Commit 616718af authored by bojanz's avatar bojanz

Issue #2713987 by bojanz: Implement the login pane

parent cb926a7a
services:
commerce.credentials_check_flood:
class: Drupal\commerce\CredentialsCheckFlood
arguments: ['@flood', '@entity_type.manager', '@config.factory']
commerce.country_context:
class: Drupal\commerce\CountryContext
arguments: ['@request_stack', '@commerce.chain_country_resolver']
......
......@@ -2,13 +2,16 @@
namespace Drupal\commerce_checkout\Plugin\Commerce\CheckoutPane;
use Drupal\commerce\CredentialsCheckFloodInterface;
use Drupal\commerce_checkout\Plugin\Commerce\CheckoutFlow\CheckoutFlowInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Form\FormStateInterface;
use Drupal\Core\Plugin\ContainerFactoryPluginInterface;
use Drupal\Core\Session\AccountInterface;
use Drupal\user\Entity\User;
use Drupal\user\Form\UserLoginForm;
use Drupal\Core\Url;
use Drupal\user\UserAuthInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\RequestStack;
/**
* Provides the login or continue pane.
......@@ -21,6 +24,13 @@ use Symfony\Component\DependencyInjection\ContainerInterface;
*/
class Login extends CheckoutPaneBase implements CheckoutPaneInterface, ContainerFactoryPluginInterface {
/**
* The credentials check flood controller.
*
* @var \Drupal\commerce\CredentialsCheckFloodInterface
*/
protected $credentialsCheckFlood;
/**
* The current user.
*
......@@ -28,6 +38,27 @@ class Login extends CheckoutPaneBase implements CheckoutPaneInterface, Container
*/
protected $currentUser;
/**
* The entity type manager.
*
* @var \Drupal\Core\Entity\EntityTypeManagerInterface
*/
protected $entityTypeManager;
/**
* The user authentication object.
*
* @var \Drupal\user\UserAuthInterface
*/
protected $userAuth;
/**
* The client IP address.
*
* @var string
*/
protected $clientIp;
/**
* Constructs a new Login object.
*
......@@ -39,13 +70,25 @@ class Login extends CheckoutPaneBase implements CheckoutPaneInterface, Container
* The plugin implementation definition.
* @param \Drupal\commerce_checkout\Plugin\Commerce\CheckoutFlow\CheckoutFlowInterface $checkout_flow
* The parent checkout flow.
* @param \Drupal\commerce\CredentialsCheckFloodInterface $credentials_check_flood
* The credentials check flood controller.
* @param \Drupal\Core\Session\AccountInterface $current_user
* The current user.
* @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
* The entity type manager.
* @param \Drupal\user\UserAuthInterface $user_auth
* The user authentication object.
* @param \Symfony\Component\HttpFoundation\RequestStack $request_stack
* The request stack.
*/
public function __construct(array $configuration, $plugin_id, $plugin_definition, CheckoutFlowInterface $checkout_flow, AccountInterface $current_user) {
public function __construct(array $configuration, $plugin_id, $plugin_definition, CheckoutFlowInterface $checkout_flow, CredentialsCheckFloodInterface $credentials_check_flood, AccountInterface $current_user, EntityTypeManagerInterface $entity_type_manager, UserAuthInterface $user_auth, RequestStack $request_stack) {
parent::__construct($configuration, $plugin_id, $plugin_definition, $checkout_flow);
$this->credentialsCheckFlood = $credentials_check_flood;
$this->currentUser = $current_user;
$this->entityTypeManager = $entity_type_manager;
$this->userAuth = $user_auth;
$this->clientIp = $request_stack->getCurrentRequest()->getClientIp();
}
/**
......@@ -57,7 +100,11 @@ class Login extends CheckoutPaneBase implements CheckoutPaneInterface, Container
$plugin_id,
$plugin_definition,
$checkout_flow,
$container->get('current_user')
$container->get('commerce.credentials_check_flood'),
$container->get('current_user'),
$container->get('entity_type.manager'),
$container->get('user.auth'),
$container->get('request_stack')
);
}
......@@ -121,8 +168,112 @@ class Login extends CheckoutPaneBase implements CheckoutPaneInterface, Container
* {@inheritdoc}
*/
public function buildPaneForm(array $pane_form, FormStateInterface $form_state) {
// @todo
$pane_form['returning_customer'] = [
'#type' => 'fieldset',
'#title' => $this->t('Returning Customer'),
];
$pane_form['returning_customer']['name'] = [
'#type' => 'textfield',
'#title' => $this->t('Username'),
'#size' => 60,
'#maxlength' => USERNAME_MAX_LENGTH,
'#attributes' => [
'autocorrect' => 'none',
'autocapitalize' => 'none',
'spellcheck' => 'false',
'autofocus' => 'autofocus',
],
];
$pane_form['returning_customer']['password'] = [
'#type' => 'password',
'#title' => $this->t('Password'),
'#size' => 60,
];
// @todo Add a "forgotten password" link.
