Typo3 自定义 FE 登录没有表单

Question

Update (2020-04-07) : Solution code based on accepted answer below the line.

I am building an extension for Typo3 v9.5 using extbase where I am trying to implement a different entry point for logging in frontend users (think: one-time token via e-mail). So the login form would be bypassed and the credentials retrieved from the DB to log in the user via code. With that said, I want to reuse as much of the login and session logic as possible, that is already there.

I have found a passable solution that superficially seems to work, but I'm not sure, if that is something that will keep working across updates ( $GLOBALS['TSFE']->fe_user being converted to the Context API) and I'm pretty convinced it's not the most elegant way. Ideally, I could use this with minor adaptions in the upcoming Typo3 v10. In some cases I'm not even sure I'm using APIs that are supposed to be used publicly.

Let me lay out what I've done so far in the most compact way I can think of:

<?php
# FILE: my_ext/Classes/Authentication/CustomAuthentication.php
use \TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;

class CustomAuthentication extends FrontendUserAuthentication {
  // FrontendUserAuthentication seems to be hard-coded to gather credentials
  // that were submitted via login form, so we have to work around that
  protected $_formData = [];

  // new method, set credentials normally entered via form
  public function setLoginFormData(array $data) {
    $this->_formData = $data;
  }

  // new method, set storage PID where user records are located, set via Extbase Controller/TS
  public function setStoragePid(int $pid) {
    $this->checkPid_value = $pid;
  }

  // override, ignore parent logic, simply return custom data
  public function getLoginFormData() {
    return $this->_formData;
  }
}

<?php
# FILE: my_ext/Classes/Controller/SessionController.php
use \TYPO3\CMS\Core\Context\Context;
use \TYPO3\CMS\Core\Context\UserAspect;
use \TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use MyExt\MyVendor\Authentication\CustomAuthentication;

class SessionController extends ActionController {
  // controller action
  public function someAction() {
    /*...*/
    $loginData = [ /* assume this is retrieved from somewhere */ ];
    $this->login($loginData);
    /*...*/
  }

  // perform login
  protected function login($data) {
    $feAuth = $this->objectManager->get(CustomAuthentication::class);
    // use my new methods to inject data
    $feAuth->setLoginFormData($data);
    $feAuth->setStoragePid($this->settings['pid']);
    // the next part imitates what is going on in 
    // typo3/sysext/frontend/Classes/Middleware/FrontendUserAuthenticator.php
    $feAuth->start();
    $feAuth->unpack_uc(); // necessary?
    $feAuth->fetchGroupData();

    // login successful?
    if(is_array($feAuth->user) && !empty($feAuth->groupData['uid']) {
      $this->setGlobals($feAuth, $feAuth->groupData['uid']);
      $feAuth->updateOnlineTimestamp(); // necessary?
    }
  }

  // perform logout
  protected function logout() {
    //$feAuth = $GLOBALS['TSFE']->fe_user; // deprecated?
    $feAuth = $this->objectManager->get(FrontendUserAuthentication::class);
    // 'rehydrate' the pristine object from the existing session
    $feAuth->start();
    $feAuth->unpack_uc(); // necessary?

    $feAuth->logoff();
    $feAuth->start(); // create fresh session ID, so we can use flash messages and stuff
    $this->setGlobals($feAuth);
  }

  protected function setGlobals(FrontendUserAuthentication $auth, array $grpData=[]) {
    $GLOBALS['TSFE']->fe_user = $feAuth; // TODO remove in Typo3 v10?

    $ctx = $this->objectManager->get(Context::class);
    $ctx->setAspect('frontend.user', $this->objectManager->get(UserAspect::class, $feAuth, $groupData));
    $feAuth->storeSessionData(); // necessary?
  }
}

I guess the question I have would be, whether there is a better way to do that or if anyone more familiar with the internals of Typo3 could comment, if this is acutally a viable possibility to achieve what I want to do with it. Thanks!

---

Update (2020-04-07):

I followed the suggestion from the accepted answer, and I'm posting my code, so other people may be able to use it, if necessary (in mostly abbreviated form).

Below is the service class, that will handle token verification.

