1 <?php
2 declare(strict_types = 1);
3 namespace TYPO3\CMS\Frontend\Middleware;
4
5 /*
6 * This file is part of the TYPO3 CMS project.
7 *
8 * It is free software; you can redistribute it and/or modify it under
9 * the terms of the GNU General Public License, either version 2
10 * of the License, or any later version.
11 *
12 * For the full copyright and license information, please read the
13 * LICENSE.txt file that was distributed with this source code.
14 *
15 * The TYPO3 project - inspiring people to share!
16 */
17
18 use Psr\Http\Message\ResponseInterface;
19 use Psr\Http\Message\ServerRequestInterface;
20 use Psr\Http\Server\MiddlewareInterface;
21 use Psr\Http\Server\RequestHandlerInterface;
22 use TYPO3\CMS\Core\Utility\GeneralUtility;
23 use TYPO3\CMS\Frontend\Authentication\FrontendUserAuthentication;
24
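/**
 * PSR-15 middleware that authenticates a frontend user (fe_users).
 *
 * A valid $GLOBALS['TSFE'] object is still required for the time being: the user object
 * is stored there to stay fully backwards-compatible.
 *
 * Both request parameters evaluated here ("pid" and "FE_SESSION_KEY") are read from the
 * POST body or the query string and are therefore client-controlled. They are only used
 * after a type check, and the session key only after its keyed hash has been verified.
 */
class FrontendUserAuthenticator implements MiddlewareInterface
{
    /**
     * Creates a frontend user authentication object, tries to authenticate a user
     * and stores the object in $GLOBALS['TSFE']->fe_user.
     *
     * @param ServerRequestInterface $request
     * @param RequestHandlerInterface $handler
     * @return ResponseInterface
     */
    public function process(ServerRequestInterface $request, RequestHandlerInterface $handler): ResponseInterface
    {
        $frontendUser = GeneralUtility::makeInstance(FrontendUserAuthentication::class);

        // List of page IDs where to look for frontend user records.
        // A client can send "pid[]=..." and thereby turn the value into an array; under
        // strict_types that would surface as an error instead of a clean request, so
        // anything that is not a scalar is ignored. intExplode() reduces the rest to integers.
        $pid = $request->getParsedBody()['pid'] ?? $request->getQueryParams()['pid'] ?? 0;
        if ($pid && is_scalar($pid)) {
            $frontendUser->checkPid_value = implode(',', GeneralUtility::intExplode(',', (string)$pid));
        }

        // Check if a session is transferred, and update the cookie parameters.
        // Only a non-empty string is a candidate; an array or other type (e.g. "FE_SESSION_KEY[]=x")
        // would otherwise violate the string type of transferFrontendUserSession().
        $frontendSessionKey = $request->getParsedBody()['FE_SESSION_KEY'] ?? $request->getQueryParams()['FE_SESSION_KEY'] ?? '';
        if (is_string($frontendSessionKey) && $frontendSessionKey !== '') {
            $request = $this->transferFrontendUserSession($frontendUser, $request, $frontendSessionKey);
        }

        // Authenticate now
        $frontendUser->start();
        $frontendUser->unpack_uc();

        // Keep the backwards-compatibility for TYPO3 v9, to have the fe_user within the global TSFE object
        $GLOBALS['TSFE']->fe_user = $frontendUser;

        // Call hook for possible manipulation of frontend user object.
        // This hook is kept for compatibility reasons, however, it should be fairly simple to add a
        // custom middleware for this purpose. Hook targets come from TYPO3_CONF_VARS (configuration),
        // not from the request.
        $_params = ['pObj' => &$GLOBALS['TSFE']];
        foreach ($GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['tslib/class.tslib_fe.php']['initFEuser'] ?? [] as $_funcRef) {
            GeneralUtility::callUserFunction($_funcRef, $_params, $GLOBALS['TSFE']);
        }
        return $handler->handle($request);
    }

    /**
     * It's possible to transfer a frontend user session via a GET/POST parameter 'FE_SESSION_KEY'.
     * In the future, this logic should be moved into the FrontendUserAuthentication object directly,
     * but only if FrontendUserAuthentication does not request superglobals (like $_COOKIE) anymore.
     *
     * The key has the form "<sessionId>-<hash>", where the hash is md5(sessionId . '/' . encryptionKey).
     * The session id is only adopted when that hash verifies; otherwise the request is returned unchanged.
     *
     * NOTE(review): a verified key acts as a bearer credential for the session. Nothing in this
     * method bounds its lifetime or ties it to a client, so a key that ends up in URLs, access logs
     * or Referer headers stays usable as long as the session exists. The MD5 secret-suffix
     * construction is kept because the code issuing the keys is not part of this class; moving to
     * hash_hmac() with a modern digest has to happen on both sides at once.
     *
     * @param FrontendUserAuthentication $frontendUser
     * @param ServerRequestInterface $request
     * @param string $frontendSessionKey
     * @return ServerRequestInterface the request, enriched with the session cookie if the key was valid
     */
    protected function transferFrontendUserSession(
        FrontendUserAuthentication $frontendUser,
        ServerRequestInterface $request,
        string $frontendSessionKey
    ): ServerRequestInterface {
        // A key without "-" carries no hash and can never be valid; bail out instead of
        // destructuring a missing array element.
        $keyParts = explode('-', $frontendSessionKey);
        if (count($keyParts) < 2) {
            return $request;
        }
        [$sessionId, $hash] = $keyParts;

        // Without an encryption key the hash below would be computable by anyone, so a
        // missing or empty key disables the session transfer altogether.
        $encryptionKey = (string)($GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'] ?? '');
        if ($encryptionKey === '') {
            return $request;
        }

        // Constant-time comparison: "===" on strings can leak, through timing, how many
        // leading characters of a guessed hash were correct.
        $expectedHash = md5($sessionId . '/' . $encryptionKey);
        if (!hash_equals($expectedHash, $hash)) {
            return $request;
        }

        $cookieName = FrontendUserAuthentication::getCookieName();

        // keep the global cookie overwriting for now, as long as FrontendUserAuthentication does not
        // use the request object for fetching the cookie information.
        $_COOKIE[$cookieName] = $sessionId;
        if (isset($_SERVER['HTTP_COOKIE'])) {
            // See http://forge.typo3.org/issues/27740
            $_SERVER['HTTP_COOKIE'] .= ';' . $cookieName . '=' . $sessionId;
        }
        // Add the cookie to the Server Request object
        $cookieParams = $request->getCookieParams();
        $cookieParams[$cookieName] = $sessionId;
        $request = $request->withCookieParams($cookieParams);
        // @deprecated: we override the current request because it was enriched by cookie information here.
        $GLOBALS['TYPO3_REQUEST'] = $request;
        $frontendUser->forceSetCookie = true;
        $frontendUser->dontSetCookie = false;

        return $request;
    }
}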