$pane_form['returning_customer']['submit'] = [
'#type' => 'submit',
'#value' => $this->t('Log in'),
'#op' => 'login',
];
$pane_form['guest'] = [
'#type' => 'fieldset',
'#title' => $this->t('Guest Checkout'),
];
$pane_form['guest']['text'] = [
'#prefix' => '<p>',
'#suffix' => '</p>',
'#markup' => $this->t('Proceed to checkout. You can optionally create an account at the end.'),
];
$pane_form['guest']['continue'] = [
'#type' => 'submit',
'#value' => $this->t('Continue as Guest'),
'#op' => 'continue',
];
return $pane_form;
}
/**
* {@inheritdoc}
*/
public function validatePaneForm(array &$pane_form, FormStateInterface $form_state) {
parent::validatePaneForm($pane_form, $form_state);
$triggering_element = $form_state->getTriggeringElement();
if ($triggering_element['#op'] == 'continue') {
// No login in progress, nothing to validate.
return;
}
$name_element = $pane_form['returning_customer']['name'];
$values = $form_state->getValue($pane_form['#parents']);
$username = $values['returning_customer']['name'];
$password = trim($values['returning_customer']['password']);
if (empty($username) || empty($password)) {
$form_state->setErrorByName('name', $this->t('Unrecognized username or password.'));
return;
}
if (user_is_blocked($username)) {
$form_state->setError($name_element, $this->t('The username %name has not been activated or is blocked.', ['%name' => $username]));
return;
}
if (!$this->credentialsCheckFlood->isAllowedHost($this->clientIp)) {
$form_state->setErrorByName($name_element, $this->t('Too many failed login attempts from your IP address. This IP address is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [':url' => Url::fromRoute('user.pass')]));
$this->credentialsCheckFlood->register($this->clientIp, $username);
return;
}
elseif (!$this->credentialsCheckFlood->isAllowedAccount($this->clientIp, $username)) {
$form_state->setErrorByName($name_element, $this->t('Too many failed login attempts for this account. It is temporarily blocked. Try again later or <a href=":url">request a new password</a>.', [':url' => Url::fromRoute('user.pass')]));
$this->credentialsCheckFlood->register($this->clientIp, $username);
return;
}
$uid = $this->userAuth->authenticate($username, $password);
if (!$uid) {
$this->credentialsCheckFlood->register($this->clientIp, $username);
$form_state->setErrorByName('name', $this->t('Unrecognized username or password.'));
}
$form_state->set('logged_in_uid', $uid);
}
/**
* {@inheritdoc}
*/
public function submitPaneForm(array &$pane_form, FormStateInterface $form_state) {
$triggering_element = $form_state->getTriggeringElement();
if ($triggering_element['#op'] == 'login') {
$storage = $this->entityTypeManager->getStorage('user');
$account = $storage->load($form_state->get('logged_in_uid'));
user_login_finalize($account);
$this->order->setOwner($account);
$this->credentialsCheckFlood->clearAccount($this->clientIp, $account->getAccountName());
}
$form_state->setRedirect('commerce_checkout.form', [
'commerce_order' => $this->order->id(),
'step' => $this->checkoutFlow->getNextStepId(),
]);
}
}
<?php
namespace Drupal\commerce;
use Drupal\Core\Config\ConfigFactoryInterface;
use Drupal\Core\Entity\EntityTypeManagerInterface;
use Drupal\Core\Flood\FloodInterface;
/**
* Provides flood protection for login credential checks.
*
* @todo Replace with core version once #2431357 lands.
*/
class CredentialsCheckFlood implements CredentialsCheckFloodInterface {
/**
* The flood controller.
*
* @var \Drupal\Core\Flood\FloodInterface
*/
protected $flood;
/**
* The entity type manager.
*
* @var \Drupal\Core\Entity\EntityTypeManagerInterface
*/
protected $entityTypeManager;
/**
* The flood configuration.