# FILE: my_ext/Classes/Service/TokenAuthenticationService.php
<?php
use \TYPO3\CMS\Core\Authentication\AbstractAuthenticationService;
use \TYPO3\CMS\Core\Authentication\LoginType;
use \TYPO3\CMS\Core\Database\ConnectionPool;
use \TYPO3\CMS\Core\Utility\GeneralUtility;

class TokenAuthenticationService extends AbstractAuthenticationService {
  protected $timestamp_column = 'tstamp';  // last-changed timestamp
  protected $usertoken_column = 'tx_myext_login_token';

  public function getUser() {
    if($this->login['status'] !== LoginType::LOGIN) {
      return false;
    }

    if((string)$this->login['uname'] === '') {
      $this->logger->warning('Attempted token login with empty token', ['remote'=>$this->authInfo['REMOTE_ADDR']]);
      return false;
    }

    // fetch user record, make sure token was set at most 12 hours ago
    $qb = GeneralUtility::makeInstance(ConnectionPool::class)->getQueryBuilderForTable($this->db_user['table']);
    $where_clause = $qb->expr()->andX(
      $qb->expr()->eq($this->usertoken_column, $qb->expr()->literal($this->login['uname'])),
      $qb->expr()->gte($this->timestamp_column, (int)strtotime('-12 hour'))
    );

    // Typo3 v10 API will change here!
    $user = $this->fetchUserRecord('', $where_clause);
    if(!is_array($user)) {
      $this->logger->warning('Attempted token login with unknown or expired token', ['token'=>$this->login['uname']]);
      return false;
    } else {
      $this->logger->info('Successful token found', ['id'=>$user['uid'], 'username'=>$user['username'], 'token'=>$this->login['uname']]);
    }

    return $user;
  }

  public function authUser(array $user): int {
    // check, if the token that was submitted matches the one from the DB
    if($this->login['uname'] === $user[$this->usertoken_column]) {
      $this->logger->info('Successful token login', ['id'=>$user['uid'], 'username'=>$user['username'], 'token'=>$this->login['uname']]);
      return 200;
    }

    return 100;  // let other auth services try their luck
  }
}

Then register the Service:

# FILE: my_ext/ext_localconf.php
// Add auth service for token login
\TYPO3\CMS\Core\Utility\ExtensionManagementUtility::addService(
  $_EXTKEY,
  'auth',
  \MyVendor\MyExt\Service\TokenAuthenticationService::class,
  [
    'title' => 'Token Auth',
    'description' => 'Allows FE user login via one-time token',
    'subtype' => 'getUserFE,authUserFE',
    'available' => true,
    'priority' => 60,
    'quality' => 50,
    'className' => \MyVendor\MyExt\Service\TokenAuthenticationService::class
  ]
);

When creating a token, the user gets a link to a page with the added token parameter, like:

[...]/index.php?id=123&tx_myext_pi[action]=tokenAuth&tx_myext_pi[token]=whatever-was-stored-in-the-db

Since we need a few parameters to trigger the login middleware, we render a mostly hidden form on that landing page, which prompts the user to 'confirm'.

<!-- FILE: my_ext/Resources/Private/Templates/Some/TokenAuth.html -->
<f:if condition="{token}">
  <h2>Token Login</h2>

  <p>Please confirm</p>

  <f:form action="doLogin" fieldNamePrefix="">
    <f:form.hidden name="logintype" value="login" />
    <f:form.hidden name="pid" value="{settings.membersPid}" />
    <f:form.hidden name="user" value="{token}" />
    <f:form.button>Confirm</f:form.button>
  </f:form>
</f:if>

That request will now automatically perform the login, with all the right parameters. In your controller action, you can then add some kind of flash message or redirect to wherever it makes sense.

# FILE: my_ext/Classes/Controller/SomeController.php
<?php
use \TYPO3\CMS\Core\Context\Context;
use \TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
class SomeController extends ActionController {
  public function doLoginAction() {
    $ctx = $this->objectManager->get(Context::class);
    if($ctx->getPropertyFromAspect('frontend.user', 'isLoggedIn')) {
      // success
    } else {
      // failure
    }
  }
}

Answer 1

You should implement an authentication service this Service only needs to imlement the "authUser()" function. So every thing else might be handled by the core authentication.

See here for details https://docs.typo3.org/m/typo3/reference-services/8.7/en-us/Authentication/Index.html