main/_abstract_user_authentication_8php_source.html

<?php


/*

 * This file is part of the TYPO3 CMS project.

 *

 * It is free software; you can redistribute it and/or modify it under

 * the terms of the GNU General Public License, either version 2

 * of the License, or any later version.

 *

 * For the full copyright and license information, please read the

 * LICENSE.txt file that was distributed with this source code.

 *

 * The TYPO3 project - inspiring people to share!

 */


namespace ‪TYPO3\CMS\Core\Authentication;


use Psr\EventDispatcher\EventDispatcherInterface;

use Psr\Http\Message\ResponseInterface;

use Psr\Http\Message\ServerRequestInterface;

use Psr\Log\LoggerAwareInterface;

use Psr\Log\LoggerAwareTrait;

use Symfony\Component\HttpFoundation\Cookie;

use ‪TYPO3\CMS\Core\Authentication\Event\AfterUserLoggedOutEvent;

use ‪TYPO3\CMS\Core\Authentication\Event\BeforeRequestTokenProcessedEvent;

use ‪TYPO3\CMS\Core\Authentication\Event\BeforeUserLogoutEvent;

use ‪TYPO3\CMS\Core\Authentication\Event\LoginAttemptFailedEvent;

use ‪TYPO3\CMS\Core\Authentication\Mfa\MfaProviderRegistry;

use ‪TYPO3\CMS\Core\Authentication\Mfa\MfaRequiredException;

use ‪TYPO3\CMS\Core\Context\Context;

use ‪TYPO3\CMS\Core\Context\SecurityAspect;

use ‪TYPO3\CMS\Core\Core\Environment;

use ‪TYPO3\CMS\Core\Database\Connection;

use ‪TYPO3\CMS\Core\Database\ConnectionPool;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\DefaultRestrictionContainer;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\DeletedRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\EndTimeRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\HiddenRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\PageIdListRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\QueryRestrictionContainerInterface;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\RootLevelRestriction;

use ‪TYPO3\CMS\Core\Database\Query\Restriction\StartTimeRestriction;

use ‪TYPO3\CMS\Core\Exception;

use ‪TYPO3\CMS\Core\Http\CookieHeaderTrait;

use ‪TYPO3\CMS\Core\Security\RequestToken;

use ‪TYPO3\CMS\Core\Session\UserSession;

use ‪TYPO3\CMS\Core\Session\UserSessionManager;

use ‪TYPO3\CMS\Core\SysLog\Action\Login as SystemLogLoginAction;

use ‪TYPO3\CMS\Core\SysLog\Error as SystemLogErrorClassification;

use ‪TYPO3\CMS\Core\SysLog\Type as SystemLogType;

use ‪TYPO3\CMS\Core\Utility\GeneralUtility;


abstract class ‪AbstractUserAuthentication implements LoggerAwareInterface

{

    use LoggerAwareTrait;

    use ‪CookieHeaderTrait;


    public ‪$name = '';


    public ‪$user_table = '';


    public ‪$usergroup_table = '';


    public ‪$username_column = '';


    public ‪$userident_column = '';


    public ‪$userid_column = '';


    public ‪$usergroup_column = '';


    public ‪$lastLogin_column = '';


    public ‪$enablecolumns = [

        'rootLevel' => '',

        // Boolean: If TRUE, 'AND pid=0' will be a part of the query...

        'disabled' => '',

        'starttime' => '',

        'endtime' => '',

        'deleted' => '',

    ];


    public ‪$formfield_uname = '';


    public ‪$formfield_uident = '';


    public ‪$formfield_status = '';


    protected ‪$lifetime = 0;


    public ‪$writeStdLog = false;


    public ‪$writeAttemptLog = false;


    public ‪$checkPid = true;


    public ‪$checkPid_value = 0;


    public ‪$loginSessionStarted = false;


    public ‪$user;


    public array ‪$userGroups = [];


    public ‪$dontSetCookie = false;


    public ‪$loginType = '';


    public array ‪$uc = [];


    protected ?‪UserSession ‪$userSession = null;


    protected ‪UserSessionManager ‪$userSessionManager;


    protected ?Cookie ‪$setCookie = null;


    public function ‪__construct()

    {

        // Backend or frontend login - used for auth services

        if (empty($this->loginType)) {

            throw new ‪Exception('No loginType defined, must be set explicitly by subclass', 1476045345);

        }

        $this->lifetime = (int)(‪$GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['lifetime'] ?? 0);

    }


    public function ‪initializeUserSessionManager(?‪UserSessionManager ‪$userSessionManager = null): void

    {

        $this->userSessionManager = ‪$userSessionManager ?? ‪UserSessionManager::create($this->loginType);

        $this->userSession = $this->userSessionManager->createAnonymousSession();

    }


    public function ‪start(ServerRequestInterface $request)

    {

        $this->logger->debug('## Beginning of auth logging.');


