MemberAuthenticator::getLostPasswordHandler() - Code Metrics - Inspection of "Move default admin" - silverstripe/silverstripe-framework - Measure and Improve Code Quality continuously with Scrutinizer

Completed

Pull Request — master (#7026)

by Damian

created 2017-06-15 05:26 UTC

MemberAuthenticator::getLostPasswordHandler() A

↳ Parent: MemberAuthenticator

Complexity

Conditions	1
Paths	1

Size

Total Lines	4
Code Lines	2

Duplication

Lines	0
Ratio	0 %

Importance

Changes

Metric	Value
cc	1
eloc	2
nc	1
nop	1
dl	0
loc	4
rs	10
c	0
b	0
f	0

<?php

namespace SilverStripe\Security\MemberAuthenticator;

use InvalidArgumentException;
use SilverStripe\Control\Controller;
use SilverStripe\Control\Session;
use SilverStripe\Core\Extensible;
use SilverStripe\ORM\ValidationResult;
use SilverStripe\Security\Authenticator;
use SilverStripe\Security\LoginAttempt;
use SilverStripe\Security\Member;
use SilverStripe\Security\PasswordEncryptor;
use SilverStripe\Security\Security;
use SilverStripe\Security\DefaultAdminService;

/**
 * Authenticator for the default "member" method
 *
 * @author Sam Minnee <[email protected]>
 * @author Simon Erkelens <[email protected]>
 */
class MemberAuthenticator implements Authenticator
{
    use Extensible;

    public function supportedServices()
    {
        // Bitwise-OR of all the supported services in this Authenticator, to make a bitmask
        return Authenticator::LOGIN | Authenticator::LOGOUT | Authenticator::CHANGE_PASSWORD
            | Authenticator::RESET_PASSWORD | Authenticator::CHECK_PASSWORD;
    }

    /**
     * @param array $data
     * @param null|ValidationResult $result
     * @return null|Member
     */
    public function authenticate($data, ValidationResult &$result = null)
    {
        // Find authenticated member
        $member = $this->authenticateMember($data, $result);

        // Optionally record every login attempt as a {@link LoginAttempt} object
        $this->recordLoginAttempt($data, $member, $result->isValid());
function someFunction(A $objectMaybe = null)
{
    if ($objectMaybe instanceof A) {
        $objectMaybe->doSomething();
    }
}

        if ($member) {
            Session::clear('BackURL');
        }

        return $result->isValid() ? $member : null;
    }

    /**
     * Attempt to find and authenticate member if possible from the given data
     *
     * @param array $data Form submitted data
     * @param ValidationResult $result
     * @param Member $member This third parameter is used in the CMSAuthenticator(s)
     * @return Member Found member, regardless of successful login
     */
    protected function authenticateMember($data, ValidationResult &$result = null, Member $member = null)
    {
        $email = !empty($data['Email']) ? $data['Email'] : null;
        $result = $result ?: ValidationResult::create();

        // Check default login (see Security::setDefaultAdmin())

        $asDefaultAdmin = DefaultAdminService::isDefaultAdmin($email);
        if ($asDefaultAdmin) {
            // If logging is as default admin, ensure record is setup correctly
            $member = DefaultAdminService::singleton()->findOrCreateDefaultAdmin();
            $member->validateCanLogin($result);
            if ($result->isValid()) {
                // Check if default admin credentials are correct
                if (DefaultAdminService::isDefaultAdminCredentials($email, $data['Password'])) {
                    return $member;
                } else {
                    $result->addError(_t(
                        'SilverStripe\\Security\\Member.ERRORWRONGCRED',
                        "The provided details don't seem to be correct. Please try again."
                    ));
                }
            }
        }

        // Attempt to identify user by email
        if (!$member && $email) {
            // Find user by email
            $identifierField = Member::config()->get('unique_identifier_field');
            /** @var Member $member */
            $member = Member::get()
                ->filter([$identifierField => $email])
                ->first();
        }

        // Validate against member if possible
        if ($member && !$asDefaultAdmin) {
            $this->checkPassword($member, $data['Password'], $result);
        }

