szurubooru/src/Services/AuthService.php

<?php
namespace Szurubooru\Services;
use Szurubooru\Config;
use Szurubooru\Entities\Token;
use Szurubooru\Entities\User;
use Szurubooru\Services\PasswordService;
use Szurubooru\Services\TimeService;
use Szurubooru\Services\TokenService;
use Szurubooru\Services\UserService;

class AuthService
{
	private $loggedInUser = null;
	private $loginToken = null;

	private $config;
	private $passwordService;
	private $timeService;
	private $userService;
	private $tokenService;

	public function __construct(
		Config $config,
		PasswordService $passwordService,
		TimeService $timeService,
		TokenService $tokenService,
		UserService $userService)
	{
		$this->config = $config;
		$this->passwordService = $passwordService;
		$this->timeService = $timeService;
		$this->tokenService = $tokenService;
		$this->userService = $userService;

		$this->loggedInUser = $this->getAnonymousUser();
	}

	public function isLoggedIn()
	{
		return $this->loginToken !== null;
	}

	public function getLoggedInUser()
	{
		return $this->loggedInUser;
	}

	public function getLoginToken()
	{
		return $this->loginToken;
	}

	public function loginFromCredentials($formData)
	{
		$user = $this->userService->getByNameOrEmail($formData->userNameOrEmail);
		$this->doFinalChecksOnUser($user);

		$hashValid = $this->passwordService->isHashValid(
			$formData->password,
			$user->getPasswordSalt(),
			$user->getPasswordHash());

		if (!$hashValid)
			throw new \InvalidArgumentException('Specified password is invalid.');

		$this->loginToken = $this->createAndSaveLoginToken($user);
		$this->loggedInUser = $user;
	}

	public function loginFromToken(Token $token)
	{
		if ($token->getPurpose() !== Token::PURPOSE_LOGIN)
			throw new \Exception('This token is not a login token.');

		$user = $this->userService->getById($token->getAdditionalData());
		$this->doFinalChecksOnUser($user);

		$this->loginToken = $token;
		$this->loggedInUser = $user;
	}

	public function getAnonymousUser()
	{
		$user = new User();
		$user->setName('Anonymous user');
		$user->setAccessRank(User::ACCESS_RANK_ANONYMOUS);
		$user->setAvatarStyle(User::AVATAR_STYLE_BLANK);
		return $user;
	}

	public function loginAnonymous()
	{
		$this->loginToken = null;
		$this->loggedInUser = $this->getAnonymousUser();
	}

	public function logout()
	{
		if (!$this->isLoggedIn())
			throw new \Exception('Not logged in.');

		$this->tokenService->invalidateByName($this->loginToken);
		$this->loginToken = null;
	}

	private function createAndSaveLoginToken(User $user)
	{
		return $this->tokenService->createAndSaveToken($user->getId(), Token::PURPOSE_LOGIN);
	}

	private function doFinalChecksOnUser($user)
	{
		if (!$user->isAccountConfirmed() and $this->config->security->needEmailActivationToRegister)
			throw new \DomainException('User didn\'t confirm account yet.');

		if ($user->isBanned())
			throw new \DomainException('Banned!');
	}
}
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`<?php`
			`namespace Szurubooru\Services;`
Added "use ..." statements This version ditches backwards compatibility with PHP earlier than 5.6. 2014-10-08 14:47:47 +02:00			`use Szurubooru\Config;`
			`use Szurubooru\Entities\Token;`
			`use Szurubooru\Entities\User;`
			`use Szurubooru\Services\PasswordService;`
			`use Szurubooru\Services\TimeService;`
			`use Szurubooru\Services\TokenService;`
			`use Szurubooru\Services\UserService;`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00
Added passive authorization 2014-09-04 19:21:18 +02:00			`class AuthService`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`{`
			`private $loggedInUser = null;`
			`private $loginToken = null;`

