‪TYPO3CMS  10.4
FrontendUserAuthenticator.php
Go to the documentation of this file.
1 <?php
2 
3 declare(strict_types=1);
4 
5 /*
6  * This file is part of the TYPO3 CMS project.
7  *
8  * It is free software; you can redistribute it and/or modify it under
9  * the terms of the GNU General Public License, either version 2
10  * of the License, or any later version.
11  *
12  * For the full copyright and license information, please read the
13  * LICENSE.txt file that was distributed with this source code.
14  *
15  * The TYPO3 project - inspiring people to share!
16  */
17 
18 namespace ‪TYPO3\CMS\Frontend\Middleware;
19 
20 use Psr\Http\Message\ResponseInterface;
21 use Psr\Http\Message\ServerRequestInterface;
22 use Psr\Http\Server\MiddlewareInterface;
23 use Psr\Http\Server\RequestHandlerInterface;
24 use ‪TYPO3\CMS\Core\Authentication\AbstractUserAuthentication;
25 use ‪TYPO3\CMS\Core\Configuration\Features;
26 use ‪TYPO3\CMS\Core\Context\Context;
27 use ‪TYPO3\CMS\Core\Context\UserAspect;
28 use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
29 use ‪TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;
30 
34 class ‪FrontendUserAuthenticator implements MiddlewareInterface
35 {
39  protected ‪$context;
40 
41  public function ‪__construct(‪Context ‪$context)
42  {
43  $this->context = ‪$context;
44  }
45 
54  public function ‪process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
55  {
56  $frontendUser = GeneralUtility::makeInstance(FrontendUserAuthentication::class);
57 
58  $pidValue = (string)($request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? '');
59  $pidParts = ‪GeneralUtility::trimExplode('@', $pidValue, true, 2);
60  $pid = $pidParts[0] ?? '';
61  $givenHash = $pidParts[1] ?? '';
62  $expectedHash = GeneralUtility::hmac($pid, FrontendUserAuthentication::class);
63 
64  // List of page IDs where to look for frontend user records
65  if ($pid && (!$this->‪shallEnforceLoginSigning() || hash_equals($expectedHash, $givenHash))) {
66  $frontendUser->checkPid_value = implode(',', ‪GeneralUtility::intExplode(',', $pid));
67  }
68 
69  // Check if a session is transferred, and update the cookie parameters
70  $frontendSessionKey = $request->getParsedBody()['FE_SESSION_KEY'] ?? $request->getQueryParams()['FE_SESSION_KEY'] ?? '';
71  if ($frontendSessionKey) {
72  $request = $this->‪transferFrontendUserSession($frontendUser, $request, $frontendSessionKey);
73  }
74 
75  // Authenticate now
76  $frontendUser->start();
77  $frontendUser->unpack_uc();
78 
79  // Register the frontend user as aspect and within the session
80  $this->‪setFrontendUserAspect($frontendUser);
81  $request = $request->withAttribute('frontend.user', $frontendUser);
82 
83  $response = $handler->handle($request);
84 
85  // Store session data for fe_users if it still exists
86  if ($frontendUser instanceof FrontendUserAuthentication) {
87  $frontendUser->storeSessionData();
88  }
89 
90  return $response;
91  }
92 
103  protected function ‪transferFrontendUserSession(
104  FrontendUserAuthentication $frontendUser,
105  ServerRequestInterface $request,
106  string $frontendSessionKey
107  ): ServerRequestInterface {
108  [$sessionId, $hash] = explode('-', $frontendSessionKey);
109  // If the session key hash check is OK, set the cookie
110  if (hash_equals(md5($sessionId . '/' . ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey']), (string)$hash)) {
111  $cookieName = ‪FrontendUserAuthentication::getCookieName();
112 
113  // keep the global cookie overwriting for now, as long as FrontendUserAuthentication does not
114  // use the request object for fetching the cookie information.