        // Emit failure to member and form (if available)
        if (!$result->isValid()) {
            if ($member) {
                $member->registerFailedLogin();
            }
        } elseif ($member) {
            $member->registerSuccessfulLogin();
        } else {
            // A non-existing member occurred. This will make the result "valid" so let's invalidate
            $result->addError(_t(
                'SilverStripe\\Security\\Member.ERRORWRONGCRED',
                "The provided details don't seem to be correct. Please try again."
            ));
            return null;
        }

        return $member;
    }

    /**
     * Check if the passed password matches the stored one (if the member is not locked out).
     *
     * Note, we don't return early, to prevent differences in timings to give away if a member
     * password is invalid.
     *
     * @param Member $member
     * @param string $password
     * @param ValidationResult $result
     * @return ValidationResult
     */
    public function checkPassword(Member $member, $password, ValidationResult &$result = null)
    {
        // Check if allowed to login
        $result = $member->validateCanLogin($result);
        if (!$result->isValid()) {
            return $result;
        }

        // Allow default admin to login as self
        if (DefaultAdminService::isDefaultAdminCredentials($member->Email, $password)) {
            return $result;
        }

        // Check a password is set on this member
        if (empty($member->Password) && $member->exists()) {
            $result->addError(_t(__CLASS__ . '.NoPassword', 'There is no password on this member.'));
        }

        $encryptor = PasswordEncryptor::create_for_algorithm($member->PasswordEncryption);
        if (!$encryptor->check($member->Password, $password, $member->Salt, $member)) {
            $result->addError(_t(
                __CLASS__ . '.ERRORWRONGCRED',
                'The provided details don\'t seem to be correct. Please try again.'
            ));
        }

        return $result;
    }


    /**
     * Log login attempt
     * TODO We could handle this with an extension
     *
     * @param array $data
     * @param Member $member
     * @param boolean $success
     */
    protected function recordLoginAttempt($data, $member, $success)
    {
        if (!Security::config()->get('login_recording')) {
            return;
        }

        // Check email is valid
        /** @skipUpgrade */
        $email = isset($data['Email']) ? $data['Email'] : null;
        if (is_array($email)) {
            throw new InvalidArgumentException("Bad email passed to MemberAuthenticator::authenticate(): $email");
        }

        $attempt = LoginAttempt::create();
        if ($success && $member) {
            // successful login (member is existing with matching password)
            $attempt->MemberID = $member->ID;
            $attempt->Status = 'Success';

            // Audit logging hook
            $member->extend('authenticationSucceeded');
        } else {
            // Failed login - we're trying to see if a user exists with this email (disregarding wrong passwords)
            $attempt->Status = 'Failure';
            if ($member) {
                // Audit logging hook
                $attempt->MemberID = $member->ID;
                $member->extend('authenticationFailed');
            } else {
                // Audit logging hook
                Member::singleton()->extend('authenticationFailedUnknownUser', $data);
            }
        }

        $attempt->Email = $email;
        $attempt->IP = Controller::curr()->getRequest()->getIP();
        $attempt->write();
    }

    /**
     * @param string $link
     * @return LostPasswordHandler
     */
    public function getLostPasswordHandler($link)
    {
        return LostPasswordHandler::create($link, $this);
    }

    /**
     * @param string $link
     * @return ChangePasswordHandler
     */
    public function getChangePasswordHandler($link)
    {
        return ChangePasswordHandler::create($link, $this);
    }

    /**
     * @param string $link
     * @return LoginHandler
     */
    public function getLoginHandler($link)
    {
        return LoginHandler::create($link, $this);
    }

    /**
     * @param string $link
     * @return LogoutHandler
     */
    public function getLogoutHandler($link)
    {
        return LogoutHandler::create($link, $this);
    }
}