        // Make certain that NO user is set initially

        $this->user = null;


        if (!isset($this->userSessionManager)) {

            $this->‪initializeUserSessionManager();

        }

        $this->userSession = $this->userSessionManager->createFromRequestOrAnonymous($request, $this->name);


        // Load user session, check to see if anyone has submitted login-information and if so authenticate

        // the user with the session. $this->user[uid] may be used to write log...

        try {

            $this->‪checkAuthentication($request);

        } catch (MfaRequiredException $mfaRequiredException) {

            // Ensure the cookie is still set to keep the user session available

            if (!$this->dontSetCookie || $this->‪isRefreshTimeBasedCookie()) {

                $this->‪setSessionCookie();

            }

            throw $mfaRequiredException;

        }

        // Set cookie if generally enabled or if the current session is a non-session cookie (FE permalogin)

        if (!$this->dontSetCookie || $this->‪isRefreshTimeBasedCookie()) {

            $this->‪setSessionCookie();

        }

        // Hook for alternative ways of filling the $this->user array (is used by the "timtaw" extension)

        foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postUserLookUp'] ?? [] as $funcName) {

            $_params = [

                'pObj' => $this,

            ];

            GeneralUtility::callUserFunction($funcName, $_params, $this);

        }

    }


    public function ‪appendCookieToResponse(ResponseInterface $response): ResponseInterface

    {

        if ($this->setCookie !== null) {

            $response = $response->withAddedHeader('Set-Cookie', $this->setCookie->__toString());

        }

        return $response;

    }


    protected function ‪setSessionCookie()

    {

        $isRefreshTimeBasedCookie = $this->‪isRefreshTimeBasedCookie();

        if ($this->‪isSetSessionCookie() || $isRefreshTimeBasedCookie) {

            // Get the domain to be used for the cookie (if any):

            $cookieDomain = $this->‪getCookieDomain();

            // If no cookie domain is set, use the base path:

            $cookiePath = $cookieDomain ? '/' : GeneralUtility::getIndpEnv('TYPO3_SITE_PATH');

            // If the cookie lifetime is set, use it:

            $cookieExpire = $isRefreshTimeBasedCookie ? ‪$GLOBALS['EXEC_TIME'] + $this->lifetime : 0;

            // Valid options are "strict", "lax" or "none", whereas "none" only works in HTTPS requests (default & fallback is "strict")

            $cookieSameSite = $this->sanitizeSameSiteCookieValue(

                strtolower(‪$GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['cookieSameSite'] ?? Cookie::SAMESITE_STRICT)

            );

            // Use the secure option when the current request is served by a secure connection:

            // SameSite "none" needs the secure option (only allowed on HTTPS)

            $isSecure = $cookieSameSite === Cookie::SAMESITE_NONE || GeneralUtility::getIndpEnv('TYPO3_SSL');

            $sessionId = $this->userSession->getIdentifier();

            $cookieValue = $this->userSession->getJwt();

            $this->setCookie = new Cookie(

                $this->name,

                $cookieValue,

                $cookieExpire,

                $cookiePath,

                $cookieDomain,

                $isSecure,

                true,

                false,

                $cookieSameSite

            );

            $message = $isRefreshTimeBasedCookie ? 'Updated Cookie: {session}, {domain}' : 'Set Cookie: {session}, {domain}';

            $this->logger->debug($message, [

                'session' => sha1($sessionId),

                'domain' => $cookieDomain,

            ]);

        }

    }


    protected function ‪getCookieDomain()

    {

        $result = '';

        $cookieDomain = ‪$GLOBALS['TYPO3_CONF_VARS']['SYS']['cookieDomain'] ?? '';

        // If a specific cookie domain is defined for a given application type, use that domain

        if (!empty(‪$GLOBALS['TYPO3_CONF_VARS'][$this->loginType]['cookieDomain'])) {

            $cookieDomain = ‪$GLOBALS['TYPO3_CONF_VARS'][‪$this->loginType]['cookieDomain'];

        }

        if ($cookieDomain) {

            if ($cookieDomain[0] === '/') {

                $match = [];

                $matchCnt = @preg_match($cookieDomain, GeneralUtility::getIndpEnv('TYPO3_HOST_ONLY'), $match);

                if ($matchCnt === false) {

                    $this->logger->critical('The regular expression for the cookie domain ({domain}) contains errors. The session is not shared across sub-domains.', ['domain' => $cookieDomain]);

                } elseif ($matchCnt) {

                    $result = $match[0];

                }

            } else {

                $result = $cookieDomain;

            }

        }

        return $result;

    }


    public function ‪isSetSessionCookie()

    {

        return $this->userSession->isNew() && $this->lifetime === 0;

    }


    public function ‪isRefreshTimeBasedCookie()

    {

        return $this->lifetime > 0;

    }


    protected function ‪getAuthServiceConfiguration(): array

    {

        if (is_array(‪$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup'] ?? null)) {

            return ‪$GLOBALS['TYPO3_CONF_VARS']['SVCONF']['auth']['setup'];

