Start replacing authentication methods

Author: riasvdv

routes/actions.php

@@ -6,6 +6,9 @@
 use CraftCms\Cms\Edition;
 use CraftCms\Cms\Http\Controllers\AddressesController;
 use CraftCms\Cms\Http\Controllers\ApiController;
+use CraftCms\Cms\Http\Controllers\Auth\LoginController;
+use CraftCms\Cms\Http\Controllers\Auth\PasskeyController;
+use CraftCms\Cms\Http\Controllers\Auth\TwoFactorAuthenticationController;
 use CraftCms\Cms\Http\Controllers\BaseUpdaterController;
 use CraftCms\Cms\Http\Controllers\ConfigSyncController;
 use CraftCms\Cms\Http\Controllers\Dashboard\Widgets\CraftSupportController;
@@ -105,6 +108,13 @@
     Route::any('app/process-api-response-headers', [ApiController::class, 'processResponseHeaders']);
     Route::any('app/get-utilities-badge-count', [UtilitiesController::class, 'badgeCount']);
 
+    // Auth
+    Route::post('users/login', [LoginController::class, 'attemptLogin']);
+    Route::post('auth/verify-totp', [TwoFactorAuthenticationController::class, 'verify']);
+    Route::post('auth/verify-recovery-code', [TwoFactorAuthenticationController::class, 'verifyRecoveryCode']);
+    Route::post('auth/passkey-request-options', [PasskeyController::class, 'requestOptions']);
+    Route::post('users/login-with-passkey', [PasskeyController::class, 'login']);
+
     // Updater
     Route::prefix('updater')->group(function () {
         Route::post('/', [UpdaterController::class, 'index']);

routes/cp.php

@@ -2,7 +2,10 @@
 
 declare(strict_types=1);
 
+use CraftCms\Cms\Auth\Enums\CpAuthPath;
 use CraftCms\Cms\Edition;
+use CraftCms\Cms\Http\Controllers\Auth\LoginController;
+use CraftCms\Cms\Http\Controllers\Auth\TwoFactorAuthenticationController;
 use CraftCms\Cms\Http\Controllers\Dashboard\DashboardController;
 use CraftCms\Cms\Http\Controllers\Entries\CreateEntryController;
 use CraftCms\Cms\Http\Controllers\Entries\EntriesIndexController;
@@ -38,10 +41,14 @@
 Route::get('install', [InstallController::class, 'index'])
     ->middleware([HandleInertiaRequests::class]);
 
+Route::get(CpAuthPath::Login->value, [LoginController::class, 'showLogin']);
+Route::get(CpAuthPath::TwoFactorChallenge->value, [TwoFactorAuthenticationController::class, 'showForm']);
+
 /**
  * Admin requests that require a login
  */
 Route::middleware('auth:craft')->group(function () {
+    Route::get(CpAuthPath::Logout->value, [LoginController::class, 'logout']);
     Route::get('dashboard', DashboardController::class);
 
     Route::get('utilities', [UtilitiesController::class, 'index']);

src/Auth/AuthServiceProvider.php

@@ -0,0 +1,75 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CraftCms\Cms\Auth;
+
+use CraftCms\Cms\Edition;
+use CraftCms\Cms\User\Elements\User;
+use CraftCms\Cms\User\UserPermissions;
+use Illuminate\Contracts\Auth\Access\Authorizable;
+use Illuminate\Contracts\Hashing\Hasher;
+use Illuminate\Foundation\Application;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Config;
+use Illuminate\Support\Facades\Gate;
+use Illuminate\Support\ServiceProvider;
+use Override;
+
+final class AuthServiceProvider extends ServiceProvider
+{
+    #[Override]
+    public function register(): void
+    {
+        Auth::provider('craft', fn (Application $app) => new UserProvider($app->make(Hasher::class)));
+
+        if (! Config::has('auth.guards.craft')) {
+            Config::set('auth.guards.craft', [
+                'driver' => 'session',
+                'provider' => 'craft',
+            ]);
+        }
+
+        if (! Config::has('auth.providers.craft')) {
+            Config::set('auth.providers.craft', [
+                'driver' => 'craft',
+                'model' => User::class,
+            ]);
+        }
+
+        /**
+         * This hooks our permission system into
+         * Laravel's Gate authorization system
+         */
+        Gate::after(function (Authorizable $user, string $ability, ?bool $result) {
+            if (! $user instanceof User) {
+                return null;
+            }
+
+            /**
+             * Only check our permissions when the
+             * result was not explicitly set.
+             */
+            if (! is_null($result)) {
+                return $result;
+            }
+
+            if (
+                $user->admin ||
+                Edition::get() === Edition::Solo
+            ) {
+                return true;
+            }
+
+            if (! isset($user->id)) {
+                return null;
+            }
+
+            if (! app(UserPermissions::class)->doesUserHavePermission($user->id, $ability)) {
+                return null;
+            }
+
+            return true;
+        });
+    }
+}

