/**
* Attempts to authenticate a TokenInterface object.
*
* @param TokenInterface $token The TokenInterface instance to authenticate
*
* @return TokenInterface An authenticated TokenInterface instance, never null
*
* @throws AuthenticationException if the authentication fails
*/
public function authenticate(TokenInterface $token)
{
/** @var SignedTokenInterface $token */
$user = $this->userProvider->loadUserByUsername($token->getUsername());
$signData = $this->getAuthSignData($token->getRequest());
$signData[] = $user->{$this->config['secret_getter']}();
$expectedSignature = hash($this->config['hash_alg'], implode($this->config['data_delimiter'], $signData));
if ($token->getSignature() == $expectedSignature) {
$token->setUser($user);
return $token;
}
$this->logger->critical(sprintf('Invalid auth signature. Expect "%s", got "%s"', $expectedSignature, $token->getSignature()), ['signData' => $signData]);
throw new AuthenticationException("Invalid auth signature " . $token->getSignature());
}
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
/** @var HmacUserToken $token */
if ($this->validateServiceLabel($token->getServiceLabel())) {
$user = $this->userProvider->loadUserByUsername($token->getUsername());
if ($this->validateSignature($token->getRequest(), $token->getSignature(), $user->getPassword())) {
$authenticatedToken = new HmacUserToken();
$authenticatedToken->setUser($user);
$authenticatedToken->setServiceLabel($token->getServiceLabel());
$authenticatedToken->setRequest($token->getRequest());
return $authenticatedToken;
}
}
throw new AuthenticationException('The HMAC authentication failed.');
}
/**
* {@inheritdoc}
*/
public function authenticate(TokenInterface $token)
{
/** @var SessionlessToken $token */
$signature = $token->getSignature($token);
$user = $this->usersProvider->loadUserByUsername($token->getUsername());
// Prepares new token, that represents authenticated user.
$regeneratedToken = new SessionlessToken($token->getUsername(), $token->getExpirationTime(), $token->getIpAddress(), $this->generateSignature($token), $user->getRoles());
if ($token->getExpirationTime() >= time() && $signature === $regeneratedToken->getSignature()) {
$regeneratedToken->setAuthenticated(true);
$regeneratedToken->setUser($user);
return $regeneratedToken;
} else {
$regeneratedToken->setAuthenticated(false);
}
throw new AuthenticationException('The Sessionless authentication failed.');
}
/**
* Check signature
*
* @param TokenInterface $token
* @param ClientInterface $client
* @return void
*/
protected function checkSignature(TokenInterface $token, ClientInterface $client)
{
if ($client->isSignatureRequired() && !$token->isSigned()) {
throw new OAuthInvalidRequestException('The request is not signed.');
}
if ($client->isSignatureRequired() && $token->isSigned()) {
if (!$this->signature->verify($token->getSignedUrl(), $client->getSecret(), $token->getSignature())) {
throw new OAuthInvalidRequestException('The request signature we calculated does not match the signature you provided.');
}
}
}