        }

        return [];

    }


    public function ‪checkAuthentication(ServerRequestInterface $request)

    {

        $authConfiguration = $this->‪getAuthServiceConfiguration();

        if (!empty($authConfiguration)) {

            $this->logger->debug('Authentication Service Configuration found.', ['auth_configuration' => $authConfiguration]);

        }

        $userRecordCandidate = false;

        // User is not authenticated by default

        $authenticated = false;

        // User want to login with passed login data (name/password)

        $activeLogin = false;

        $this->logger->debug('Login type: {type}', ['type' => $this->loginType]);

        // Get Login/Logout data submitted by a form or params

        ‪$loginData = $this->‪getLoginFormData($request);

        $this->logger->debug('Login data', $this->‪removeSensitiveLoginDataForLoggingInfo(‪$loginData));

        // Active logout (eg. with "logout" button)

        if (‪$loginData['status'] === ‪LoginType::LOGOUT) {

            if ($this->writeStdLog) {

                // $type,$action,$error,$details_nr,$details,$data,$tablename,$recuid,$recpid

                $this->‪writelog(SystemLogType::LOGIN, SystemLogLoginAction::LOGOUT, SystemLogErrorClassification::MESSAGE, 2, 'User %s logged out', [$this->user['username']], '', 0, 0);

            }

            $this->logger->info('User logged out. Id: {session}', ['session' => sha1($this->userSession->getIdentifier())]);

            $this->‪logoff();

        }

        // Determine whether we need to skip session update.

        // This is used mainly for checking session timeout in advance without refreshing the current session's timeout.

        $skipSessionUpdate = (bool)($request->getQueryParams()['skipSessionUpdate'] ?? false);

        $isExistingSession = false;

        $anonymousSession = false;

        $authenticatedUserFromSession = null;

        if (!$this->userSession->isNew()) {

            // Read user data if this is bound to a user

            // However, if the user data is not valid, or the session has timed out we'll recreate a new anonymous session

            if ($this->userSession->getUserId() > 0) {

                $authenticatedUserFromSession = $this->‪fetchValidUserFromSessionOrDestroySession($skipSessionUpdate);

            }

            $isExistingSession = !$this->userSession->isNew();

            $anonymousSession = $isExistingSession && $this->userSession->isAnonymous();

        }


        // Active login (eg. with login form).

        if (‪$loginData['status'] === ‪LoginType::LOGIN) {

            if (!$isExistingSession) {

                $activeLogin = true;

                $this->logger->debug('Active login (eg. with login form)');

                // check referrer for submitted login values

                if ($this->formfield_status && ‪$loginData['uident'] && ‪$loginData['uname']) {

                    // Delete old user session if any

                    $this->‪logoff();

                }

                // Refuse login for _CLI users, if not processing a CLI request type

                // (although we shouldn't be here in case of a CLI request type)

                if (stripos(‪$loginData['uname'], '_CLI_') === 0 && !‪Environment::isCli()) {

                    throw new \RuntimeException('TYPO3 Fatal Error: You have tried to login using a CLI user. Access prohibited!', 1270853931);

                }

            }

            // Cause elevation of privilege, make sure regenerateSessionId is called later on

            // Note for further research: $anonymousSession actually implies having $isExistingSession = true

            // allowing to further simplify this concern.

            if ($anonymousSession) {

                $activeLogin = true;

            }

        }


        if ($isExistingSession && $authenticatedUserFromSession !== null) {

            $this->logger->debug('User found in session', [

                $this->userid_column => $authenticatedUserFromSession[$this->userid_column] ?? null,

                $this->username_column => $authenticatedUserFromSession[$this->username_column] ?? null,

            ]);

        } else {

            $this->logger->debug('No user session found');

        }


        if ($activeLogin) {

            $context = GeneralUtility::makeInstance(Context::class);

            $securityAspect = ‪SecurityAspect::provideIn($context);

            $requestToken = $securityAspect->getReceivedRequestToken();


            $event = new BeforeRequestTokenProcessedEvent($this, $request, $requestToken);

            GeneralUtility::makeInstance(EventDispatcherInterface::class)->dispatch($event);

            $requestToken = $event->getRequestToken();


            $requestTokenScopeMatches = ($requestToken->scope ?? null) === 'core/user-auth/' . strtolower($this->loginType);

            if (!$requestTokenScopeMatches) {

                $this->logger->debug('Missing or invalid request token during login', ['requestToken' => $requestToken]);

                // important: disable `$activeLogin` state

                $activeLogin = false;

            } elseif ($requestToken instanceof RequestToken && $requestToken->getSigningSecretIdentifier() !== null) {

                $securityAspect->getSigningSecretResolver()->revokeIdentifier(

                    $requestToken->getSigningSecretIdentifier()

                );

            }

        }


        // Fetch users from the database (or somewhere else)

