Merge pull request #28 from activecollab/authentication-intent

Authentication intent

Author: ilijastuden

src/Adapter/BrowserSessionAdapter.php

@@ -56,15 +56,19 @@ public function initialize(ServerRequestInterface $request): ?TransportInterface
 
         $session = $this->session_repository->getById($session_id);
 
-        if ($session instanceof SessionInterface) {
-            if ($user = $session->getAuthenticatedUser($this->user_repository)) {
-                $this->session_repository->recordUsageBySession($session);
+        if (!$session) {
+            return new CleanUpTransport($this);
+        }
 
-                return new AuthenticationTransport($this, $user, $session);
-            }
+        $user = $session->getAuthenticatedUser($this->user_repository);
+
+        if (!$user) {
+            return new CleanUpTransport($this);
         }
 
-        return new CleanUpTransport($this);
+        $this->session_repository->recordUsageBySession($session);
+
+        return new AuthenticationTransport($this, $user, $session);
     }
 
     public function applyToResponse(ResponseInterface $response, TransportInterface $transport): ResponseInterface

src/AuthenticatedUser/AuthenticatedUserInterface.php

@@ -10,14 +10,15 @@
 
 namespace ActiveCollab\Authentication\AuthenticatedUser;
 
+use ActiveCollab\Authentication\AuthenticatedUser\Username\UsernameInterface;
 use ActiveCollab\User\UserInterface;
 
 interface AuthenticatedUserInterface extends UserInterface
 {
     /**
      * Return username that is used for authentication (email, unique username, phone number...).
      */
-    public function getUsername(): string;
+    public function getUsername(): UsernameInterface;
 
     /**
      * Check if $password is a valid password of this user.
@@ -28,4 +29,9 @@ public function isValidPassword(string $password): bool;
      * Return true if this user can authenticate.
      */
     public function canAuthenticate(): bool;
+
+    /**
+     * Return true if this user requires second factor to authenticate.
+     */
+    public function requiresSecondFactor(): bool;
 }

src/AuthenticatedUser/Username/UsernameInterface.php

@@ -0,0 +1,18 @@
+<?php
+
+/*
+ * This file is part of the Active Collab Authentication project.
+ *
+ * (c) A51 doo <[email protected]>. All rights reserved.
+ */
+
+declare(strict_types=1);
+
+namespace ActiveCollab\Authentication\AuthenticatedUser\Username;
+
+use Stringable;
+
+interface UsernameInterface extends Stringable
+{
+    public function getUsername(): string;
+}

src/Authentication.php

@@ -15,28 +15,45 @@
 use ActiveCollab\Authentication\AuthenticationResult\AuthenticationResultInterface;
 use ActiveCollab\Authentication\AuthenticationResult\Transport\Authentication\AuthenticationTransportInterface;
 use ActiveCollab\Authentication\AuthenticationResult\Transport\Authorization\AuthorizationTransport;
+use ActiveCollab\Authentication\AuthenticationResult\Transport\Authorization\AuthorizationTransportInterface;
 use ActiveCollab\Authentication\AuthenticationResult\Transport\Transport;
 use ActiveCollab\Authentication\AuthenticationResult\Transport\TransportInterface;
 use ActiveCollab\Authentication\Authorizer\AuthorizerInterface;
+use ActiveCollab\Authentication\Exception\IntentExpiredException;
+use ActiveCollab\Authentication\Exception\IntentFulfilledException;
 use ActiveCollab\Authentication\Exception\InvalidAuthenticationRequestException;
+use ActiveCollab\Authentication\Exception\InvalidIntentUserException;
+use ActiveCollab\Authentication\Exception\SecondFactorNotRequiredException;
+use ActiveCollab\Authentication\Intent\IntentInterface;
+use ActiveCollab\Authentication\Intent\RepositoryInterface as IntentRepositoryInterface;
 use Exception;
+use LogicException;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\RequestHandlerInterface;
 
 class Authentication implements AuthenticationInterface
 {
+    private IntentRepositoryInterface $intent_repository;
     private array $adapters;
     private ?AuthenticatedUserInterface $authenticated_user = null;
     private ?AuthenticationResultInterface $authenticated_with = null;
     private array $on_user_authenticated = [];
     private array $on_user_authorized = [];
     private array $on_user_authorization_failed = [];
+    private array $on_intent_authorized = [];
+    private array $on_intent_authorization_failed = [];
+    private array $on_intent_fulfilled = [];
+    private array $on_intent_fulfillment_failed = [];
     private array $on_user_set = [];
     private array $on_user_deauthenticated = [];
 
