthenticationException(AuthenticationException $e): never {
        throw match ($e::class) {
            Exceptions\AccountBannedException::class => new ForbiddenOperationException('This account has been suspended.'),
            Exceptions\TotpRequiredException::class => new ForbiddenOperationException('Account protected with two factor auth.'),
            default => new ForbiddenOperationException('Invalid credentials. Invalid username or password.'),
        };
    }

}
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`<?php`
Replace separate minecraft access tokens with JWT 2019-12-04 21:10:15 +03:00			`declare(strict_types=1);`

Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`namespace api\modules\authserver\models;`

Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`use api\components\Tokens\TokensFactory;`
Теперь при передаче запроса как json, закодированный в теле, он автоматически парсится 2017-05-31 03:10:22 +03:00			`use api\models\base\ApiForm;`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`use api\modules\authserver\exceptions\ForbiddenOperationException;`
Тесты для AuthorizationForm и кастомного RequiredValidator В модуль Authserver добавлены хелперы для логирования Исправлена ошибка в MinecraftAccessKey Ускорено тестирование всего приложения 2016-08-29 02:17:45 +03:00			`use api\modules\authserver\Module as Authserver;`
Fixes ACCOUNTS-37R 2018-01-02 20:22:56 +03:00			`use api\modules\authserver\validators\ClientTokenValidator;`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`use api\modules\authserver\validators\RequiredValidator;`
Fix revokation validation. Add additional tests cases 2019-12-10 22:51:11 +03:00			`use api\rbac\Permissions as P;`
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`use common\components\Authentication\Entities\Credentials;`
			`use common\components\Authentication\Exceptions;`
			`use common\components\Authentication\Exceptions\AuthenticationException;`
			`use common\components\Authentication\LoginServiceInterface;`
Тесты для AuthorizationForm и кастомного RequiredValidator В модуль Authserver добавлены хелперы для логирования Исправлена ошибка в MinecraftAccessKey Ускорено тестирование всего приложения 2016-08-29 02:17:45 +03:00			`use common\models\Account;`
Fix revokation validation. Add additional tests cases 2019-12-10 22:51:11 +03:00			`use common\models\OauthClient;`
			`use common\models\OauthSession;`
Fixes #35. Make `clientToken` optional during legacy Minecraft auth flow 2024-11-24 10:25:22 +01:00			`use Ramsey\Uuid\Uuid;`
Fix revokation validation. Add additional tests cases 2019-12-10 22:51:11 +03:00			`use Webmozart\Assert\Assert;`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`final class AuthenticationForm extends ApiForm {`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`public mixed $username = null;`
Implemented PHP-CS-Fixer support 2018-04-17 23:47:25 +03:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`public mixed $password = null;`
Implemented PHP-CS-Fixer support 2018-04-17 23:47:25 +03:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`public mixed $clientToken = null;`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`public mixed $requestUser = null;`

			`public function __construct(`
			`private readonly LoginServiceInterface $loginService,`
			`private readonly TokensFactory $tokensFactory,`
			`array $config = [],`
			`) {`
			`parent::__construct($config);`
			`}`
Return user field when requestUser param received on authentication/refresh endpoint [deploy] 2021-03-06 10:37:58 +01:00
Replace separate minecraft access tokens with JWT 2019-12-04 21:10:15 +03:00			`public function rules(): array {`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`return [`
Fixes #35. Make `clientToken` optional during legacy Minecraft auth flow 2024-11-24 10:25:22 +01:00			`[['username', 'password'], RequiredValidator::class],`
Fixes ACCOUNTS-37R 2018-01-02 20:22:56 +03:00			`[['clientToken'], ClientTokenValidator::class],`
Return user field when requestUser param received on authentication/refresh endpoint [deploy] 2021-03-06 10:37:58 +01:00			`[['requestUser'], 'boolean'],`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`];`
			`}`