src/Auth/Enums/CpAuthPath.php

@@ -0,0 +1,15 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CraftCms\Cms\Auth\Enums;
+
+enum CpAuthPath: string
+{
+    case Login = 'login';
+    case TwoFactorChallenge = 'two-factor-challenge';
+    case Logout = 'logout';
+    case SetPassword = 'set-password';
+    case VerifyEmail = 'verify-email';
+    case Update = 'update';
+}

src/Http/Controllers/Auth/AuthenticationController.php

@@ -0,0 +1,59 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CraftCms\Cms\Http\Controllers\Auth;
+
+use Craft;
+use craft\helpers\User as UserHelper;
+use CraftCms\Cms\Config\GeneralConfig;
+use CraftCms\Cms\Http\RespondsWithFlash;
+use CraftCms\Cms\User\Elements\User;
+use Illuminate\Auth\Events\Failed;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Facades\Event;
+use Symfony\Component\HttpFoundation\Response;
+
+abstract readonly class AuthenticationController
+{
+    use RespondsWithFlash;
+
+    public function __construct(
+        protected GeneralConfig $generalConfig,
+    ) {}
+
+    protected function completeLogin(Request $request, User $user, bool $remember): Response
+    {
+        Auth::guard('craft')
+            ->setRememberDuration((int) $this->generalConfig->rememberedUserSessionDuration / 60)
+            ->login($user, $remember);
+
+        return $this->handleSuccessfulLogin($request, $user);
+    }
+
+    protected function handleSuccessfulLogin(Request $request, User $user): Response
+    {
+        $returnUrl = Craft::$app->getUser()->getReturnUrl();
+        if ($request->wantsJson()) {
+            return $this->asModelSuccess($user, modelName: 'user', data: [
+                'returnUrl' => $returnUrl,
+            ]);
+        }
+
+        return $this->redirectToPostedUrl($user, $returnUrl);
+    }
+
+    protected function handleLoginFailure(Request $request, ?string $authError = null, ?User $user = null): Response
+    {
+        [$authError, $message] = UserHelper::getLoginFailureInfo($authError, $user);
+
+        Event::dispatch(new Failed(
+            guard: 'craft',
+            user: $user,
+            credentials: $request->only('loginName', 'password'),
+        ));
+
+        return $this->asFailure($message, ['errorCode' => $authError]);
+    }
+}

