145 lines
6.2 KiB
PHP
145 lines
6.2 KiB
PHP
<?php
|
|
|
|
namespace App\Controller;
|
|
|
|
use App\Repository\UserRepository;
|
|
use App\Repository\UsersOrganizationsRepository;
|
|
use App\Service\AccessTokenService;
|
|
use App\Service\UserService;
|
|
use Doctrine\ORM\EntityManagerInterface;
|
|
use Psr\Log\LoggerInterface;
|
|
use Psr\Log\LogLevel;
|
|
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
|
|
use Symfony\Bundle\SecurityBundle\Security;
|
|
use Symfony\Component\HttpFoundation\RequestStack;
|
|
use Symfony\Component\HttpFoundation\Response;
|
|
use Symfony\Component\Routing\Attribute\Route;
|
|
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;
|
|
use Symfony\Component\HttpFoundation\Request;
|
|
use App\Service\CguUserService;
|
|
|
|
class SecurityController extends AbstractController
|
|
{
|
|
const NOT_FOUND = "NOT FOUND";
|
|
private CguUserService $cguUserService;
|
|
|
|
public function __construct(CguUserService $cguUserService,
|
|
private readonly UserRepository $userRepository,
|
|
private readonly UserService $userService,
|
|
private readonly UsersOrganizationsRepository $uoRepository,
|
|
private readonly LoggerInterface $logger, private readonly EntityManagerInterface $entityManager)
|
|
{
|
|
$this->cguUserService = $cguUserService;
|
|
}
|
|
|
|
#[Route(path: '/login', name: 'app_login')]
|
|
public function login(AuthenticationUtils $authenticationUtils): Response
|
|
{
|
|
// get the login error if there is one
|
|
$error = $authenticationUtils->getLastAuthenticationError();
|
|
|
|
// last username entered by the user
|
|
$lastUsername = $authenticationUtils->getLastUsername();
|
|
|
|
|
|
|
|
return $this->render('security/login.html.twig', [
|
|
'last_username' => $lastUsername,
|
|
'error' => $error,
|
|
]);
|
|
}
|
|
|
|
#[Route(path: '/sso_logout', name: 'sso_logout')]
|
|
public function ssoLogout(RequestStack $stack, LoggerInterface $logger, AccessTokenService $accessTokenService, Security $security): Response
|
|
{
|
|
// Invalidate the session and revoke tokens
|
|
try{
|
|
if( $stack->getSession()->invalidate()){
|
|
$accessTokenService->revokeTokens($security->getUser()->getUserIdentifier());
|
|
$security->logout(false);
|
|
$logger->info("Logout successfully");
|
|
// Redirect back to the client (or to a “you are logged out” page)
|
|
return $this->redirect('/');
|
|
}
|
|
}catch (\Exception $e){
|
|
$logger->log(LogLevel::ERROR, 'Error invalidating session: ' . $e->getMessage());
|
|
}
|
|
// If something goes wrong, redirect to the index page
|
|
return $this->redirectToRoute('app_index');
|
|
}
|
|
|
|
#[Route(path: '/consent', name: 'app_consent')]
|
|
public function consent(Request $request): Response
|
|
{
|
|
// Handle form submission
|
|
if ($request->isMethod('POST')) {
|
|
// Check if user declined consent
|
|
if (!$request->request->has('decline')) {
|
|
// User accepted the CGU, save this in the database
|
|
$this->cguUserService->acceptLatestCgu($this->getUser());
|
|
}
|
|
|
|
// Redirect back to the OAuth authorization endpoint with all the query parameters
|
|
return $this->redirectToRoute('oauth2_authorize', $request->query->all());
|
|
}
|
|
|
|
// For GET requests, just show the consent form
|
|
return $this->render('security/consent.html.twig');
|
|
}
|
|
|
|
#[Route('/password_setup/{id}', name: 'password_setup', methods: ['GET'])]
|
|
public function password_setup(int $id, Request $request): Response
|
|
{
|
|
$error = $request->get('error');
|
|
$user = $this->userRepository->find($id);
|
|
if (!$user) {
|
|
throw $this->createNotFoundException(self::NOT_FOUND);
|
|
}
|
|
$token = $request->get('token');
|
|
if (empty($token) || !$this->userService->isPasswordTokenValid($user, $token)) {
|
|
$error = 'Le lien de définition du mot de passe est invalide ou a expiré. Veuillez en demander un nouveau.';
|
|
$this->logger->warning($user->getUserIdentifier(). " tried to use an invalid or expired password setup token.");
|
|
}
|
|
return $this->render('security/password_setup.html.twig', [
|
|
'id' => $id,
|
|
'token' => $token,
|
|
'error' => $error,
|
|
]);
|
|
}
|
|
|
|
#[Route('/password_reset/{id}', name: 'password_reset', methods: ['POST'])]
|
|
public function password_reset(int $id): Response
|
|
{
|
|
$user = $this->userRepository->find($id);
|
|
if (!$user) {
|
|
throw $this->createNotFoundException(self::NOT_FOUND);
|
|
}
|
|
$newPassword = $_POST['_password'] ?? null;
|
|
$confirmPassword = $_POST['_passwordConfirm'] ?? null;
|
|
if ($newPassword !== $confirmPassword) {
|
|
$error = 'Les mots de passe ne correspondent pas. Veuillez réessayer.';
|
|
$this->logger->warning($user->getUserIdentifier(). " provided non-matching passwords during password reset.");
|
|
return $this->redirectToRoute('password_setup', [
|
|
'id' => $id,
|
|
'token' => $_POST['token'] ?? '',
|
|
'error'=> $error]);
|
|
}
|
|
if (!$this->userService->isPasswordStrong($newPassword)) {
|
|
$error = 'Le mot de passe ne respecte pas les critères de sécurité. Veuillez en choisir un autre.';
|
|
$this->logger->warning($user->getUserIdentifier(). " provided a weak password during password reset.");
|
|
return $this->redirectToRoute('password_setup', ['id' => $id, 'token' => $_POST['token'] ?? '', 'error'=> $error]);
|
|
}
|
|
$this->userService->updateUserPassword($user, $newPassword);
|
|
$orgId = $this->userService->getOrgFromToken( $_POST['token']);
|
|
$uo = $this->uoRepository->findOneBy(['users' => $user, 'organization' => $orgId]);
|
|
if($uo){
|
|
$uo->setStatut("ACCEPTED");
|
|
$uo->setIsActive(true);
|
|
$this->entityManager->persist($uo);
|
|
$this->entityManager->flush();
|
|
}
|
|
return $this->redirectToRoute('app_index');
|
|
}
|
|
|
|
}
|