From d3526a1230d70c07e46a9c7da599252d2a773dcb Mon Sep 17 00:00:00 2001
From: zerai
Date: Mon, 4 Mar 2024 17:34:37 +0100
Subject: [PATCH 1/3] Added custom login authenticator, + api connet me endpoint.

---
 .../Auth/ConnectMeController.php | 39 ++++++++
 config/packages/security.yaml | 24 ++---
 config/routes.yaml | 7 ++
 .../OeModulesLoginFormAuthenticator.php | 88 +++++++++++++++++++
 4 files changed, 146 insertions(+), 12 deletions(-)
 create mode 100644 _iam/src/AdapterForApi/Auth/ConnectMeController.php
 create mode 100644 src/Security/Authenticator/OeModulesLoginFormAuthenticator.php

diff --git a/_iam/src/AdapterForApi/Auth/ConnectMeController.php b/_iam/src/AdapterForApi/Auth/ConnectMeController.php
new file mode 100644
index 0000000..43295a8
--- /dev/null
+++ b/_iam/src/AdapterForApi/Auth/ConnectMeController.php
@@ -0,0 +1,39 @@
+getUser();
+
+ return $this->json([
+ 'id' => $user->getId(),
+ 'email' => $user->getEmail(),
+ ]);
+ }
+}
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index b6e100c..ebba662 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -12,12 +12,9 @@ security:
 dev:
 pattern: ^/(_(profiler|wdt)|css|images|js)/
 security: false
- api_token:
- pattern: ^/api/token$
- security: false
 api:
 pattern: ^/api
- security: true
+ security: false
 stateless: true
 oauth2: true
 main:
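Review bot: In the visible tail of ConnectMeController::index() the value of `$this->getUser()` is dereferenced (`$user->getId()`, `$user->getEmail()`) without a null guard, and the security.yaml hunk in this same patch sets `security: false` on the `^/api` firewall (and its second hunk comments out the `^/api` access_control rule), so an unauthenticated request reaches this action with a null user and fails with a TypeError rather than a 401/403. Patch 3/3 turns the firewall back on, but the action's only precondition should not depend on firewall configuration: `$user = $this->getUser() ?? throw $this->createAccessDeniedException();` keeps the 403 behaviour even if the firewall is misconfigured again. The hunk header announces 39 added lines but only the last eight survive in this rendering, so the namespace, imports, route attribute and the method signature are outside what is visible here.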
@@ -26,17 +23,20 @@ security:
 # interval: '5 minutes'
 lazy: true
 provider: app_user_provider
- form_login:
- login_path: app_login
- check_path: app_login
- enable_csrf: true
- default_target_path: app_index
- use_referer: true
+ custom_authenticators:
+ - App\Security\Authenticator\OeModulesLoginFormAuthenticator
+ #- Symfony\Component\Security\Http\Authenticator\FormAuthenticator
+# form_login:
+# login_path: app_login
+# check_path: app_login
+# enable_csrf: true
+# default_target_path: app_index
+# use_referer: true
 logout:
 path: app_logout
 target: app_index
- login_throttling: true
+ #login_throttling: true
 # activate different ways to authenticate
 # https://symfony.com/doc/current/security.html#the-firewall
@@ -62,7 +62,7 @@ security:
 - { path: ^/.well-known, roles: PUBLIC_ACCESS }
 - { path: ^/register, roles: PUBLIC_ACCESS }
 - { path: ^/verify, roles: PUBLIC_ACCESS }
- - { path: ^/api, role: ROLE_OAUTH2_EMAIL }
+ #- { path: ^/api, role: ROLE_OAUTH2_EMAIL }
 - { path: ^/, role: ROLE_USER }
 when@test:
diff --git a/config/routes.yaml b/config/routes.yaml
index 5832b6a..d54fe56 100644
--- a/config/routes.yaml
+++ b/config/routes.yaml
@@ -19,3 +19,10 @@ iam_admin_oauth_client_controllers:
 path: ../_iam/src/AdapterForWeb/Administration/OauthClient/
 namespace: IdentityAccess\AdapterForWeb\Administration\OauthClient
 type: attribute
+
+
+api_auth_controllers:
+ resource:
+ path: ../_iam/src/AdapterForApi/Auth/
+ namespace: IdentityAccess\AdapterForApi\Auth
+ type: attribute
diff --git a/src/Security/Authenticator/OeModulesLoginFormAuthenticator.php b/src/Security/Authenticator/OeModulesLoginFormAuthenticator.php
new file mode 100644
index 0000000..59d70cb
--- /dev/null
+++ b/src/Security/Authenticator/OeModulesLoginFormAuthenticator.php
@@ -0,0 +1,88 @@
+urlGenerator->generate('app_login');
+ }
+
+ public function authenticate(Request $request): Passport
+ {
+ $credentials = $this->getCredentials($request);
+
+ $userBadge = new UserBadge((string) $credentials['username'], $this->userProvider->loadUserByIdentifier(...));
+ $passport = new Passport($userBadge, new PasswordCredentials((string) $credentials['password']), [new RememberMeBadge()]);
+
+ if ($this->userProvider instanceof PasswordUpgraderInterface) {
+ $passport->addBadge(new PasswordUpgradeBadge((string) $credentials['password'], $this->userProvider));
+ }
+
+ return $passport;
+ }
+
+ public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+ {
+ if (null !== ($targetPath = $this->getTargetPath($request->getSession(), $firewallName))) {
+ return new RedirectResponse($targetPath);
+ }
+
+ return new RedirectResponse($this->urlGenerator->generate('app_index'));
+ }
+
+ private function getCredentials(Request $request): array
+ {
+ $credentials = [];
+ //TODO
+ //$credentials['csrf_token'] = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
+
+ $credentials['username'] = (string) $request->request->get('_username', '');
+ $credentials['password'] = (string) $request->request->get('_password', '');
+
+ $credentials['username'] = trim($credentials['username']);
+
+ $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);
+
+ return $credentials;
+ }
+}
From 6d58a213e6999cad5552486e6efc291906fb67eb Mon Sep 17 00:00:00 2001
From: zerai
Date: Mon, 4 Mar 2024 19:06:36 +0100
Subject: [PATCH 2/3] Fix RouterConfigurationSnapShotTest.

---
 .../Regression/Fixture/expected_route_map.json | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/tests/Integration/Regression/Fixture/expected_route_map.json b/tests/Integration/Regression/Fixture/expected_route_map.json
index fdd2382..b74c8cb 100644
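Review bot: authenticate() builds the Passport with a PasswordCredentials, RememberMeBadge and (conditionally) PasswordUpgradeBadge but never a CsrfTokenBadge, and getCredentials() leaves the token as a `//TODO`; since the security.yaml hunk in this patch replaces `form_login` (which had `enable_csrf: true`) with this authenticator and patch 3/3 does not bring it back, the login POST on the `main` firewall ends the series with no CSRF protection. Read the token in getCredentials, `$credentials['csrf_token'] = $request->request->get('_csrf_token');`, and add the badge in authenticate, `$passport->addBadge(new CsrfTokenBadge('authenticate', $credentials['csrf_token']));`, importing `Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge` — the token id `authenticate` and parameter `_csrf_token` are the ones Symfony's own form login uses, so a login template written for form_login presumably already renders them (verify against the template). The commented-out line also references `$this->options['csrf_parameter']`, a property nothing visible in this hunk declares, so it should be dropped rather than kept as a reminder. The class header, constructor and the start of getLoginUrl() are outside the visible part of the hunk (the rendering lost the first ~45 lines of the file).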
--- a/tests/Integration/Regression/Fixture/expected_route_map.json
+++ b/tests/Integration/Regression/Fixture/expected_route_map.json
@@ -1,4 +1,14 @@
 {
+ "api_auth_connect_me": {
+ "path": "\/api\/v1\/auth\/connect\/me",
+ "requirements": [],
+ "defaults": {
+ "_controller": "IdentityAccess\\AdapterForApi\\Auth\\ConnectMeController::index"
+ },
+ "methods": [
+ "GET"
+ ]
+ },
 "app_api_security_index": {
 "path": "\/api\/security\/test",
 "requirements": [],
From 1128e6981d1e65232d8351205610d0ebb73859ef Mon Sep 17 00:00:00 2001
From: zerai
Date: Mon, 4 Mar 2024 19:37:00 +0100
Subject: [PATCH 3/3] Fix security.yaml.

---
 config/packages/security.yaml | 19 +++++--------------
 1 file changed, 5 insertions(+), 14 deletions(-)

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index ebba662..076b3c8 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -14,30 +14,21 @@ security:
 security: false
 api:
 pattern: ^/api
- security: false
+ security: true
 stateless: true
 oauth2: true
 main:
-# login_throttling:
-# max_attempts: 3
-# interval: '5 minutes'
+ login_throttling:
+ max_attempts: 6
+ interval: '5 minutes'
 lazy: true
 provider: app_user_provider
 custom_authenticators:
 - App\Security\Authenticator\OeModulesLoginFormAuthenticator
- #- Symfony\Component\Security\Http\Authenticator\FormAuthenticator
-# form_login:
-# login_path: app_login
-# check_path: app_login
-# enable_csrf: true
-# default_target_path: app_index
-# use_referer: true
 logout:
 path: app_logout
 target: app_index
- #login_throttling: true
-
 # activate different ways to authenticate
 # https://symfony.com/doc/current/security.html#the-firewall
@@ -62,7 +53,7 @@ security:
 - { path: ^/.well-known, roles: PUBLIC_ACCESS }
 - { path: ^/register, roles: PUBLIC_ACCESS }
 - { path: ^/verify, roles: PUBLIC_ACCESS }
- #- { path: ^/api, role: ROLE_OAUTH2_EMAIL }
+ - { path: ^/api, role: ROLE_OAUTH2_EMAIL }
 - { path: ^/, role: ROLE_USER }
 when@test:
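Review bot: Restoring `security: true` on the `^/api` firewall together with the `^/api` → `ROLE_OAUTH2_EMAIL` access_control rule (second hunk of this patch) now also covers `^/api/token$`, because the dedicated `api_token` firewall with `security: false` that patch 1/3 deleted is not brought back here, and firewalls match first-pattern-wins in declaration order. If that path is the OAuth2 token endpoint, a client would need a valid token to obtain one, so the grant becomes unreachable; this is a regression relative to the pre-series configuration rather than a restoration of it. Either re-add the `api_token` firewall block above `api`, or add `- { path: ^/api/token$, roles: PUBLIC_ACCESS }` before the `^/api` rule in access_control, whichever matches the original intent. The `login_throttling` block (`max_attempts: 6`, `interval: '5 minutes'`) correctly reinstates the throttling that patch 1/3 commented out.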