1			<?php
2
3			namespace SilverStripe\Security\MemberAuthenticator;
4
5			use InvalidArgumentException;
6			use SilverStripe\Control\Controller;
7			use SilverStripe\Control\Session;
8			use SilverStripe\Core\Extensible;
9			use SilverStripe\ORM\ValidationResult;
10			use SilverStripe\Security\Authenticator;
11			use SilverStripe\Security\LoginAttempt;
12			use SilverStripe\Security\Member;
13			use SilverStripe\Security\PasswordEncryptor;
14			use SilverStripe\Security\Security;
15			use SilverStripe\Security\DefaultAdminService;
16
17			/**
18			* Authenticator for the default "member" method
19			*
20			* @author Sam Minnee <[email protected]>
21			* @author Simon Erkelens <[email protected]>
22			*/
23			class MemberAuthenticator implements Authenticator
24			{
25			use Extensible;
26
27			public function supportedServices()
28			{
29			// Bitwise-OR of all the supported services in this Authenticator, to make a bitmask
30			return Authenticator::LOGIN \| Authenticator::LOGOUT \| Authenticator::CHANGE_PASSWORD
31			\| Authenticator::RESET_PASSWORD \| Authenticator::CHECK_PASSWORD;
32			}
33
34			/**
35			* @param array $data
36			* @param null\|ValidationResult $result
37			* @return null\|Member
38			*/
39			public function authenticate($data, ValidationResult &$result = null)
40			{
41			// Find authenticated member
42			$member = $this->authenticateMember($data, $result);
43
44			// Optionally record every login attempt as a {@link LoginAttempt} object
45			$this->recordLoginAttempt($data, $member, $result->isValid());
			0 ignored issues – show Bug introduced 2017-06-07 02:54 UTC by Report Bug Copy Issue Report It seems like `$result` is not always an object, but can also be of type `null`. Maybe add an additional type check? If a variable is not always an object, we recommend to add an additional type check to ensure your method call is safe: function someFunction(A $objectMaybe = null) { if ($objectMaybe instanceof A) { $objectMaybe->doSomething(); } } Loading history... Bug introduced 2017-06-14 23:37 UTC by Report Bug Copy Issue Report It seems like `$member` defined by `$this->authenticateMember($data, $result)` on line `42` can be `null`; however, `SilverStripe\Security\Me...r::recordLoginAttempt()` does not accept `null`, maybe add an additional type check? Unless you are absolutely sure that the expression can never be null because of other conditions, we strongly recommend to add an additional type check to your code: /** @return stdClass\|null */ function mayReturnNull() { } function doesNotAcceptNull(stdClass $x) { } // With potential error. function withoutCheck() { $x = mayReturnNull(); doesNotAcceptNull($x); // Potential error here. } // Safe - Alternative 1 function withCheck1() { $x = mayReturnNull(); if ( ! $x instanceof stdClass) { throw new \LogicException('$x must be defined.'); } doesNotAcceptNull($x); } // Safe - Alternative 2 function withCheck2() { $x = mayReturnNull(); if ($x instanceof stdClass) { doesNotAcceptNull($x); } } Loading history...
46
47			if ($member) {
48			Session::clear('BackURL');
49			}
50
51			return $result->isValid() ? $member : null;
52			}
53
54			/**
55			* Attempt to find and authenticate member if possible from the given data
56			*
57			* @param array $data Form submitted data
58			* @param ValidationResult $result
59			* @param Member $member This third parameter is used in the CMSAuthenticator(s)
60			* @return Member Found member, regardless of successful login
61			*/
62			protected function authenticateMember($data, ValidationResult &$result = null, Member $member = null)
63			{
64			$email = !empty($data['Email']) ? $data['Email'] : null;
65			$result = $result ?: ValidationResult::create();
66
67			// Check default login (see Security::setDefaultAdmin())
			0 ignored issues – show Unused Code Comprehensibility introduced 2016-11-01 00:55 UTC by Report Bug Copy Issue Report `38%` of this comment could be valid code. Did you maybe forget this after debugging? Sometimes obsolete code just ends up commented out instead of removed. In this case it is better to remove the code once you have checked you do not need it. The code might also have been commented out for debugging purposes. In this case it is vital that someone uncomments it again or your project may behave in very unexpected ways in production. This check looks for comments that seem to be mostly valid code and reports them. Loading history...
68			$asDefaultAdmin = DefaultAdminService::isDefaultAdmin($email);
69			if ($asDefaultAdmin) {
70			// If logging is as default admin, ensure record is setup correctly
71			$member = DefaultAdminService::singleton()->findOrCreateDefaultAdmin();
72			$member->validateCanLogin($result);
73			if ($result->isValid()) {
74			// Check if default admin credentials are correct
75			if (DefaultAdminService::isDefaultAdminCredentials($email, $data['Password'])) {
76			return $member;
77			} else {
78			$result->addError(_t(
79			'SilverStripe\\Security\\Member.ERRORWRONGCRED',
