php - 如果用户状态为非事件状态，则阻止用户登录

Question

我试图阻止用户登录他的状态是非事件的。我正在使用带有 LexikJWT 捆绑包的 API 平台。

我试图制作一个 JWTAuthentication通过扩展来保护 JWTTokenAuthenticator->checkCredentials但问题是这在用户已经登录后有效。

我想要实现的是向用户返回一条消息，他需要首先激活他的帐户，或者任何其他消息，最好是在任何自定义条件下的任何自定义消息。

我的安全 YAML 如下所示:

security:
    encoders:
        App\Entity\User:
            algorithm: bcrypt
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/_(profiler|wdt)
            security: false
        api:
            pattern: ^/api/
            stateless: true
            anonymous: true
            provider: app_user_provider
            json_login:
                check_path: /api/authentication_token
                username_path: email
                password_path: password
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            guard:
                authenticators:
                    - app.jwt_token_authenticator
        main:
            anonymous: true
    access_control:
        - { path: ^/api/authentication_token,   roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/graphql,                roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/public-api,                 roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/,                       roles: [ROLE_MANAGER, ROLE_LEADER] }
        - { path: ^/,                           roles: IS_AUTHENTICATED_ANONYMOUSLY }

服务:

services:
    # default configuration for services in *this* file
    _defaults:
        autowire: true      # Automatically injects dependencies in your services.
        autoconfigure: true # Automatically registers your services as commands, event subscribers, etc.

    # makes classes in src/ available to be used as services
    # this creates a service per class whose id is the fully-qualified class name
    App\:
        resource: '../src/*'
        exclude: '../src/{DependencyInjection,Entity,Migrations,Tests,Kernel.php}'

    # controllers are imported separately to make sure services can be injected
    # as action arguments even if you don't extend any base controller class
    App\Controller\:
        resource: '../src/Controller'
        tags: ['controller.service_arguments']

    # add more service definitions when explicit configuration is needed
    # please note that last definitions always *replace* previous ones
    gedmo.listener.softdeleteable:
        class: Gedmo\SoftDeleteable\SoftDeleteableListener
        tags:
            - { name: doctrine.event_subscriber, connection: default }
        calls:
            - [ setAnnotationReader, [ '@annotation_reader' ] ]

    acme_api.event.authentication_success_listener:
        class: App\EventListener\AuthenticationSuccessListener
        tags:
            - { name: kernel.event_listener, event: lexik_jwt_authentication.on_authentication_success, method: onAuthenticationSuccessResponse }

    app.jwt_token_authenticator:
        autowire: false
        autoconfigure: false
        class: App\Security\Guard\JWTTokenAuthenticator
        parent: lexik_jwt_authentication.security.guard.jwt_token_authenticator

    'App\Serializer\ApiNormalizer':
        decorates: 'api_platform.serializer.normalizer.item'
        arguments: ['@App\Serializer\ApiNormalizer.inner', '@doctrine.orm.entity_manager']

    'App\Serializer\HydraApiNormalizer':
        decorates: 'api_platform.jsonld.normalizer.item'
        arguments: ['@App\Serializer\ApiNormalizer.inner', '@doctrine.orm.entity_manager']

    'App\Voter\ModifyUserVoter':
        public: false
        tags:
            - { name: security.voter }

验证器保护

class JWTTokenAuthenticator extends BaseAuthenticator
{
    /**
     * {@inheritdoc}
     */
    public function checkCredentials($credentials, UserInterface $user)
    {
        if (!$user->getRoles() || !in_array($user->getRoles()[0], ['ROLE_MANAGER', 'ROLE_LEADER'])) {
            throw new UnauthorizedHttpException(rand(10000, 99999), 'Unauthorized');
        }

        if (!$user->getStatus() != "active") {
            throw new UnauthorizedHttpException(rand(10000, 99999), 'Unauthorized');
        }

        return true;
    }
}

Answer 1

您需要创建 UserCheckerInterface 的实现。 (Docs)

例如，看看这个:

use Symfony\Component\Security\Core\Exception\DisabledException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class EasyUserChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user): void
    {
        // my checker only cares for our managed user classes, we return with no action 
        if (!$user instanceof AppAdmin && !$user instanceof AppUser) {
            return;
        }

        // our user entities can be deleted or disabled. If the user is neither, we return with no action
        if (!$user->isDeleted() && !empty($user->isEnabled())) {
            return;
        }

        // if we got here, we throw an exception
        throw new DisabledException('User account is disabled.');
    }

    // I'm not using the post authorization check, but needs to have an implementation to satisfy the interface.
    public function checkPostAuth(UserInterface $user): void
    {
    }
}

您在安全配置中启用检查器。例如。:

security:
    firewalls:
        api:
            pattern: ^/api
            user_checker: App\Security\EasyChecker

您现在不应该编写 AdvancedUserInterface 的新实现。使用它作为解决方案是错误的方法。

该接口(interface) is deprecated since 4.1 和 在 Symfony 5 中完全删除了 。因此依赖于该接口(interface)的代码将无法升级到较新的 Symfony 版本。