vendor/pimcore/pimcore/bundles/AdminBundle/Controller/Admin/LoginController.php line 78

Open in your IDE?
  1. <?php
  3. /**
  4. * Pimcore
  5. *
  6. * This source file is available under two different licenses:
  7. * - GNU General Public License version 3 (GPLv3)
  8. * - Pimcore Commercial License (PCL)
  9. * Full copyright and license information is available in
  10. * LICENSE.md which is distributed with this source code.
  11. *
  12. * @copyright Copyright (c) Pimcore GmbH (http://www.pimcore.org)
  13. * @license http://www.pimcore.org/license GPLv3 and PCL
  14. */
  16. namespace Pimcore\Bundle\AdminBundle\Controller\Admin;
  18. use Pimcore\Bundle\AdminBundle\Controller\AdminController;
  19. use Pimcore\Bundle\AdminBundle\Controller\BruteforceProtectedControllerInterface;
  20. use Pimcore\Bundle\AdminBundle\Security\BruteforceProtectionHandler;
  21. use Pimcore\Bundle\AdminBundle\Security\CsrfProtectionHandler;
  22. use Pimcore\Config;
  23. use Pimcore\Controller\KernelControllerEventInterface;
  24. use Pimcore\Controller\KernelResponseEventInterface;
  25. use Pimcore\Event\Admin\Login\LoginRedirectEvent;
  26. use Pimcore\Event\Admin\Login\LostPasswordEvent;
  27. use Pimcore\Event\AdminEvents;
  28. use Pimcore\Extension\Bundle\PimcoreBundleManager;
  29. use Pimcore\Http\ResponseHelper;
  30. use Pimcore\Logger;
  31. use Pimcore\Model\User;
  32. use Pimcore\Tool;
  33. use Pimcore\Tool\Authentication;
  34. use Symfony\Component\HttpFoundation\RedirectResponse;
  35. use Symfony\Component\HttpFoundation\Request;
  36. use Symfony\Component\HttpFoundation\Response;
  37. use Symfony\Component\HttpKernel\Event\ControllerEvent;
  38. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  39. use Symfony\Component\Routing\Annotation\Route;
  40. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  41. use Symfony\Component\Security\Core\Exception\AuthenticationException;
  42. use Symfony\Component\Security\Core\Security;
  43. use Symfony\Component\Security\Core\User\UserInterface;
  44. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  46. /**
  47. * @internal
  48. */
  49. class LoginController extends AdminController implements BruteforceProtectedControllerInterface, KernelControllerEventInterface, KernelResponseEventInterface
  50. {
  51. /**
  52. * @var ResponseHelper
  53. */
  54. protected $reponseHelper;
  56. public function __construct(ResponseHelper $responseHelper)
  57. {
  58. $this->reponseHelper = $responseHelper;
  59. }
  61. /**
  62. * @param ControllerEvent $event
  63. */
  64. public function onKernelControllerEvent(ControllerEvent $event)
  65. {
  66. // use browser language for login page if possible
  67. $locale = 'en';
  69. $availableLocales = Tool\Admin::getLanguages();
  70. foreach ($event->getRequest()->getLanguages() as $userLocale) {
  71. if (in_array($userLocale, $availableLocales)) {
  72. $locale = $userLocale;
  74. break;
  75. }
  76. }
  78. $this->get('translator')->setLocale($locale);
  79. }
  81. /**
  82. * {@inheritdoc}
  83. */
  84. public function onKernelResponseEvent(ResponseEvent $event)
  85. {
  86. $response = $event->getResponse();
  87. $response->headers->set('X-Frame-Options', 'deny', true);
  88. $this->reponseHelper->disableCache($response, true);
  89. }
  91. /**
  92. * @Route("/login", name="pimcore_admin_login")
  93. * @Route("/login/", name="pimcore_admin_login_fallback")
  94. */
  95. public function loginAction(Request $request, CsrfProtectionHandler $csrfProtection, Config $config)
  96. {
  97. if ($request->get('_route') === 'pimcore_admin_login_fallback') {
  98. return $this->redirectToRoute('pimcore_admin_login', $request->query->all(), Response::HTTP_MOVED_PERMANENTLY);
  99. }
  101. $csrfProtection->regenerateCsrfToken();
  103. $user = $this->getAdminUser();
  104. if ($user instanceof UserInterface) {
  105. return $this->redirectToRoute('pimcore_admin_index');
  106. }