        $possibleUsers = $this->‪fetchPossibleUsers(‪$loginData, $activeLogin, $isExistingSession, $authenticatedUserFromSession, $request);


        // If no new user was set we use the already found user session

        if (empty($possibleUsers) && $isExistingSession && !$anonymousSession) {

            // Check if the previous services returned a proper user

            if (is_array($authenticatedUserFromSession)) {

                $possibleUsers[] = $authenticatedUserFromSession;

                $userRecordCandidate = $authenticatedUserFromSession;

                // User is authenticated because we found a user session

                $authenticated = true;

                $this->logger->debug('User session used', [

                    $this->userid_column => $authenticatedUserFromSession[$this->userid_column] ?? '',

                    $this->username_column => $authenticatedUserFromSession[$this->username_column] ?? '',

                ]);

            }

        }


        // Re-auth user when 'auth'-service option is set

        if (!empty($authConfiguration[$this->loginType . '_alwaysAuthUser'])) {

            $authenticated = false;

            $this->logger->debug('alwaysAuthUser option is enabled');

        }

        // Authenticate the user if needed

        if (!empty($possibleUsers) && !$authenticated) {

            foreach ($possibleUsers as $userRecordCandidate) {

                // Use 'auth' service to authenticate the user

                // If one service returns FALSE then authentication failed

                // a service might return 100 which means there's no reason to stop but the user can't be authenticated by that service

                $this->logger->debug('Auth user', $this->‪removeSensitiveLoginDataForLoggingInfo($userRecordCandidate, true));

                $subType = 'authUser' . ‪$this->loginType;


                foreach ($this->‪getAuthServices($subType, ‪$loginData, $authenticatedUserFromSession, $request) as $serviceObj) {

                    if (($ret = (int)$serviceObj->authUser($userRecordCandidate)) > 0) {

                        // If the service returns >=200 then no more checking is needed - useful for IP checking without password

                        if ($ret >= 200) {

                            $authenticated = true;

                            break;

                        }

                        if ($ret < 100) {

                            $authenticated = true;

                        }

                    // $ret is between 100 and 199 which means "I'm not responsible, ask others"

                    } else {

                        // $ret is < 0

                        $authenticated = false;

                        break;

                    }

                }


                if ($authenticated) {

                    // Leave foreach() because a user is authenticated

                    break;

                }

            }

        // mimic user authentication to mitigate observable timing discrepancies

        // @link https://cwe.mitre.org/data/definitions/208.html

        } elseif ($activeLogin) {

            $subType = 'authUser' . ‪$this->loginType;

            foreach ($this->‪getAuthServices($subType, ‪$loginData, $authenticatedUserFromSession, $request) as $serviceObj) {

                if ($serviceObj instanceof MimicServiceInterface && $serviceObj->mimicAuthUser() === false) {

                    break;

                }

            }

        }


        // If user is authenticated, then a valid user is found in $userRecordCandidate

        if ($authenticated) {

            // Insert session record if needed

            if (!$isExistingSession

                || $anonymousSession

                || (int)($userRecordCandidate[$this->userid_column] ?? 0) !== $this->userSession->getUserId()

            ) {

                $sessionData = $this->userSession->getData();

                // Create a new session with a fixated user

                $this->userSession = $this->‪createUserSession($userRecordCandidate);


                // Preserve session data on login

                if ($anonymousSession || $isExistingSession) {

                    $this->userSession->overrideData($sessionData);

                }


                $this->user = array_merge($userRecordCandidate, $this->user ?? []);


                // The login session is started.

                $this->loginSessionStarted = true;

                $this->logger->debug('User session finally read', [

                    $this->userid_column => $this->user[$this->userid_column],

                    $this->username_column => $this->user[$this->username_column],

                ]);

            } else {

                // if we come here the current session is for sure not anonymous as this is a pre-condition for $authenticated = true

                $this->user = $authenticatedUserFromSession;

            }


            if ($activeLogin && !$this->userSession->isNew()) {

                $this->‪regenerateSessionId();

            }


            // Since the user is not fully authenticated we need to unpack UC here to be

            // able to retrieve a possible defined default (preferred) MFA provider.

            $this->‪unpack_uc();


            if ($activeLogin) {

                // User logged in - write that to the log!

                if ($this->writeStdLog) {

                    $this->‪writelog(SystemLogType::LOGIN, SystemLogLoginAction::LOGIN, SystemLogErrorClassification::MESSAGE, 1, 'User %s logged in from ###IP###', [$userRecordCandidate[$this->username_column]], '', '', '');

                }

                $this->logger->info('User {username} logged in from {ip}', [

                    'username' => $userRecordCandidate[$this->username_column],

                    'ip' => GeneralUtility::getIndpEnv('REMOTE_ADDR'),

                ]);

            } else {

                $this->logger->debug('User {username} authenticated from {ip}', [

                    'username' => $userRecordCandidate[$this->username_column],

                    'ip' => GeneralUtility::getIndpEnv('REMOTE_ADDR'),

                ]);