*
* @var \Drupal\Core\Config\ImmutableConfig
*/
protected $config;
/**
* The static cache of loaded accounts.
*
* @var \Drupal\Core\Session\AccountInterface[]
*/
protected $accounts = [];
/**
* Constructs a new CredentialsCheckFlood object.
*
* @param \Drupal\Core\Flood\FloodInterface $flood
* The flood controller.
* @param \Drupal\Core\Entity\EntityTypeManagerInterface $entity_type_manager
* The entity type manager.
* @param \Drupal\Core\Config\ConfigFactoryInterface $config_factory
* The config factory.
*/
public function __construct(FloodInterface $flood, EntityTypeManagerInterface $entity_type_manager, ConfigFactoryInterface $config_factory) {
$this->flood = $flood;
$this->entityTypeManager = $entity_type_manager;
$this->config = $config_factory->get('user.flood');
}
/**
* {@inheritdoc}
*/
public function register($ip, $name) {
// Register a per-ip failed credentials check event.
$this->flood->register('user.failed_login_ip', $this->config->get('ip_window'), $ip);
// Register a per-user failed credentials check event.
if ($identifier = $this->getAccountIdentifier($ip, $name)) {
$this->flood->register('user.failed_login_user', $this->config->get('user_window'), $identifier);
}
}
/**
* {@inheritdoc}
*/
public function clearHost($ip) {
$this->flood->clear('user.failed_login_ip', $ip);
}
/**
* {@inheritdoc}
*/
public function clearAccount($ip, $name) {
if ($identifier = $this->getAccountIdentifier($ip, $name)) {
$this->flood->clear('user.failed_login_user', $identifier);
}
}
/**
* {@inheritdoc}
*/
public function isAllowedHost($ip) {
return $this->flood->isAllowed('user.failed_login_ip', $this->config->get('ip_limit'), $this->config->get('ip_window'), $ip);
}
/**
* {@inheritdoc}
*/
public function isAllowedAccount($ip, $name) {
$allowed = TRUE;
if ($identifier = $this->getAccountIdentifier($ip, $name)) {
$allowed = $this->flood->isAllowed('user.failed_login_user', $this->config->get('user_limit'), $this->config->get('user_window'), $identifier);
}
return $allowed;
}
/**
* Gets the identifier used to register account flood events.
*
* @param string $ip
* The client IP address.
* @param string $name
* The account name.
*
* @return string|NULL
* The flood identifier name or NULL if there is no account with the
* given name.
*/
protected function getAccountIdentifier($ip, $name) {
if (!isset($this->accounts[$name])) {
$storage = $this->entityTypeManager->getStorage('user');
$account_by_name = $storage->loadByProperties(['name' => $name]);
$this->accounts[$name] = reset($account_by_name);
}
/** @var \Drupal\Core\Session\AccountInterface $account **/
$account = $this->accounts[$name];
if ($account) {
if ($this->config->get('uid_only')) {
// Register flood events based on the uid only, so they apply for any
// IP address. This is the most secure option.
return $account->id();
}
else {
// The default identifier is a combination of uid and IP address. This
// is less secure but more resistant to denial-of-service attacks that
// could lock out all users with public user names.
return $account->id() . '-' . $ip;
}
}
}
}
<?php
namespace Drupal\commerce;
/**
* Provides a flood service tailored to login credential checks.
*/
interface CredentialsCheckFloodInterface {
/**
* Registers a new failed credentials check by the given user.
*
* @param string $ip
* The client IP address.
* @param string $name
* The account name.
*/
public function register($ip, $name);
/**
* Clears failed credential checks from the given host.
*
* @param string $ip
* The client IP address.
*/
public function clearHost($ip);
/**
* Clears failed credential checks by the given user.
*
* @param string $ip
* The client IP address.
* @param string $name
* The account name.
*/
public function clearAccount($ip, $name);
/**
* Whether or not a client machine is allowed to perform a credentials check.
*
* Independent of the per-user limit to catch attempts from one IP to
* log in to many different user accounts. We have a reasonably high limit
* since there may be only one apparent IP for all users at an institution.
*
* @param string $ip
* The client IP address.
*
* @return bool
* TRUE if credentials check is allowed, FALSE otherwise.
*/
public function isAllowedHost($ip);
/**
* Whether or not a credentials check with the given account is allowed.
*
* @param string $ip
* The client IP address.
* @param string $name
* The account name.
*
* @return bool
* TRUE if credentials check is allowed, FALSE otherwise.
*/
public function isAllowedAccount($ip, $name);
}
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment