
listen to request before authentication or rewrite /login_check in symfony3

I'm trying to register an eventListener which would be called before the /login_check tries to login the user.

I'm writing a DDoS protection: I log each try in the database (date, user_id, is_failure), and if a user has more than N wrong login attempts, I generate a token sent by email to the right user's email address. Anyone without this token will be forbidden to try another login for 10 minutes.

To proceed, I need to:

  • either be able to register an eventListener at the start of /login_check
  • or be able to rewrite /login_check to add the event

I didn't find any event about "pre_authentication"; do you have a solution?

I won't write the code in a repository method to load a user; that's not its place.

Thanks

I had a similar problem a few days ago. And like you said, I couldn't find a suitable "pre_authentication" event either at which point I could execute my checks even before the authentication was attempted. (AuthenticationSuccess and AuthenticationFailure handlers weren't an option in my case since I wanted to block the attempt before it was even tried.)

But in the end I found an approach that did work in my case (although there may be a better one, I couldn't find it).

If your application is using the default username/password authentication you could do this:

  1. Extend the UsernamePasswordFormAuthenticationListener

     <?php

     namespace AppBundle\Listener;

     use Doctrine\ORM\EntityManagerInterface;
     use Symfony\Component\HttpFoundation\RedirectResponse;
     use Symfony\Component\HttpFoundation\Request;
     use Symfony\Component\HttpFoundation\Response;
     use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
     use Symfony\Component\Security\Http\Firewall\UsernamePasswordFormAuthenticationListener as BaseListener;

     class UsernamePasswordFormAuthenticationListener extends BaseListener
     {
         /** @var EntityManagerInterface */
         protected $entityManager;

         /**
          * Setter is called through the DI container (see the services.yml below).
          *
          * @param EntityManagerInterface $entityManager
          */
         public function setEntityManager(EntityManagerInterface $entityManager)
         {
             $this->entityManager = $entityManager;
         }

         /**
          * Runs before the credentials are handed to the authentication manager.
          *
          * @param Request $request
          *
          * @return null|RedirectResponse|Response|TokenInterface
          */
         protected function attemptAuthentication(Request $request)
         {
             // Do your logic and whatnot here,
             // e.g. return a redirect response if the token is needed but missing.
             return parent::attemptAuthentication($request);
         }
     }
  2. Overwrite the original service in your services.yml

     security.authentication.listener.form:
         class: AppBundle\Listener\UsernamePasswordFormAuthenticationListener
         parent: security.authentication.listener.abstract
         abstract: true
         calls:
             - [setEntityManager, ["@doctrine.orm.entity_manager"]]

(Using setter injection here because the constructor needs like a ton of parameters)

Maybe this approach could fit your needs and nobody has a better idea
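As an added example (not code from the question or the answer above), the following stand-alone PHP script implements the throttling rule the question describes: every attempt is recorded with its date and outcome, and once a user has more than N failures an unlock token is generated (in the real application it would be e-mailed) and further attempts without that token are refused for 10 minutes. The in-memory arrays stand in for the database table, `LoginThrottle` is a hypothetical class name, and the request parameter `_unlock_token` in the closing comment is an assumption; the integration point is the `attemptAuthentication()` override from the answer.

```php
<?php
// Added example, not part of the original post. The attempt log and the lock
// table are plain arrays standing in for the database; e-mail sending is
// replaced by returning the token so the whole flow can be run from the CLI.

declare(strict_types=1);

final class LoginThrottle   // hypothetical class name
{
    /** @var int failures allowed before the account is locked (the question's N) */
    private $maxFailures;
    /** @var int lock duration in seconds (10 minutes in the question) */
    private $lockSeconds;
    /** @var array<string, array<int, array{ts:int, failure:bool}>> attempts per user id */
    private $attempts = [];
    /** @var array<string, array{token:string, until:int}> active locks per user id */
    private $locks = [];

    public function __construct(int $maxFailures = 5, int $lockSeconds = 600)
    {
        $this->maxFailures = $maxFailures;
        $this->lockSeconds = $lockSeconds;
    }

    /**
     * Called BEFORE the password is verified (i.e. from attemptAuthentication()).
     * Returns null when the attempt may proceed, or 'locked' when it must be refused.
     */
    public function check(string $userId, ?string $presentedToken, int $now): ?string
    {
        if (!isset($this->locks[$userId])) {
            return null;
        }
        $lock = $this->locks[$userId];
        if ($now >= $lock['until']) {
            unset($this->locks[$userId]);   // the 10-minute lock has expired
            $this->attempts[$userId] = [];  // start counting afresh
            return null;
        }
        // Constant-time comparison: the mailbox owner proves control with the token.
        if ($presentedToken !== null && hash_equals($lock['token'], $presentedToken)) {
            return null;
        }
        return 'locked';
    }

    /**
     * Called from the success/failure handlers with the outcome of an attempt.
     * Returns the unlock token when this failure crossed the threshold (the
     * caller e-mails it to the account owner), otherwise null.
     */
    public function record(string $userId, bool $failure, int $now): ?string
    {
        $this->attempts[$userId][] = ['ts' => $now, 'failure' => $failure];
        if (!$failure) {
            $this->attempts[$userId] = [];  // a successful login clears the history
            unset($this->locks[$userId]);
            return null;
        }
        $failures = 0;
        foreach ($this->attempts[$userId] as $attempt) {
            if ($attempt['failure']) {
                $failures++;
            }
        }
        if ($failures > $this->maxFailures && !isset($this->locks[$userId])) {
            $token = bin2hex(random_bytes(16));  // 128-bit random unlock token
            $this->locks[$userId] = ['token' => $token, 'until' => $now + $this->lockSeconds];
            return $token;
        }
        return null;
    }
}

// Constructed walk-through: N = 3, so the 4th failure locks the account.
$throttle = new LoginThrottle(3, 600);
$base = 1000000;   // constructed "now" in epoch seconds
$unlockToken = null;
for ($i = 1; $i <= 4; $i++) {
    if ($throttle->check('alice', null, $base + $i) === null) {
        $issued = $throttle->record('alice', true, $base + $i);
        if ($issued !== null) {
            $unlockToken = $issued;
            echo "failure {$i}: account locked, token {$issued} would be e-mailed\n";
        }
    }
}
echo $throttle->check('alice', null, $base + 5) === 'locked' ? "refused without token\n" : "allowed\n";
echo $throttle->check('alice', $unlockToken, $base + 5) === null ? "allowed with token\n" : "refused\n";
echo $throttle->check('alice', null, $base + 700) === null ? "allowed after 10 minutes\n" : "refused\n";

// Inside the listener subclass from the answer, attemptAuthentication() would
// consult the throttle before delegating to the parent (field names assumed;
// '_username' is Symfony's default form_login username parameter):
//   $userId = $request->request->get('_username', '');
//   $token  = $request->request->get('_unlock_token');
//   if ($this->throttle->check($userId, $token, time()) !== null) {
//       return new RedirectResponse($this->httpUtils->generateUri($request, '/login?locked=1'));
//   }
//   return parent::attemptAuthentication($request);
```

Two points worth keeping in mind when wiring this in: `check()` must run in `attemptAuthentication()` so that a locked account never reaches the user provider or the password encoder, while `record()` belongs in the authentication success and failure handlers the answer mentions, since only they know the outcome. The counter is keyed by the submitted username, which is what the question asks for, so a legitimate user can be locked out by someone else's failures; the e-mailed token is exactly the path that lets the real owner back in without waiting for the 10 minutes to elapse.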
