57d492da8a
* start updating to PHP 8.3
* taking off!
Co-authored-by: ErickSkrauch <erickskrauch@yandex.ru>
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* dropped this
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* migrate to symfonymailer
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* this is so stupid 😭
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* ah, free, at last.
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* oh, Gabriel.
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* now dawns thy reckoning.
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* and thy gore shall GLISTEN before the temples of man.
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* creature of steel.
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* my gratitude upon thee for my freedom.
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* but the crimes thy kind has committed against humanity
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* Upgrade PHP-CS-Fixer and do fix the codebase
* First review round (maybe I have broken something)
* are NOT forgotten.
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
* Enable parallel PHP-CS-Fixer runner
* PHPStan level 1
* PHPStan level 2
* PHPStan level 3
* PHPStan level 4
* PHPStan level 5
* Levels 6 and 7 takes too much effort. Generate a baseline and fix them eventually
* Resolve TODO's related to the php-mock
* Drastically reduce baseline size with the Rector
* More code modernization with help of the Rector
* Update GitLab CI
---------
Signed-off-by: Octol1ttle <l1ttleofficial@outlook.com>
Co-authored-by: ErickSkrauch <erickskrauch@yandex.ru>
<?php
declare(strict_types=1);
namespace api\modules\authserver\models;
use api\models\authentication\LoginForm;
use api\models\base\ApiForm;
use api\modules\authserver\exceptions\ForbiddenOperationException;
use api\modules\authserver\Module as Authserver;
use api\modules\authserver\validators\ClientTokenValidator;
use api\modules\authserver\validators\RequiredValidator;
use api\rbac\Permissions as P;
use common\helpers\Error as E;
use common\models\Account;
use common\models\OauthClient;
use common\models\OauthSession;
use Ramsey\Uuid\Uuid;
use Webmozart\Assert\Assert;
use Yii;
use yii\db\Exception;
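class AuthenticationForm extends ApiForm {

    /**
     * Login sent by the launcher. A value containing "@" is reported as an email in error
     * messages, anything else as a nickname (see the `$attribute` selection in authenticate()).
     *
     * @var string
     */
    public $username;

    /**
     * Raw password. It may carry a TOTP code as a ":123456" suffix (8+ chars, a colon, exactly six
     * ASCII digits), which authenticate() splits off before delegating to LoginForm.
     *
     * @var string
     */
    public $password;

    /**
     * Optional client token chosen by the launcher. When empty (null or ''), a fresh UUIDv4 is issued.
     *
     * @var string
     */
    public $clientToken;

    /**
     * Whether the caller wants the user profile included in the response. Validated by the
     * 'boolean' rule and normalized with a (bool) cast in authenticate().
     *
     * @var string|bool
     */
    public $requestUser;

    public function rules(): array {
        return [
            [['username', 'password'], RequiredValidator::class],
            [['clientToken'], ClientTokenValidator::class],
            [['requestUser'], 'boolean'],
        ];
    }

    /**
     * Authenticates a Minecraft launcher session ("authserver" protocol).
     *
     * Flow:
     *  1. validate this form (throws on failure),
     *  2. split an optional ":123456" TOTP suffix off the password,
     *  3. run LoginForm; if the password is rejected and a suffix was split, retry exactly once
     *     with the untouched password (a real password may itself end in ":123456"),
     *  4. map failures to ForbiddenOperationException,
     *  5. issue a Minecraft access token and touch the launcher's OAuth session.
     *
     * @return AuthenticateData access token, client token and (optionally) the account profile
     * @throws ForbiddenOperationException on any credential failure; the banned and 2FA-required
     *         cases carry distinct messages, all other cases share one generic message
     * @throws Exception propagated from the database layer (e.g. while saving the OAuth session)
     */
    public function authenticate(): AuthenticateData {
        // This validating method will throw an exception in case when validation will not pass successfully
        $this->validate();

        // NOTE(review): $this->username is written to the log verbatim; a log sink that does not
        // escape control characters is exposed to log injection via crafted logins.
        Authserver::info("Trying to authenticate user by login = '{$this->username}'.");

        // The previous authorization server implementation used the nickname field instead of username,
        // so we keep such behavior
        $attribute = !str_contains($this->username, '@') ? 'nickname' : 'email';

        $password = $this->password;
        $totp = null;
        // \z (not $) so a password with a trailing newline is never mis-split: $ also matches before
        // a final "\n", which would have left that newline inside the 7 characters stripped below.
        // No "u" modifier on purpose: \d must stay ASCII-only here.
        if (preg_match('/.{8,}:(\d{6})\z/', $password, $matches) === 1) {
            $totp = $matches[1];
            $password = mb_substr($password, 0, -7); // :123456 - 7 chars
        }

        $loginForm = $this->newLoginForm($password, $totp);
        $isValid = $loginForm->validate();
        // Handle case when user's password matches the template for totp via password:
        // retry once with the original, unsplit password and no TOTP.
        if (!$isValid && $totp !== null && $loginForm->getFirstError('password') === E::PASSWORD_INCORRECT) {
            $totp = null;
            $loginForm = $this->newLoginForm($this->password, null);
            $isValid = $loginForm->validate();
        }

        if (!$isValid || $loginForm->getAccount()->status === Account::STATUS_DELETED) {
            $errors = $loginForm->getFirstErrors();
            if (isset($errors['login'])) {
                if ($errors['login'] === E::ACCOUNT_BANNED) {
                    Authserver::error("User with login = '{$this->username}' is banned");
                    // Distinct message: it tells the caller that this account exists.
                    throw new ForbiddenOperationException('This account has been suspended.');
                }

                Authserver::error("Cannot find user by login = '{$this->username}'");
            } elseif (isset($errors['password'])) {
                Authserver::error("User with login = '{$this->username}' passed wrong password.");
            } elseif (isset($errors['totp'])) {
                if ($errors['totp'] === E::TOTP_REQUIRED) {
                    Authserver::error("User with login = '{$this->username}' protected by two factor auth.");
                    // Distinct message: it tells the caller that this account exists and has 2FA enabled.
                    throw new ForbiddenOperationException('Account protected with two factor auth.');
                }

                Authserver::error("User with login = '{$this->username}' passed wrong totp token");
            } elseif ($isValid) {
                // Credentials were correct but the account is deleted; this case used to leave no log line.
                Authserver::error("User with login = '{$this->username}' is deleted");
            }

            // One message for "no such user", "wrong password", "wrong TOTP" and "deleted", so the
            // caller cannot distinguish these cases.
            throw new ForbiddenOperationException("Invalid credentials. Invalid {$attribute} or password.");
        }

        /** @var Account $account */
        $account = $loginForm->getAccount();
        // ?: (truthiness) is intentional: both null and '' mean "no token supplied"
        $clientToken = $this->clientToken ?: Uuid::uuid4()->toString();
        $token = Yii::$app->tokensFactory->createForMinecraftAccount($account, $clientToken);
        $dataModel = new AuthenticateData($account, $token->toString(), $clientToken, (bool)$this->requestUser);

        // Find or create the implicit OAuth session of the unregistered Minecraft launcher client
        /** @var OauthSession|null $minecraftOauthSession */
        $minecraftOauthSession = $account->getOauthSessions()
            ->andWhere(['client_id' => OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER])
            ->one();
        if ($minecraftOauthSession === null) {
            $minecraftOauthSession = new OauthSession();
            $minecraftOauthSession->account_id = $account->id;
            $minecraftOauthSession->client_id = OauthClient::UNAUTHORIZED_MINECRAFT_GAME_LAUNCHER;
            $minecraftOauthSession->scopes = [P::MINECRAFT_SERVER_SESSION];
        }

        $minecraftOauthSession->last_used_at = time();
        Assert::true($minecraftOauthSession->save());

        // NOTE(review): this line writes the account's email (PII) to the log; check that the
        // authserver log retention / access policy permits it.
        Authserver::info("User with id = {$account->id}, username = '{$account->username}' and email = '{$account->email}' successfully logged in.");

        return $dataModel;
    }

    /**
     * Builds (but does not validate) a LoginForm for the current username and the given credentials.
     *
     * @param string $password password with any TOTP suffix already removed
     * @param string|null $totp six-digit TOTP code, or null when none was supplied
     */
    private function newLoginForm(string $password, ?string $totp): LoginForm {
        $loginForm = new LoginForm();
        $loginForm->login = $this->username;
        $loginForm->password = $password;
        $loginForm->totp = $totp;

        return $loginForm;
    }

}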