            }

            // Check if multi-factor authentication is required

            $this->‪evaluateMfaRequirements();

        } else {

            // Mark the current login attempt as failed

            if (empty($possibleUsers) && $activeLogin) {

                $this->logger->debug('Login failed', [

                    'loginData' => $this->‪removeSensitiveLoginDataForLoggingInfo(‪$loginData),

                ]);

            } elseif (!empty($possibleUsers)) {

                $this->logger->debug('Login failed', [

                    $this->userid_column => $userRecordCandidate[$this->userid_column],

                    $this->username_column => $userRecordCandidate[$this->username_column],

                ]);

            }


            // If there were a login failure, check to see if a warning email should be sent

            if ($activeLogin) {

                GeneralUtility::makeInstance(EventDispatcherInterface::class)->dispatch(

                    new ‪LoginAttemptFailedEvent($this, $request, $this->‪removeSensitiveLoginDataForLoggingInfo(‪$loginData))

                );

                $this->‪handleLoginFailure();

            }

        }

    }


    protected function ‪fetchPossibleUsers(array ‪$loginData, bool $activeLogin, bool $isExistingSession, ?array $authenticatedUserFromSession, ServerRequestInterface $request): array

    {

        $possibleUsers = [];

        $authConfiguration = $this->‪getAuthServiceConfiguration();

        $alwaysFetchUsers = !empty($authConfiguration[$this->loginType . '_alwaysFetchUser']);

        $fetchUsersIfNoSessionIsGiven = !empty($authConfiguration[$this->loginType . '_fetchUserIfNoSession']);

        if (

            $activeLogin

            || $alwaysFetchUsers

            || (!$isExistingSession && $fetchUsersIfNoSessionIsGiven)

        ) {

            // Use 'auth' service to find the user

            // First found user will be used

            $subType = 'getUser' . ‪$this->loginType;

            foreach ($this->‪getAuthServices($subType, ‪$loginData, $authenticatedUserFromSession, $request) as $serviceObj) {

                $row = $serviceObj->getUser();

                if (is_array($row)) {

                    $possibleUsers[] = $row;

                    $this->logger->debug('User found', [

                        $this->userid_column => $row[$this->userid_column],

                        $this->username_column => $row[$this->username_column],

                    ]);

                    // User found, just stop to search for more if not configured to go on

                    if (empty($authConfiguration[$this->loginType . '_fetchAllUsers'])) {

                        break;

                    }

                }

            }


            if ($alwaysFetchUsers) {

                $this->logger->debug($this->loginType . '_alwaysFetchUser option is enabled');

            }

            if (empty($possibleUsers)) {

                $this->logger->debug('No user found by services');

            } else {

                $this->logger->debug('{count} user records found by services', ['count' => count($possibleUsers)]);

            }

        }

        return $possibleUsers;

    }


    protected function ‪evaluateMfaRequirements(): void

    {

        // MFA has been validated already, nothing to do

        if ($this->‪getSessionData('mfa')) {

            return;

        }

        // If the user session does not contain the 'mfa' key - indicating that MFA is already

        // passed - get the first provider for authentication, which is either the default provider

        // or the first active provider (based on the providers configured ordering).

        $provider = GeneralUtility::makeInstance(MfaProviderRegistry::class)->getFirstAuthenticationAwareProvider($this);

        // Throw an exception (hopefully caught in a middleware) when an active provider for the user exists

        if ($provider !== null) {

            throw new ‪MfaRequiredException($provider, 1613687097);

        }

    }


    public function ‪isMfaSetupRequired(): bool

    {

        return false;

    }


    protected function ‪handleLoginFailure(): void

    {

        if ((‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] ?? []) !== []) {

            trigger_error(

                'The hook $TYPO3_CONF_VARS[\'SC_OPTIONS\'][\'t3lib/class.t3lib_userauth.php\'][\'postLoginFailureProcessing\']'

                . ' will be removed in TYPO3 v13.0. Use the PSR-14 event LoginAttemptFailedEvent.',

                E_USER_DEPRECATED

            );

        }

        $_params = [];

        foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['postLoginFailureProcessing'] ?? [] as $hookIdentifier => $_funcRef) {

            GeneralUtility::callUserFunction($_funcRef, $_params, $this);

        }

    }


    protected function ‪getAuthServices(string $subType, array ‪$loginData, ?array $authenticatedUserFromSession, ServerRequestInterface $request): \Traversable

    {

        $serviceChain = [];

        // The info array provide additional information for auth services

        $authInfo = $this->‪getAuthInfoArray($request);

        if ($authenticatedUserFromSession !== null) {

            $authInfo['user'] = $authenticatedUserFromSession;

        }

        while (is_object($serviceObj = GeneralUtility::makeInstanceService('auth', $subType, $serviceChain))) {