-    public function __construct(AdapterInterface ...$adapters)
+    public function __construct(
+        IntentRepositoryInterface $intent_repository,
+        AdapterInterface ...$adapters,
+    )
     {
+        $this->intent_repository = $intent_repository;
         $this->adapters = $adapters;
     }
 
@@ -114,26 +131,93 @@ public function authorize(
         AuthorizerInterface $authorizer,
         AdapterInterface $adapter,
         array $credentials,
-        $payload = null
-    ): TransportInterface
+        array $payload = null,
+    ): TransportInterface|IntentInterface
     {
         try {
             $user = $authorizer->verifyCredentials($credentials);
-            $authenticatedWith = $adapter->authenticate($user, $credentials);
 
-            $this->triggerEvent('user_authorized', $user, $authenticatedWith);
+            if ($user->requiresSecondFactor()) {
+                $intent = $this->intent_repository->createSecondFactorIntent(
+                    $user,
+                );
+
+                $this->triggerEvent('intent_authorized', $user, $intent);
 
-            $authorizationResult = new AuthorizationTransport($adapter, $user, $authenticatedWith, $payload);
-            $this->lastProcessingResult = $authorizationResult;
+                return $intent;
+            }
 
-            return $authorizationResult;
+            return $this->completeAuthentication(
+                $adapter,
+                $user,
+                $credentials,
+                $payload,
+            );
         } catch (Exception $e) {
             $this->triggerEvent('user_authorization_failed', $credentials, $e);
 
             throw $e;
         }
     }
 
+    public function fulfillIntent(
+        AuthorizerInterface $authorizer,
+        AdapterInterface $adapter,
+        IntentInterface $intent,
+        AuthenticatedUserInterface $user,
+        array $credentials,
+        array $payload = null,
+    ): TransportInterface
+    {
+        try {
+            if ($intent->isFulfilled()) {
+                throw new IntentFulfilledException();
+            }
+
+            if ($intent->isExpired()) {
+                throw new IntentExpiredException();
+            }
+
+            if (!$intent->belongsToUser($user)) {
+                throw new InvalidIntentUserException();
+            }
+
+            if (!$user->requiresSecondFactor()) {
+                throw new SecondFactorNotRequiredException();
+            }
+
+            $intent->fulfill($user, $credentials);
+            $this->triggerEvent('intent_fulfilled', $user, $intent);
+
+            return $this->completeAuthentication(
+                $adapter,
+                $user,
+                $credentials,
+                $payload,
+            );
+        } catch (Exception $e) {
+            $this->triggerEvent('intent_fulfillment_failed', $credentials, $e);
+            throw $e;
+        }
+    }
+
+    private function completeAuthentication(
+        AdapterInterface $adapter,
+        AuthenticatedUserInterface $user,
+        array $credentials,
+        ?array $payload,
+    ): AuthorizationTransportInterface
+    {
+        $authenticatedWith = $adapter->authenticate($user, $credentials);
+
+        $this->triggerEvent('user_authorized', $user, $authenticatedWith);
+
+        $authorizationResult = new AuthorizationTransport($adapter, $user, $authenticatedWith, $payload);
+        $this->lastProcessingResult = $authorizationResult;
+
+        return $authorizationResult;
+    }
+
     public function terminate(
         AdapterInterface $adapter,
         AuthenticationResultInterface $authenticatedWith
@@ -217,6 +301,10 @@ private function triggerEvent(string $event_name, ...$arguments): void
     {
         $property_name = sprintf("on_%s", $event_name);
 
+        if (!property_exists($this, $property_name)) {
+            throw new LogicException(sprintf('Event %s does not exist.', $event_name));
+        }
+
         /** @var callable $handler */
         foreach ($this->$property_name as $handler) {
             call_user_func_array($handler, $arguments);
@@ -244,6 +332,34 @@ public function onUserAuthorizationFailed(callable $value): AuthenticationInterf
         return $this;
     }
 