			`/**`
Upgrade project to PHP 8.3, add PHPStan, upgrade almost every dependency (#36) * start updating to PHP 8.3 * taking off! Co-authored-by: ErickSkrauch <erickskrauch@yandex.ru> Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * dropped this Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * migrate to symfonymailer Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * this is so stupid 😭 Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * ah, free, at last. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * oh, Gabriel. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * now dawns thy reckoning. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * and thy gore shall GLISTEN before the temples of man. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * creature of steel. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * my gratitude upon thee for my freedom. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * but the crimes thy kind has committed against humanity Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * Upgrade PHP-CS-Fixer and do fix the codebase * First review round (maybe I have broken something) * are NOT forgotten. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * Enable parallel PHP-CS-Fixer runner * PHPStan level 1 * PHPStan level 2 * PHPStan level 3 * PHPStan level 4 * PHPStan level 5 * Levels 6 and 7 takes too much effort. Generate a baseline and fix them eventually * Resolve TODO's related to the php-mock * Drastically reduce baseline size with the Rector * More code modernization with help of the Rector * Update GitLab CI --------- Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> Co-authored-by: ErickSkrauch <erickskrauch@yandex.ru> 2024-12-02 15:10:55 +05:00			`* @throws ForbiddenOperationException`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`*/`
Replace separate minecraft access tokens with JWT 2019-12-04 21:10:15 +03:00			`public function authenticate(): AuthenticateData {`
			`// This validating method will throw an exception in case when validation will not pass successfully`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`$this->validate();`

Тесты для AuthorizationForm и кастомного RequiredValidator В модуль Authserver добавлены хелперы для логирования Исправлена ошибка в MinecraftAccessKey Ускорено тестирование всего приложения 2016-08-29 02:17:45 +03:00			`Authserver::info("Trying to authenticate user by login = '{$this->username}'.");`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`$password = (string)$this->password;`
Alternative implementation of passing totp to the legacy Minecraft authorization protocol to not break the yggdrasil's protocol [deploy] 2021-03-08 22:21:10 +01:00			`$totp = null;`
			`if (preg_match('/.{8,}:(\d{6})$/', $password, $matches) === 1) {`
			`$totp = $matches[1];`
			`$password = mb_substr($password, 0, -7); // :123456 - 7 chars`
			`}`

			`login:`

Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`$credentials = new Credentials(`
			`login: (string)$this->username,`
			`password: $password,`
			`totp: $totp,`
			`);`

			`try {`
			`$result = $this->loginService->loginByCredentials($credentials);`
			`} catch (Exceptions\InvalidPasswordException $e) {`
			`if ($totp !== null) {`
			`$password = $this->password;`
			`goto login;`
			`}`
Alternative implementation of passing totp to the legacy Minecraft authorization protocol to not break the yggdrasil's protocol [deploy] 2021-03-08 22:21:10 +01:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`$this->convertAuthenticationException($e);`
			`} catch (AuthenticationException $e) {`
			`$this->convertAuthenticationException($e);`
Alternative implementation of passing totp to the legacy Minecraft authorization protocol to not break the yggdrasil's protocol [deploy] 2021-03-08 22:21:10 +01:00			`}`
Implemented PHP-CS-Fixer support 2018-04-17 23:47:25 +03:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`$account = $result->account;`
			`if ($account->status === Account::STATUS_DELETED) {`
			`throw new ForbiddenOperationException('Invalid credentials. Invalid username or password.');`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`}`