            $serviceChain[] = $serviceObj->getServiceKey();

            $serviceObj->initAuth($subType, ‪$loginData, $authInfo, $this);

            yield $serviceObj;

        }

        if (!empty($serviceChain)) {

            $this->logger->debug('{subtype} auth services called: {chain}', [

                'subtype' => $subType,

                'chain' => implode(',', $serviceChain),

            ]);

        }

    }


    protected function ‪regenerateSessionId()

    {

        $this->userSession = $this->userSessionManager->regenerateSession($this->userSession->getIdentifier());

    }


    /*************************

     *

     * User Sessions

     *

     *************************/


    public function ‪createUserSession(array $userRecordCandidate): UserSession

    {

        // Needed for testing framework

        if (!isset($this->userSessionManager)) {

            $this->‪initializeUserSessionManager();

        }

        $userRecordCandidateId = (int)($userRecordCandidate[$this->userid_column] ?? 0);

        $session = $this->userSessionManager->elevateToFixatedUserSession($this->userSession, $userRecordCandidateId);

        // Updating lastLogin_column carrying information about last login.

        $this->‪updateLoginTimestamp($userRecordCandidateId);

        return $session;

    }


    protected function ‪updateLoginTimestamp(int $userId)

    {

        if ($this->lastLogin_column) {

            $connection = GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable($this->user_table);

            $connection->update(

                $this->user_table,

                [$this->lastLogin_column => ‪$GLOBALS['EXEC_TIME']],

                [$this->userid_column => $userId]

            );

            $this->user[‪$this->lastLogin_column] = ‪$GLOBALS['EXEC_TIME'];

        }

    }


    protected function ‪fetchValidUserFromSessionOrDestroySession(bool $skipSessionUpdate = false): ?array

    {

        if ($this->userSession->isAnonymous()) {

            return null;

        }

        // Fetch the user from the DB

        $userRecord = $this->‪getRawUserByUid($this->userSession->getUserId() ?? 0);

        if ($userRecord) {

            // A user was found

            $userRecord['is_online'] = $this->userSession->getLastUpdated();

            if (!$this->userSessionManager->hasExpired($this->userSession)) {

                if (!$skipSessionUpdate) {

                    $this->userSession = $this->userSessionManager->updateSessionTimestamp($this->userSession);

                }

            } else {

                // Delete any user set...

                $this->‪logoff();

                $userRecord = false;

                $this->userSession = $this->userSessionManager->createAnonymousSession();

            }

        }

        return is_array($userRecord) ? $userRecord : null;

    }


    public function ‪enforceNewSessionId()

    {

        $this->‪regenerateSessionId();

        $this->‪setSessionCookie();

    }


    public function ‪logoff()

    {

        $this->logger->debug('logoff: ses_id = {session}', ['session' => sha1($this->userSession->getIdentifier())]);


        $dispatcher = GeneralUtility::makeInstance(EventDispatcherInterface::class);


        $event = new BeforeUserLogoutEvent($this);

        $event = $dispatcher->dispatch($event);


        if (!empty(‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'] ?? null)) {

            trigger_error(

                '$GLOBALS[\'TYPO3_CONF_VARS\'][\'SC_OPTIONS\'][\'t3lib/class.t3lib_userauth.php\'][\'logoff_pre_processing\'] will be removed in TYPO3 v13.0. Use the PSR-14 "BeforeUserLogoutEvent" instead.',

                E_USER_DEPRECATED

            );

        }


        if ($event->shouldLogout()) {

            $_params = [];

            foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_pre_processing'] ?? [] as $_funcRef) {

                if ($_funcRef) {

                    GeneralUtility::callUserFunction($_funcRef, $_params, $this);

                }

            }

            $this->‪performLogoff();

        }


        $dispatcher->dispatch(new ‪AfterUserLoggedOutEvent($this));


        if (!empty(‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_post_processing'] ?? null)) {

            trigger_error(

                '$GLOBALS[\'TYPO3_CONF_VARS\'][\'SC_OPTIONS\'][\'t3lib/class.t3lib_userauth.php\'][\'logoff_post_processing\'] will be removed in TYPO3 v13.0. Use the PSR-14 "BeforeUserLogoutEvent" instead.',

                E_USER_DEPRECATED

            );

        }

        foreach (‪$GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['t3lib/class.t3lib_userauth.php']['logoff_post_processing'] ?? [] as $_funcRef) {

            if ($_funcRef) {

                GeneralUtility::callUserFunction($_funcRef, $_params, $this);

            }

        }

    }


    protected function ‪performLogoff()

    {

        if ($this->userSession) {

            $this->userSessionManager->removeSession($this->userSession);

        }

        $this->userSession = $this->userSessionManager->createAnonymousSession();

        $this->user = null;

        if ($this->‪isCookieSet()) {

            $this->‪removeCookie();

        }

    }


    public function ‪removeCookie($cookieName = null)

