AuthenticationService.php

Go to the documentation of this file.

<?php
declare(strict_types = 1);
namespace ‪TYPO3\CMS\Install\Authentication;
 
/*
 * This file is part of the TYPO3 CMS project.
 *
 * It is free software; you can redistribute it and/or modify it under
 * the terms of the GNU General Public License, either version 2
 * of the License, or any later version.
 *
 * For the full copyright and license information, please read the
 * LICENSE.txt file that was distributed with this source code.
 *
 * The TYPO3 project - inspiring people to share!
 */
 
use TYPO3\CMS\Core\Configuration\ConfigurationManager;
use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\InvalidPasswordHashException;
use ‪TYPO3\CMS\Core\Crypto\PasswordHashing\PasswordHashFactory;
use ‪TYPO3\CMS\Core\Mail\MailMessage;
use ‪TYPO3\CMS\Core\Utility\GeneralUtility;
use ‪TYPO3\CMS\Install\Service\SessionService;
 
class ‪AuthenticationService
{
    protected ‪$sessionService;
 
    public function ‪__construct(‪SessionService ‪$sessionService)
    {
        $this->sessionService = ‪$sessionService;
    }
 
    public function ‪loginWithPassword($password = null): bool
    {
        $validPassword = false;
        if ($password !== null && $password !== '') {
            $installToolPassword = ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['installToolPassword'];
            $hashFactory = GeneralUtility::makeInstance(PasswordHashFactory::class);
            try {
                $hashInstance = $hashFactory->get($installToolPassword, 'BE');
                $validPassword = $hashInstance->checkPassword($password, $installToolPassword);
            } catch (‪InvalidPasswordHashException $invalidPasswordHashException) {
                // Given hash in global configuration is not a valid salted password
                if (md5($password) === $installToolPassword) {
                    // Update configured install tool hash if it is still "MD5" and password matches
                    // @todo: This should be removed in TYPO3 v10.0 with a dedicated breaking patch
                    // @todo: Additionally, this code should check required hash updates and update the hash if needed
                    $hashInstance = $hashFactory->getDefaultHashInstance('BE');
                    $configurationManager = GeneralUtility::makeInstance(ConfigurationManager::class);
                    $configurationManager->setLocalConfigurationValueByPath(
                        'BE/installToolPassword',
                        $hashInstance->getHashedPassword($password)
                    );
                    $validPassword = true;
                } else {
                    // Still no valid hash instance could be found. Probably the stored hash used a mechanism
                    // that is not available on current system. We throw the previous exception again to be
                    // handled on a higher level. The install tool will render an according exception message
                    // that links to the documentation.
                    throw $invalidPasswordHashException;
                }
            }
        }
        if ($validPassword) {
            $this->sessionService->setAuthorized();
            $this->‪sendLoginSuccessfulMail();
            return true;
        }
        $this->‪sendLoginFailedMail();
        return false;
    }
 
    protected function ‪sendLoginSuccessfulMail()
    {
        $warningEmailAddress = ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'];
        if ($warningEmailAddress) {
            $mailMessage = GeneralUtility::makeInstance(MailMessage::class);
            $mailMessage
                ->addTo($warningEmailAddress)
                ->setSubject('Install Tool Login at \'' . ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '\'')
                ->addFrom($this->‪getSenderEmailAddress(), $this->‪getSenderEmailName())
                ->setBody('There has been an Install Tool login at TYPO3 site'
                    . ' \'' . ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '\''
                    . ' (' . GeneralUtility::getIndpEnv('HTTP_HOST') . ')'
                    . ' from remote address \'' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . '\'')
                ->send();
        }
    }
 
    protected function ‪sendLoginFailedMail()
    {
        $formValues = GeneralUtility::_GP('install');
        $warningEmailAddress = ‪$GLOBALS['TYPO3_CONF_VARS']['BE']['warning_email_addr'];
        if ($warningEmailAddress) {
            $mailMessage = GeneralUtility::makeInstance(MailMessage::class);
            $mailMessage
                ->addTo($warningEmailAddress)
                ->setSubject('Install Tool Login ATTEMPT at \'' . ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '\'')
                ->addFrom($this->‪getSenderEmailAddress(), $this->‪getSenderEmailName())
                ->setBody('There has been an Install Tool login attempt at TYPO3 site'
                    . ' \'' . ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['sitename'] . '\''
                    . ' (' . GeneralUtility::getIndpEnv('HTTP_HOST') . ')'
                    . ' The last 5 characters of the MD5 hash of the password tried was \'' . substr(md5($formValues['password']), -5) . '\''
                    . ' remote address was \'' . GeneralUtility::getIndpEnv('REMOTE_ADDR') . '\'')
                ->send();
        }
    }
 
    protected function ‪getSenderEmailAddress()
    {
        return !empty(‪$GLOBALS['TYPO3_CONF_VARS']['MAIL']['defaultMailFromAddress'])
            ? ‪$GLOBALS['TYPO3_CONF_VARS']['MAIL']['defaultMailFromAddress']
            : 'no-reply@example.com';
    }
 
    protected function ‪getSenderEmailName()
    {
        return !empty(‪$GLOBALS['TYPO3_CONF_VARS']['MAIL']['defaultMailFromName'])
            ? ‪$GLOBALS['TYPO3_CONF_VARS']['MAIL']['defaultMailFromName']
            : 'TYPO3 CMS install tool';
    }
}