Added e-mail confirmation and password reset 2014-09-08 13:06:32 +02:00			`private $config;`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`private $passwordService;`
Worked on user registration 2014-08-31 17:42:48 +02:00			`private $timeService;`
Refactored AuthService and UserService 2014-09-08 08:20:31 +02:00			`private $userService;`
			`private $tokenService;`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00
			`public function __construct(`
Added "use ..." statements This version ditches backwards compatibility with PHP earlier than 5.6. 2014-10-08 14:47:47 +02:00			`Config $config,`
			`PasswordService $passwordService,`
			`TimeService $timeService,`
			`TokenService $tokenService,`
			`UserService $userService)`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`{`
Added e-mail confirmation and password reset 2014-09-08 13:06:32 +02:00			`$this->config = $config;`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`$this->passwordService = $passwordService;`
Worked on user registration 2014-08-31 17:42:48 +02:00			`$this->timeService = $timeService;`
Refactored AuthService and UserService 2014-09-08 08:20:31 +02:00			`$this->tokenService = $tokenService;`
			`$this->userService = $userService;`

			`$this->loggedInUser = $this->getAnonymousUser();`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`}`

			`public function isLoggedIn()`
			`{`
			`return $this->loginToken !== null;`
			`}`

			`public function getLoggedInUser()`
			`{`
			`return $this->loggedInUser;`
			`}`

			`public function getLoginToken()`
			`{`
Added fallback anonymous user to authorization 2014-08-31 13:16:29 +02:00			`return $this->loginToken;`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`}`

Added IValidatable; moved validation to FormData I still struggle to find out how to deal with arguments like $userNameOrEmail. Should I trim() them in controllers, or in service? If I do it in service, shouldn't all of such validation belong in there? 2014-09-09 19:38:16 +02:00			`public function loginFromCredentials($formData)`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`{`
Added IValidatable; moved validation to FormData I still struggle to find out how to deal with arguments like $userNameOrEmail. Should I trim() them in controllers, or in service? If I do it in service, shouldn't all of such validation belong in there? 2014-09-09 19:38:16 +02:00			`$user = $this->userService->getByNameOrEmail($formData->userNameOrEmail);`
			`$this->doFinalChecksOnUser($user);`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00
Added support for legacy passwords 2014-10-05 22:26:56 +02:00			`$hashValid = $this->passwordService->isHashValid(`
			`$formData->password,`
			`$user->getPasswordSalt(),`
			`$user->getPasswordHash());`

			`if (!$hashValid)`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`throw new \InvalidArgumentException('Specified password is invalid.');`

			`$this->loginToken = $this->createAndSaveLoginToken($user);`
Worked on user registration 2014-08-31 17:42:48 +02:00			`$this->loggedInUser = $user;`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`}`

Added "use ..." statements This version ditches backwards compatibility with PHP earlier than 5.6. 2014-10-08 14:47:47 +02:00			`public function loginFromToken(Token $token)`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`{`
Added "use ..." statements This version ditches backwards compatibility with PHP earlier than 5.6. 2014-10-08 14:47:47 +02:00			`if ($token->getPurpose() !== Token::PURPOSE_LOGIN)`
Added token purpose check to authentication 2014-09-07 18:07:24 +02:00			`throw new \Exception('This token is not a login token.');`

Introduced entity property getters/setters 2014-09-13 23:58:13 +02:00			`$user = $this->userService->getById($token->getAdditionalData());`
Added IValidatable; moved validation to FormData I still struggle to find out how to deal with arguments like $userNameOrEmail. Should I trim() them in controllers, or in service? If I do it in service, shouldn't all of such validation belong in there? 2014-09-09 19:38:16 +02:00			`$this->doFinalChecksOnUser($user);`
Refactored AuthService and UserService 2014-09-08 08:20:31 +02:00
Added IValidatable; moved validation to FormData I still struggle to find out how to deal with arguments like $userNameOrEmail. Should I trim() them in controllers, or in service? If I do it in service, shouldn't all of such validation belong in there? 2014-09-09 19:38:16 +02:00			`$this->loginToken = $token;`
Refactored AuthService and UserService 2014-09-08 08:20:31 +02:00			`$this->loggedInUser = $user;`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`}`