80			"The provided details don't seem to be correct. Please try again."
81			));
82			}
83			}
84			}
85
86			// Attempt to identify user by email
87			if (!$member && $email) {
88			// Find user by email
89			$identifierField = Member::config()->get('unique_identifier_field');
90			/** @var Member $member */
91			$member = Member::get()
92			->filter([$identifierField => $email])
93			->first();
94			}
95
96			// Validate against member if possible
97			if ($member && !$asDefaultAdmin) {
98			$this->checkPassword($member, $data['Password'], $result);
99			}
100
101			// Emit failure to member and form (if available)
102			if (!$result->isValid()) {
103			if ($member) {
104			$member->registerFailedLogin();
105			}
106			} elseif ($member) {
107			$member->registerSuccessfulLogin();
108			} else {
109			// A non-existing member occurred. This will make the result "valid" so let's invalidate
110			$result->addError(_t(
111			'SilverStripe\\Security\\Member.ERRORWRONGCRED',
112			"The provided details don't seem to be correct. Please try again."
113			));
114			return null;
115			}
116
117			return $member;
118			}
119
120			/**
121			* Check if the passed password matches the stored one (if the member is not locked out).
122			*
123			* Note, we don't return early, to prevent differences in timings to give away if a member
124			* password is invalid.
125			*
126			* @param Member $member
127			* @param string $password
128			* @param ValidationResult $result
129			* @return ValidationResult
130			*/
131			public function checkPassword(Member $member, $password, ValidationResult &$result = null)
132			{
133			// Check if allowed to login
134			$result = $member->validateCanLogin($result);
135			if (!$result->isValid()) {
136			return $result;
137			}
138
139			// Allow default admin to login as self
140			if (DefaultAdminService::isDefaultAdminCredentials($member->Email, $password)) {
141			return $result;
142			}
143
144			// Check a password is set on this member
145			if (empty($member->Password) && $member->exists()) {
146			$result->addError(_t(__CLASS__ . '.NoPassword', 'There is no password on this member.'));
147			}
148
149			$encryptor = PasswordEncryptor::create_for_algorithm($member->PasswordEncryption);
150			if (!$encryptor->check($member->Password, $password, $member->Salt, $member)) {
151			$result->addError(_t(
152			__CLASS__ . '.ERRORWRONGCRED',
153			'The provided details don\'t seem to be correct. Please try again.'
154			));
155			}
156
157			return $result;
158			}
159
160
161			/**
162			* Log login attempt
163			* TODO We could handle this with an extension
164			*
165			* @param array $data
166			* @param Member $member
167			* @param boolean $success
168			*/
169			protected function recordLoginAttempt($data, $member, $success)
170			{
171			if (!Security::config()->get('login_recording')) {
172			return;
173			}
174
175			// Check email is valid
176			/** @skipUpgrade */
177			$email = isset($data['Email']) ? $data['Email'] : null;
178			if (is_array($email)) {
179			throw new InvalidArgumentException("Bad email passed to MemberAuthenticator::authenticate(): $email");
180			}
181
182			$attempt = LoginAttempt::create();
183			if ($success && $member) {
184			// successful login (member is existing with matching password)
185			$attempt->MemberID = $member->ID;
186			$attempt->Status = 'Success';
187
188			// Audit logging hook
189			$member->extend('authenticationSucceeded');
190			} else {
191			// Failed login - we're trying to see if a user exists with this email (disregarding wrong passwords)
192			$attempt->Status = 'Failure';
193			if ($member) {
194			// Audit logging hook
195			$attempt->MemberID = $member->ID;
196			$member->extend('authenticationFailed');
197			} else {
198			// Audit logging hook
199			Member::singleton()->extend('authenticationFailedUnknownUser', $data);
200			}
201			}
202
203			$attempt->Email = $email;
204			$attempt->IP = Controller::curr()->getRequest()->getIP();
205			$attempt->write();
206			}
207
208			/**
209			* @param string $link
210			* @return LostPasswordHandler
211			*/
212			public function getLostPasswordHandler($link)
213			{
214			return LostPasswordHandler::create($link, $this);
215			}
216
217			/**
218			* @param string $link
219			* @return ChangePasswordHandler
220			*/
221			public function getChangePasswordHandler($link)
222			{
223			return ChangePasswordHandler::create($link, $this);
224			}
225
226			/**
227			* @param string $link
228			* @return LoginHandler
229			*/
230			public function getLoginHandler($link)
231			{
232			return LoginHandler::create($link, $this);
233			}
234
235			/**
236			* @param string $link
237			* @return LogoutHandler
238			*/
239			public function getLogoutHandler($link)
240			{
241			return LogoutHandler::create($link, $this);
242			}
243			}
244

silverstripe / silverstripe-framework

Pull Request — master (#7026)

MemberAuthenticator::getLostPasswordHandler() A

Complexity

Size

Duplication

Importance

Duplication Side-by-Side

Filter issues like