  108. $params = $this->buildLoginPageViewParams($config);
  110. $session_gc_maxlifetime = ini_get('session.gc_maxlifetime');
  111. if (empty($session_gc_maxlifetime)) {
  112. $session_gc_maxlifetime = 120;
  113. }
  115. $params['csrfTokenRefreshInterval'] = ((int)$session_gc_maxlifetime - 60) * 1000;
  117. if ($request->get('auth_failed')) {
  118. $params['error'] = 'error_auth_failed';
  119. }
  120. if ($request->get('session_expired')) {
  121. $params['error'] = 'error_session_expired';
  122. }
  123. if ($request->get('deeplink')) {
  124. $params['deeplink'] = true;
  125. }
  127. $params['browserSupported'] = $this->detectBrowser();
  128. $params['debug'] = \Pimcore::inDebugMode();
  130. return $this->render('@PimcoreAdmin/Admin/Login/login.html.twig', $params);
  131. }
  133. /**
  134. * @Route("/login/csrf-token", name="pimcore_admin_login_csrf_token")
  135. */
  136. public function csrfTokenAction(Request $request, CsrfProtectionHandler $csrfProtection)
  137. {
  138. if (!$this->getAdminUser()) {
  139. $csrfProtection->regenerateCsrfToken();
  140. }
  142. return $this->json([
  143. 'csrfToken' => $csrfProtection->getCsrfToken(),
  144. ]);
  145. }
  147. /**
  148. * @Route("/logout", name="pimcore_admin_logout")
  149. */
  150. public function logoutAction()
  151. {
  152. // this route will never be matched, but will be handled by the logout handler
  153. }
  155. /**
  156. * Dummy route used to check authentication
  157. *
  158. * @Route("/login/login", name="pimcore_admin_login_check")
  159. *
  160. * @see AdminAuthenticator for the security implementation
  161. */
  162. public function loginCheckAction()
  163. {
  164. // just in case the authenticator didn't redirect
  165. return new RedirectResponse($this->generateUrl('pimcore_admin_login'));
  166. }
  168. /**
  169. * @Route("/login/lostpassword", name="pimcore_admin_login_lostpassword")
  170. */
  171. public function lostpasswordAction(Request $request, BruteforceProtectionHandler $bruteforceProtectionHandler, CsrfProtectionHandler $csrfProtection, Config $config, EventDispatcherInterface $eventDispatcher)
  172. {
  173. $params = $this->buildLoginPageViewParams($config);
  174. $error = null;
  176. if ($request->getMethod() === 'POST' && $username = $request->get('username')) {
  177. $user = User::getByName($username);
  179. if ($user instanceof User) {
  180. if (!$user->isActive()) {
  181. $error = 'user_inactive';
  182. }
  184. if (!$user->getEmail()) {
  185. $error = 'user_no_email_address';
  186. }
  188. if (!$user->getPassword()) {
  189. $error = 'user_no_password';
  190. }
  191. } else {
  192. $error = 'user_unknown';
  193. }
  195. if (!$error && $user instanceof User) {
  196. $token = Authentication::generateToken($user->getName());
  198. $loginUrl = $this->generateUrl('pimcore_admin_login_check', [
  199. 'token' => $token,
  200. 'reset' => 'true',
  201. ], UrlGeneratorInterface::ABSOLUTE_URL);
  203. try {
  204. $event = new LostPasswordEvent($user, $loginUrl);
  205. $eventDispatcher->dispatch($event, AdminEvents::LOGIN_LOSTPASSWORD);
  207. // only send mail if it wasn't prevented in event
  208. if ($event->getSendMail()) {
  209. $mail = Tool::getMail([$user->getEmail()], 'Pimcore lost password service');
  210. $mail->setIgnoreDebugMode(true);
  211. $mail->text("Login to pimcore and change your password using the following link. This temporary login link will expire in 24 hours: \r\n\r\n" . $loginUrl);
  212. $mail->send();
  213. }
  215. // directly return event response
  216. if ($event->hasResponse()) {
  217. return $event->getResponse();
  218. }
  219. } catch (\Exception $e) {
  220. Logger::error('Error sending password recovery email: ' . $e->getMessage());
  221. $error = 'lost_password_email_error';
  222. }
  223. }
  225. if ($error) {
  226. Logger::error('Lost password service: ' . $error);
  227. $bruteforceProtectionHandler->addEntry($request->get('username'), $request);