    {

        $cookieName = $cookieName ?? ‪$this->name;

        $cookieDomain = $this->‪getCookieDomain();

        // If no cookie domain is set, use the base path

        $cookiePath = $cookieDomain ? '/' : GeneralUtility::getIndpEnv('TYPO3_SITE_PATH');

        $this->setCookie = new Cookie(

            $cookieName,

            '',

            -1,

            $cookiePath,

            $cookieDomain

        );

    }


    public function ‪isCookieSet()

    {

        return $this->setCookie instanceof Cookie || isset($_COOKIE[$this->name]);

    }


    /*************************

     *

     * SQL Functions

     *

     *************************/

    protected function ‪userConstraints(): QueryRestrictionContainerInterface

    {

        $restrictionContainer = GeneralUtility::makeInstance(DefaultRestrictionContainer::class);


        if (empty($this->enablecolumns['disabled'])) {

            $restrictionContainer->removeByType(HiddenRestriction::class);

        }


        if (empty($this->enablecolumns['deleted'])) {

            $restrictionContainer->removeByType(DeletedRestriction::class);

        }


        if (empty($this->enablecolumns['starttime'])) {

            $restrictionContainer->removeByType(StartTimeRestriction::class);

        }


        if (empty($this->enablecolumns['endtime'])) {

            $restrictionContainer->removeByType(EndTimeRestriction::class);

        }


        if (!empty($this->enablecolumns['rootLevel'])) {

            $restrictionContainer->add(GeneralUtility::makeInstance(RootLevelRestriction::class, [$this->user_table]));

        }


        if ($this->checkPid && $this->checkPid_value !== null) {

            $restrictionContainer->add(

                GeneralUtility::makeInstance(

                    PageIdListRestriction::class,

                    [$this->user_table],

                    ‪GeneralUtility::intExplode(',', (string)$this->checkPid_value, true)

                )

            );

        }


        return $restrictionContainer;

    }


    /*************************

     *

     * Session and Configuration Handling

     *

     *************************/

    public function ‪writeUC()

    {

        if (is_array($this->user) && $this->user[$this->userid_column]) {

            $this->logger->debug('writeUC: {userid_column}={value}', [

                'userid_column' => $this->userid_column,

                'value' => $this->user[$this->userid_column],

            ]);

            GeneralUtility::makeInstance(ConnectionPool::class)->getConnectionForTable($this->user_table)->update(

                $this->user_table,

                ['uc' => serialize($this->uc)],

                [$this->userid_column => (int)$this->user[$this->userid_column]],

                ['uc' => ‪Connection::PARAM_LOB]

            );

        }

    }


    public function ‪unpack_uc()

    {

        if (isset($this->user['uc'])) {

            $theUC = unserialize($this->user['uc'], ['allowed_classes' => false]);

            if (is_array($theUC)) {

                $this->uc = $theUC;

            }

        }

    }


    public function ‪pushModuleData(string $module, mixed $data, bool $dontPersistImmediately = false): void

    {

        $sessionHash = ‪GeneralUtility::hmac(

            $this->userSession->getIdentifier(),

            'core-session-hash'

        );

        $this->uc['moduleData'][$module] = $data;

        $this->uc['moduleSessionID'][$module] = $sessionHash;

        if ($dontPersistImmediately === false) {

            $this->‪writeUC();

        }

    }


    public function ‪getModuleData(string $module, string $type = ''): mixed

    {

        $sessionHash = ‪GeneralUtility::hmac(

            $this->userSession->getIdentifier(),

            'core-session-hash'

        );

        $sessionData = $this->uc['moduleData'][$module] ?? null;

        $moduleSessionIdHash = $this->uc['moduleSessionID'][$module] ?? null;

        if ($type !== 'ses' || ($sessionData !== null && $moduleSessionIdHash === $sessionHash)) {

            return $sessionData;

        }

        return null;

    }


    public function ‪getSessionData($key)

    {

        return $this->userSession ? $this->userSession->get($key) : '';

    }


    public function ‪setSessionData($key, $data)

    {

        $this->userSession->set($key, $data);

    }


    public function ‪setAndSaveSessionData($key, $data)

    {

        $this->userSession->set($key, $data);

        $this->logger->debug('setAndSaveSessionData: ses_id = {session}', ['session' => sha1($this->userSession->getIdentifier())]);

        $this->userSession = $this->userSessionManager->updateSession($this->userSession);

    }


    /*************************

     *

     * Misc

     *

     *************************/

    public function ‪getLoginFormData(ServerRequestInterface $request)

    {

        ‪$loginData = [

            'status' => $request->getParsedBody()[‪$this->formfield_status] ?? $request->getQueryParams()[‪$this->formfield_status] ?? null,

            'uname'  => $request->getParsedBody()[‪$this->formfield_uname] ?? null,

            'uident' => $request->getParsedBody()[‪$this->formfield_uident] ?? null,

        ];