Fixes #35. Make `clientToken` optional during legacy Minecraft auth flow 2024-11-24 10:25:22 +01:00			`$clientToken = $this->clientToken ?: Uuid::uuid4()->toString();`
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`$token = $this->tokensFactory->createForMinecraftAccount($account, $clientToken);`
Upgrade project to PHP 8.3, add PHPStan, upgrade almost every dependency (#36) * start updating to PHP 8.3 * taking off! Co-authored-by: ErickSkrauch <erickskrauch@yandex.ru> Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * dropped this Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * migrate to symfonymailer Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * this is so stupid 😭 Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * ah, free, at last. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * oh, Gabriel. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * now dawns thy reckoning. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * and thy gore shall GLISTEN before the temples of man. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * creature of steel. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * my gratitude upon thee for my freedom. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * but the crimes thy kind has committed against humanity Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * Upgrade PHP-CS-Fixer and do fix the codebase * First review round (maybe I have broken something) * are NOT forgotten. Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> * Enable parallel PHP-CS-Fixer runner * PHPStan level 1 * PHPStan level 2 * PHPStan level 3 * PHPStan level 4 * PHPStan level 5 * Levels 6 and 7 takes too much effort. Generate a baseline and fix them eventually * Resolve TODO's related to the php-mock * Drastically reduce baseline size with the Rector * More code modernization with help of the Rector * Update GitLab CI --------- Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com> Co-authored-by: ErickSkrauch <erickskrauch@yandex.ru> 2024-12-02 15:10:55 +05:00			`$dataModel = new AuthenticateData($account, $token->toString(), $clientToken, (bool)$this->requestUser);`
Fix revokation validation. Add additional tests cases 2019-12-10 22:51:11 +03:00			`/** @var OauthSession\|null $minecraftOauthSession */`
Implemented features to revoke access for previously authorized OAuth 2.0 clients 2020-09-30 20:30:04 +03:00			`$minecraftOauthSession = $account->getOauthSessions()`
Fix revokation validation. Add additional tests cases 2019-12-10 22:51:11 +03:00			`->andWhere(['client_id' => OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER])`
Implemented features to revoke access for previously authorized OAuth 2.0 clients 2020-09-30 20:30:04 +03:00			`->one();`
			`if ($minecraftOauthSession === null) {`
Fix revokation validation. Add additional tests cases 2019-12-10 22:51:11 +03:00			`$minecraftOauthSession = new OauthSession();`
			`$minecraftOauthSession->account_id = $account->id;`
			`$minecraftOauthSession->client_id = OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER;`
			`$minecraftOauthSession->scopes = [P::MINECRAFT_SERVER_SESSION];`
			`}`
Тесты для AuthorizationForm и кастомного RequiredValidator В модуль Authserver добавлены хелперы для логирования Исправлена ошибка в MinecraftAccessKey Ускорено тестирование всего приложения 2016-08-29 02:17:45 +03:00
Implemented features to revoke access for previously authorized OAuth 2.0 clients 2020-09-30 20:30:04 +03:00			`$minecraftOauthSession->last_used_at = time();`
			`Assert::true($minecraftOauthSession->save());`

Тесты для AuthorizationForm и кастомного RequiredValidator В модуль Authserver добавлены хелперы для логирования Исправлена ошибка в MinecraftAccessKey Ускорено тестирование всего приложения 2016-08-29 02:17:45 +03:00			`Authserver::info("User with id = {$account->id}, username = '{$account->username}' and email = '{$account->email}' successfully logged in.");`

			`return $dataModel;`
			`}`
Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00
Extract login logics into a separate component. Not quite clean result but enough for upcoming tasks 2025-01-17 21:37:35 +01:00			`/**`
			`* @throws \api\modules\authserver\exceptions\ForbiddenOperationException`
			`*/`
			`private function convertAuthenticationException(AuthenticationException $e): never {`
			`throw match ($e::class) {`
			`Exceptions\AccountBannedException::class => new ForbiddenOperationException('This account has been suspended.'),`
			`Exceptions\TotpRequiredException::class => new ForbiddenOperationException('Account protected with two factor auth.'),`
			`default => new ForbiddenOperationException('Invalid credentials. Invalid username or password.'),`
			`};`
			`}`

Первичное портирование логики сервера авторизации с PhalconPHP на Yii2 2016-08-21 02:21:39 +03:00			`}`