115  $_COOKIE[$cookieName] = $sessionId;
116  if (isset($_SERVER['HTTP_COOKIE'])) {
117  // See https://forge.typo3.org/issues/27740
118  $_SERVER['HTTP_COOKIE'] .= ';' . $cookieName . '=' . $sessionId;
119  }
120  // Add the cookie to the Server Request object
121  $cookieParams = $request->getCookieParams();
122  $cookieParams[$cookieName] = $sessionId;
123  $request = $request->withCookieParams($cookieParams);
124  $frontendUser->forceSetCookie = true;
125  $frontendUser->dontSetCookie = false;
126  }
127  return $request;
128  }
129 
135  protected function ‪setFrontendUserAspect(AbstractUserAuthentication $user)
136  {
137  $this->context->setAspect('frontend.user', GeneralUtility::makeInstance(UserAspect::class, $user));
138  }
139 
140  protected function ‪shallEnforceLoginSigning(): bool
141  {
142  return GeneralUtility::makeInstance(Features::class)
143  ->isFeatureEnabled('security.frontend.enforceLoginSigning');
144  }
145 }
‪TYPO3\CMS\Frontend\Middleware\FrontendUserAuthenticator\$context
‪Context $context
Definition: FrontendUserAuthenticator.php:38
‪TYPO3\CMS\Frontend\Middleware\FrontendUserAuthenticator\transferFrontendUserSession
‪ServerRequestInterface transferFrontendUserSession(FrontendUserAuthentication $frontendUser, ServerRequestInterface $request, string $frontendSessionKey)
Definition: FrontendUserAuthenticator.php:102
‪TYPO3\CMS\Core\Context\Context
Definition: Context.php:53
‪TYPO3\CMS\Frontend\Middleware\FrontendUserAuthenticator\shallEnforceLoginSigning
‪shallEnforceLoginSigning()
Definition: FrontendUserAuthenticator.php:139
‪TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication\getCookieName
‪static string getCookieName()
Definition: FrontendUserAuthentication.php:186
‪TYPO3\CMS\Frontend\Middleware
Definition: BackendUserAuthenticator.php:18
‪TYPO3\CMS\Core\Configuration\Features
Definition: Features.php:56
‪TYPO3\CMS\Frontend\Middleware\FrontendUserAuthenticator\__construct
‪__construct(Context $context)
Definition: FrontendUserAuthenticator.php:40
‪TYPO3\CMS\Core\Utility\GeneralUtility\trimExplode
‪static string[] trimExplode($delim, $string, $removeEmptyValues=false, $limit=0)
Definition: GeneralUtility.php:1059
‪TYPO3\CMS\Frontend\Middleware\FrontendUserAuthenticator\process
‪ResponseInterface process(ServerRequestInterface $request, RequestHandlerInterface $handler)
Definition: FrontendUserAuthenticator.php:53
‪$GLOBALS
‪$GLOBALS['TYPO3_CONF_VARS']['EXTCONF']['adminpanel']['modules']
Definition: ext_localconf.php:5
‪TYPO3\CMS\Core\Utility\GeneralUtility\intExplode
‪static int[] intExplode($delimiter, $string, $removeEmptyValues=false, $limit=0)
Definition: GeneralUtility.php:988
‪TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication
Definition: FrontendUserAuthentication.php:30
‪TYPO3\CMS\Frontend\Middleware\FrontendUserAuthenticator
Definition: FrontendUserAuthenticator.php:35
‪TYPO3\CMS\Core\Utility\GeneralUtility
Definition: GeneralUtility.php:46
‪TYPO3\CMS\Core\Context\UserAspect
Definition: UserAspect.php:38
‪TYPO3\CMS\Core\Authentication\AbstractUserAuthentication
Definition: AbstractUserAuthentication.php:51
‪TYPO3\CMS\Frontend\Middleware\FrontendUserAuthenticator\setFrontendUserAspect
‪setFrontendUserAspect(AbstractUserAuthentication $user)
Definition: FrontendUserAuthenticator.php:134