Worked on user registration 2014-08-31 17:42:48 +02:00			`public function getAnonymousUser()`
			`{`
Added "use ..." statements This version ditches backwards compatibility with PHP earlier than 5.6. 2014-10-08 14:47:47 +02:00			`$user = new User();`
Introduced entity property getters/setters 2014-09-13 23:58:13 +02:00			`$user->setName('Anonymous user');`
Added "use ..." statements This version ditches backwards compatibility with PHP earlier than 5.6. 2014-10-08 14:47:47 +02:00			`$user->setAccessRank(User::ACCESS_RANK_ANONYMOUS);`
			`$user->setAvatarStyle(User::AVATAR_STYLE_BLANK);`
Worked on user registration 2014-08-31 17:42:48 +02:00			`return $user;`
			`}`

Added fallback anonymous user to authorization 2014-08-31 13:16:29 +02:00			`public function loginAnonymous()`
			`{`
			`$this->loginToken = null;`
Worked on user registration 2014-08-31 17:42:48 +02:00			`$this->loggedInUser = $this->getAnonymousUser();`
Added fallback anonymous user to authorization 2014-08-31 13:16:29 +02:00			`}`

Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`public function logout()`
			`{`
			`if (!$this->isLoggedIn())`
			`throw new \Exception('Not logged in.');`

Added e-mail confirmation and password reset 2014-09-08 13:06:32 +02:00			`$this->tokenService->invalidateByName($this->loginToken);`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`$this->loginToken = null;`
			`}`

Added "use ..." statements This version ditches backwards compatibility with PHP earlier than 5.6. 2014-10-08 14:47:47 +02:00			`private function createAndSaveLoginToken(User $user)`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`{`
Added "use ..." statements This version ditches backwards compatibility with PHP earlier than 5.6. 2014-10-08 14:47:47 +02:00			`return $this->tokenService->createAndSaveToken($user->getId(), Token::PURPOSE_LOGIN);`
Added e-mail confirmation and password reset 2014-09-08 13:06:32 +02:00			`}`

Added IValidatable; moved validation to FormData I still struggle to find out how to deal with arguments like $userNameOrEmail. Should I trim() them in controllers, or in service? If I do it in service, shouldn't all of such validation belong in there? 2014-09-09 19:38:16 +02:00			`private function doFinalChecksOnUser($user)`
Added e-mail confirmation and password reset 2014-09-08 13:06:32 +02:00			`{`
Fixed account activation for first user Until now, AuthService used to check for empty e-mail in order to tell whether an account is activated. This was wrong for following scenario: 1. User doesn't enter any e-mail. 2. Because he is about to become the first user to register, he will become an administrator. 3. Administrators don't need to confirm their e-mail address. Activation e-mail is not sent, code for e-mail activation is run instead. 4. The user succeeds to create an e-mail-less administrator account. 5. The user fails to login due to unconfirmed e-mail. 6. The code that activates an e-mail just moves unconfirmed e-mail to primary e-mail. That was the bug, there's no e-mail to confirm. Things got (hopefully) simpler now, since I added separate column for indicating whether account is activated. 2014-09-14 16:44:57 +02:00			`if (!$user->isAccountConfirmed() and $this->config->security->needEmailActivationToRegister)`
			`throw new \DomainException('User didn\'t confirm account yet.');`
Added user banning 2014-09-30 13:22:11 +02:00
			`if ($user->isBanned())`
			`throw new \DomainException('Banned!');`
Worked on user registration 2014-08-31 17:42:48 +02:00			`}`
Added proof of concept for authorization system 2014-08-30 18:11:32 +02:00			`}`