+    public function onIntentAuthorized(callable $value): AuthenticationInterface
+    {
+        $this->on_intent_authorized[] = $value;
+
+        return $this;
+    }
+
+    public function onIntentAuthorizationFailed(callable $value): AuthenticationInterface
+    {
+        $this->on_intent_authorization_failed[] = $value;
+
+        return $this;
+    }
+
+    public function onIntentFulfilled(callable $value): AuthenticationInterface
+    {
+        $this->on_intent_fulfilled[] = $value;
+
+        return $this;
+    }
+
+    public function onIntentFulfillmentFailed(callable $value): AuthenticationInterface
+    {
+        $this->on_intent_fulfillment_failed[] = $value;
+
+        return $this;
+    }
+
     public function onUserSet(callable $value): AuthenticationInterface
     {
         $this->on_user_set[] = $value;

src/AuthenticationInterface.php

@@ -15,6 +15,7 @@
 use ActiveCollab\Authentication\AuthenticationResult\AuthenticationResultInterface;
 use ActiveCollab\Authentication\AuthenticationResult\Transport\TransportInterface;
 use ActiveCollab\Authentication\Authorizer\AuthorizerInterface;
+use ActiveCollab\Authentication\Intent\IntentInterface;
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
 use Psr\Http\Server\MiddlewareInterface;
@@ -24,19 +25,28 @@ interface AuthenticationInterface extends MiddlewareInterface
     public function __invoke(
         ServerRequestInterface $request,
         ResponseInterface $response,
-        callable $next = null
+        callable $next = null,
     ): ResponseInterface;
 
     public function authorize(
         AuthorizerInterface $authorizer,
         AdapterInterface $adapter,
         array $credentials,
-        $payload = null
+        array $payload = null,
+    ): TransportInterface|IntentInterface;
+
+    public function fulfillIntent(
+        AuthorizerInterface $authorizer,
+        AdapterInterface $adapter,
+        IntentInterface $intent,
+        AuthenticatedUserInterface $user,
+        array $credentials,
+        array $payload,
     ): TransportInterface;
 
     public function terminate(
         AdapterInterface $adapter,
-        AuthenticationResultInterface $authenticatedWith
+        AuthenticationResultInterface $authenticatedWith,
     ): TransportInterface;
 
     /**
@@ -53,6 +63,10 @@ public function setAuthenticatedWith(?AuthenticationResultInterface $value): Aut
     public function onUserAuthenticated(callable $value): AuthenticationInterface;
     public function onUserAuthorized(callable $value): AuthenticationInterface;
     public function onUserAuthorizationFailed(callable $value): AuthenticationInterface;
+    public function onIntentAuthorized(callable $value): AuthenticationInterface;
+    public function onIntentAuthorizationFailed(callable $value): AuthenticationInterface;
+    public function onIntentFulfilled(callable $value): AuthenticationInterface;
+    public function onIntentFulfillmentFailed(callable $value): AuthenticationInterface;
     public function onUserSet(callable $value): AuthenticationInterface;
     public function onUserDeauthenticated(callable $value): AuthenticationInterface;
 }

src/Authorizer/SecondFactor/SecondFactorVerifierInterface.php

@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace ActiveCollab\Authentication\Authorizer\SecondFactor;
+
+use ActiveCollab\Authentication\AuthenticatedUser\AuthenticatedUserInterface;
+
+interface SecondFactorVerifierInterface
+{
+    public function verifySecondFactorCode(
+        string $secondFactorCode,
+        AuthenticatedUserInterface $user,
+    ): bool;
+}

src/Exception/AuthenticationDisabledException.php

@@ -10,16 +10,10 @@
 
 namespace ActiveCollab\Authentication\Exception;
 
-use Exception as PhpException;
-
 class AuthenticationDisabledException extends RuntimeException
 {
-    public function __construct(
-        string $message = 'Authentication is temporary disabled',
-        int $code = 0,
-        PhpException $previous = null,
-    )
+    protected function getAuthExceptionMessage(): string
     {
-        parent::__construct($message, $code, $previous);
+        return 'Authentication is temporary disabled.';
     }
 }

src/Exception/IntentExpiredException.php

@@ -0,0 +1,19 @@
+<?php
+
+/*
+ * This file is part of the Active Collab Authentication project.
+ *
+ * (c) A51 doo <[email protected]>. All rights reserved.
+ */
+
+declare(strict_types=1);
+
+namespace ActiveCollab\Authentication\Exception;
+
+class IntentExpiredException extends RuntimeException
+{
+    protected function getAuthExceptionMessage(): string
+    {
+        return 'Intent expired.';
+    }
+}

src/Exception/IntentFulfilledException.php

@@ -0,0 +1,19 @@
+<?php
+
+/*
+ * This file is part of the Active Collab Authentication project.
+ *
+ * (c) A51 doo <[email protected]>. All rights reserved.
+ */
+
+declare(strict_types=1);
+
+namespace ActiveCollab\Authentication\Exception;
+
+class IntentFulfilledException extends RuntimeException
+{
+    protected function getAuthExceptionMessage(): string
+    {
+        return 'Intent already fulfilled.';
+    }
+}