src/Http/Controllers/Auth/LoginController.php

@@ -0,0 +1,111 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CraftCms\Cms\Http\Controllers\Auth;
+
+use Craft;
+use craft\helpers\UrlHelper;
+use CraftCms\Cms\Auth\Enums\CpAuthPath;
+use CraftCms\Cms\User\Elements\User;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Illuminate\Support\Timebox;
+use RuntimeException;
+use Symfony\Component\HttpFoundation\Response;
+
+use function CraftCms\Cms\cp_url;
+
+final readonly class LoginController extends AuthenticationController
+{
+    public function showLogin(Request $request)
+    {
+        // see if they're already logged in
+        if ($user = $request->user()) {
+            return $this->handleSuccessfulLogin($request, $user);
+        }
+
+        // should we be showing the 2FA form?
+        if ($request->input('verify')) {
+            return redirect()->action([TwoFactorAuthenticationController::class, 'showForm']);
+        }
+
+        // TODO: _rerouteWithFallbackTemplate??
+        return view('craftcms::login');
+    }
+
+    public function attemptLogin(Request $request): Response
+    {
+        $request->validate([
+            'loginName' => ['required', 'string'],
+            'password' => ['required', 'string'],
+            'rememberMe' => ['nullable'],
+        ]);
+
+        /** @var \CraftCms\Cms\Auth\UserProvider $provider */
+        $provider = Auth::guard('craft')->getProvider();
+        $user = $provider->retrieveByCredentials($request->only('loginName', 'password'));
+
+        return new Timebox()->call(function () use ($request, $provider, $user) {
+            if (! $user || $user->password === null) {
+                return $this->handleLoginFailure($request, User::AUTH_INVALID_CREDENTIALS);
+            }
+
+            if (! $provider->validateCredentials($user, ['password' => $request->input('password')])) {
+                return $this->handleLoginFailure($request, $user->authError, $user);
+            }
+
+            // Valid credentials
+            if (config('hashing.rehash_on_login', true)) {
+                $provider->rehashPasswordIfRequired($user, ['password' => $request->input('password')]);
+            }
+
+            $authService = Craft::$app->getAuth();
+            if (! $this->generalConfig->disable2fa && $authService->hasActiveMethod($user)) {
+                $request->session()->put('user.id', $user->id);
+
+                if (! $request->isCpRequest() && ! $request->wantsJson()) {
+                    $loginPath = $this->generalConfig->getLoginPath();
+
+                    if (! $loginPath) {
+                        $request->session()->forget('user.id');
+                        throw new RuntimeException('User requires two-step verification, but the loginPath config setting is disabled.');
+                    }
+
+                    return redirect(UrlHelper::siteUrl($loginPath, array_filter([
+                        'verify' => 1,
+                        'returnUrl' => $this->getPostedRedirectUrl($user),
+                    ])));
+                }
+
+                return redirect()->action([TwoFactorAuthenticationController::class, 'showForm']);
+            }
+
+            // if we're impersonating, pass the user we're impersonating to the complete method
+            $impersonator = Craft::$app->getUser()->getImpersonator();
+            if ($impersonator !== null) {
+                $user = Auth::user() ?? $user;
+            }
+
+            return $this->completeLogin($request, $user, $request->boolean('rememberMe'));
+        }, 30_000);
+    }
+
+    public function logout(Request $request): Response
+    {
+        Auth::guard('craft')->logout();
+
+        if ($request->wantsJson()) {
+            return $this->asSuccess();
+        }
+
+        // Redirect to the login page if this is a control panel request
+        if ($request->isCpRequest()) {
+            return redirect(cp_url(CpAuthPath::Login->value));
+        }
+
+        return $this->asSuccess(
+            redirect: $this->generalConfig->getPostLogoutRedirect()
+        );
+    }
+}

src/Http/Controllers/Auth/PasskeyController.php

@@ -0,0 +1,62 @@
+<?php
+
+declare(strict_types=1);
+
+namespace CraftCms\Cms\Http\Controllers\Auth;
+
+use Craft;
+use CraftCms\Cms\Auth\Models\WebAuthn;
+use CraftCms\Cms\Support\Json;
+use CraftCms\Cms\User\Elements\User;
+use Illuminate\Http\JsonResponse;
+use Illuminate\Http\Request;
+use Illuminate\Support\Facades\Auth;
+use Symfony\Component\HttpFoundation\Response;
+
+use function CraftCms\Cms\t;
+
+final readonly class PasskeyController extends AuthenticationController
+{
+    public function requestOptions(): JsonResponse
+    {
+        return new JsonResponse([
+            'options' => Craft::$app->getAuth()->getPasskeyRequestOptions(),
+        ]);
+    }
+
+    public function login(Request $request): Response
+    {
+        $request->validate([
+            'requestOptions' => ['required'],
+            'response' => ['required'],
+        ]);
+
+        $duration = $this->generalConfig->userSessionDuration;
+
+        $requestOptions = $request->input('requestOptions');
+        $response = $request->input('response');
+        $credential = WebAuthn::where('credentialId', Json::decode($response)['id'])->first();
+
+        if ($credential === null) {
+            return $this->asFailure(t('Passkey authentication failed.'));
+        }
+
+        $user = User::findOne(['id' => $credential->userId]);
+
+        if ($user === null) {
+            return $this->handleLoginFailure($request);
+        }
+
+        if (! $user->authenticateWithPasskey($requestOptions, $response)) {
+            return $this->handleLoginFailure($request, $user->authError, $user);
+        }
+
+        // if we're impersonating, pass the user we're impersonating to the complete method
+        $userSession = Craft::$app->getUser();
+        if ($userSession->getImpersonator() !== null) {
+            $user = Auth::user();
+        }
+
+        return $this->completeLogin($request, $user, $duration > 0);
+    }
+}