  228. }
  229. }
  231. $csrfProtection->regenerateCsrfToken();
  233. return $this->render('@PimcoreAdmin/Admin/Login/lostpassword.html.twig', $params);
  234. }
  236. /**
  237. * @Route("/login/deeplink", name="pimcore_admin_login_deeplink")
  238. */
  239. public function deeplinkAction(Request $request, EventDispatcherInterface $eventDispatcher)
  240. {
  241. // check for deeplink
  242. $queryString = $_SERVER['QUERY_STRING'];
  244. if (preg_match('/(document|asset|object)_([0-9]+)_([a-z]+)/', $queryString, $deeplink)) {
  245. $deeplink = $deeplink[0];
  246. $perspective = strip_tags($request->get('perspective'));
  248. if (strpos($queryString, 'token')) {
  249. $event = new LoginRedirectEvent('pimcore_admin_login', [
  250. 'deeplink' => $deeplink,
  251. 'perspective' => $perspective,
  252. ]);
  253. $eventDispatcher->dispatch($event, AdminEvents::LOGIN_REDIRECT);
  255. $url = $this->generateUrl($event->getRouteName(), $event->getRouteParams());
  256. $url .= '&' . $queryString;
  258. return $this->redirect($url);
  259. } elseif ($queryString) {
  260. $event = new LoginRedirectEvent('pimcore_admin_login', [
  261. 'deeplink' => 'true',
  262. 'perspective' => $perspective,
  263. ]);
  264. $eventDispatcher->dispatch($event, AdminEvents::LOGIN_REDIRECT);
  266. return $this->render('@PimcoreAdmin/Admin/Login/deeplink.html.twig', [
  267. 'tab' => $deeplink,
  268. 'redirect' => $this->generateUrl($event->getRouteName(), $event->getRouteParams()),
  269. ]);
  270. }
  271. }
  272. }
  274. protected function buildLoginPageViewParams(Config $config): array
  275. {
  276. $bundleManager = $this->get(PimcoreBundleManager::class);
  278. return [
  279. 'config' => $config,
  280. 'pluginCssPaths' => $bundleManager->getCssPaths(),
  281. ];
  282. }
  284. /**
  285. * @Route("/login/2fa", name="pimcore_admin_2fa")
  286. */
  287. public function twoFactorAuthenticationAction(Request $request, BruteforceProtectionHandler $bruteforceProtectionHandler, Config $config)
  288. {
  289. $params = $this->buildLoginPageViewParams($config);
  291. if ($request->hasSession()) {
  293. // we have to call the check here manually, because BruteforceProtectionListener uses the 'username' from the request
  294. $bruteforceProtectionHandler->checkProtection($this->getAdminUser()->getName(), $request);
  296. $session = $request->getSession();
  297. $authException = $session->get(Security::AUTHENTICATION_ERROR);
  298. if ($authException instanceof AuthenticationException) {
  299. $session->remove(Security::AUTHENTICATION_ERROR);
  301. $params['error'] = $authException->getMessage();
  303. $bruteforceProtectionHandler->addEntry($this->getAdminUser()->getName(), $request);
  304. }
  305. } else {
  306. $params['error'] = 'No session available, it either timed out or cookies are not enabled.';
  307. }
  309. return $this->render('@PimcoreAdmin/Admin/Login/twoFactorAuthentication.html.twig', $params);
  310. }
  312. /**
  313. * @Route("/login/2fa-verify", name="pimcore_admin_2fa-verify")
  314. *
  315. * @param Request $request
  316. */
  317. public function twoFactorAuthenticationVerifyAction(Request $request)
  318. {
  319. }
  321. /**
  322. * @return bool
  323. */
  324. public function detectBrowser()
  325. {
  326. $supported = false;
  327. $browser = new \Browser();
  328. $browserVersion = (int)$browser->getVersion();
  330. if ($browser->getBrowser() == \Browser::BROWSER_FIREFOX && $browserVersion >= 72) {
  331. $supported = true;
  332. }
  333. if ($browser->getBrowser() == \Browser::BROWSER_CHROME && $browserVersion >= 84) {
  334. $supported = true;
  335. }
  336. if ($browser->getBrowser() == \Browser::BROWSER_SAFARI && $browserVersion >= 13.1) {
  337. $supported = true;
  338. }
  339. if ($browser->getBrowser() == \Browser::BROWSER_EDGE && $browserVersion >= 90) {
  340. $supported = true;
  341. }
  343. return $supported;
  344. }
  345. }