        // Only process the login data if a login is requested

        if (‪$loginData['status'] === ‪LoginType::LOGIN) {

            ‪$loginData = $this->‪processLoginData($loginData, $request);

        }

        return ‪$loginData;

    }


    public function ‪isActiveLogin(ServerRequestInterface $request): bool

    {

        $status = $request->getParsedBody()[‪$this->formfield_status] ?? $request->getQueryParams()[‪$this->formfield_status] ?? '';

        return $status === ‪LoginType::LOGIN;

    }


    public function ‪processLoginData(array ‪$loginData, ServerRequestInterface $request): array

    {

        $this->logger->debug('Login data before processing', $this->‪removeSensitiveLoginDataForLoggingInfo($loginData));

        $subType = 'processLoginData' . ‪$this->loginType;

        $isLoginDataProcessed = false;

        $processedLoginData = ‪$loginData;

        foreach ($this->‪getAuthServices($subType, ‪$loginData, null, $request) as $serviceObject) {

            $serviceResult = $serviceObject->processLoginData($processedLoginData, 'normal');

            if (!empty($serviceResult)) {

                $isLoginDataProcessed = true;

                // If the service returns >=200 then no more processing is needed

                if ((int)$serviceResult >= 200) {

                    break;

                }

            }

        }

        if ($isLoginDataProcessed) {

            ‪$loginData = $processedLoginData;

            $this->logger->debug('Processed login data', $this->‪removeSensitiveLoginDataForLoggingInfo($processedLoginData));

        }

        return ‪$loginData;

    }


    protected function ‪removeSensitiveLoginDataForLoggingInfo($data, bool $isUserRecord = false)

    {

        if ($isUserRecord && is_array($data)) {

            $fieldNames = ['uid', 'pid', 'tstamp', 'crdate', 'deleted', 'disabled', 'starttime', 'endtime', 'username', 'admin', 'usergroup', 'db_mountpoints', 'file_mountpoints', 'file_permissions', 'workspace_perms', 'lastlogin', 'workspace_id', 'category_perms'];

            $data = array_intersect_key($data, array_combine($fieldNames, $fieldNames));

        }

        if (isset($data['uident'])) {

            $data['uident'] = '********';

        }

        if (isset($data['uident_text'])) {

            $data['uident_text'] = '********';

        }

        if (isset($data['password'])) {

            $data['password'] = '********';

        }

        return $data;

    }


    public function ‪getAuthInfoArray(ServerRequestInterface $request)

    {

        $queryBuilder = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->user_table);

        $expressionBuilder = $queryBuilder->expr();

        $authInfo = [];

        $authInfo['loginType'] = ‪$this->loginType;

        $authInfo['request'] = $request;

        $authInfo['refInfo'] = parse_url(GeneralUtility::getIndpEnv('HTTP_REFERER'));

        $authInfo['HTTP_HOST'] = GeneralUtility::getIndpEnv('HTTP_HOST');

        $authInfo['REMOTE_ADDR'] = GeneralUtility::getIndpEnv('REMOTE_ADDR');

        $authInfo['REMOTE_HOST'] = GeneralUtility::getIndpEnv('REMOTE_HOST');

        // Can be overridden in localconf by SVCONF:

        $authInfo['db_user']['table'] = ‪$this->user_table;

        $authInfo['db_user']['userid_column'] = ‪$this->userid_column;

        $authInfo['db_user']['username_column'] = ‪$this->username_column;

        $authInfo['db_user']['userident_column'] = ‪$this->userident_column;

        $authInfo['db_user']['enable_clause'] = $this->‪userConstraints()->buildExpression(

            [$this->user_table => $this->user_table],

            $expressionBuilder

        );

        return $authInfo;

    }


    public function ‪writelog($type, $action, $error, $details_nr, $details, $data, $tablename, $recuid, $recpid)

    {

    }


    public function ‪setBeUserByUid(‪$uid)

    {

        $this->user = $this->‪getRawUserByUid(‪$uid);

    }


    public function ‪setBeUserByName(‪$name)

    {

        $this->user = $this->‪getRawUserByName(‪$name) ?: null;

    }


    public function ‪getRawUserByUid(‪$uid)

    {

        $query = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->user_table);

        $query->setRestrictions($this->‪userConstraints());

        $query->select('*')

            ->from($this->user_table)

            ->where($query->expr()->eq($this->userid_column, $query->createNamedParameter(‪$uid, ‪Connection::PARAM_INT)));


        return $query->executeQuery()->fetchAssociative();

    }


    public function ‪getRawUserByName(‪$name)

    {

        $query = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->user_table);

        $query->setRestrictions($this->‪userConstraints());

        $query->select('*')

            ->from($this->user_table)

            ->where($query->expr()->eq($this->username_column, $query->createNamedParameter(‪$name)));


        return $query->executeQuery()->fetchAssociative();

    }


    public function ‪getSession(): UserSession

    {

        return ‪$this->userSession;

    }

}