src/EventSubscriber/SignedCookieSubscriber.php line 63

Open in your IDE?
  1. <?php
  3. namespace App\EventSubscriber;
  5. use Aws\CloudFront\CookieSigner;
  6. use Psr\Log\LoggerInterface;
  7. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  8. use Symfony\Component\HttpFoundation\Cookie;
  9. use Symfony\Component\HttpFoundation\RequestStack;
  10. use Symfony\Component\HttpFoundation\Session\SessionInterface;
  11. use Symfony\Component\HttpKernel\Event\ResponseEvent;
  12. use Symfony\Component\HttpKernel\KernelEvents;
  13. use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
  14. use Symfony\Component\Security\Http\SecurityEvents;
  16. class SignedCookieSubscriber implements EventSubscriberInterface
  17. {
  18.     private const SET_COOKIES 'signed_cookie_auth_success';
  20.     /**
  21.      * @var \Symfony\Component\HttpFoundation\Session\SessionInterface
  22.      */
  23.     private $session;
  25.     /**
  26.      * @var \Psr\Log\LoggerInterface
  27.      */
  28.     private $logger;
  30.     /**
  31.      * @var string
  32.      */
  33.     private $privateKey;
  35.     /**
  36.      * @var string
  37.      */
  38.     private $pairId;
  40.     /**
  41.      * @var int
  42.      */
  43.     private $lifetime;
  45.     /**
  46.      * @var \Symfony\Component\HttpFoundation\Request
  47.      */
  48.     private $masterRequest;
  50.     public function __construct(
  51.         SessionInterface $session,
  52.         LoggerInterface $logger,
  53.         RequestStack $requestStack,
  54.         string $cloudFrontPrivateKey,
  55.         string $cloudFrontKeyPairId,
  56.         int $sessionLifetime
  57.     ) {
  58.         $this->session $session;
  59.         $this->logger $logger;
  60.         $this->privateKey $cloudFrontPrivateKey;
  61.         $this->pairId $cloudFrontKeyPairId;
  62.         $this->lifetime $sessionLifetime;
  63.         $this->masterRequest $requestStack->getMasterRequest();
  64.     }
  67.     public static function getSubscribedEvents(): array
  68.     {
  69.         return [
  70.             SecurityEvents::INTERACTIVE_LOGIN => [['setAuthSuccessFlag'10]],
  71.             KernelEvents::RESPONSE => [['setResponseCookies'10]],
  72.         ];
  73.     }
  75.     /**
  76.      * Set a flag in the session to indicate that signed cookies should be set.
  77.      *
  78.      * @param \Symfony\Component\Security\Http\Event\InteractiveLoginEvent $event
  79.      *   Kernel event object
  80.      */
  81.     public function setAuthSuccessFlag(InteractiveLoginEvent $event): void
  82.     {
  83.         // Disable signed cookie functionality if the config is empty.
  84.         if (empty($this->privateKey) && empty($this->pairId)) {
  85.             return;
  86.         }
  88.         $this->session->set(self::SET_COOKIEStrue);
  89.     }
  91.     /**
  92.      * Adds the necessary cookies for accessing assets through CloudFront.
  93.      *
  94.      * Note: Cookies are removed on logout by \App\Security\LogoutSuccessHandler
  95.      *
  96.      * @param \Symfony\Component\HttpKernel\Event\ResponseEvent $event
  97.      *   Kernel event object
  98.      */
  99.     public function setResponseCookies(ResponseEvent $event): void
  100.     {
  101.         // Set CloudFront signed cookies if a login event is detected.
  102.         if (!$this->session->get(self::SET_COOKIES)) {
  103.             return;
  104.         }
  106.         try {
  107.             foreach ($this->getSignedCookies() as $signedCookie) {
  108.                 $event->getResponse()->headers->setCookie($signedCookie);
  109.             }
  110.         } catch (\Exception $e) {
  111.             $this->logger->error('Could not set signed cookies.', ['exception' => $e]);
  112.         }
  114.         $this->session->remove(self::SET_COOKIES);
  115.     }
  117.     /**
  118.      * Creates signed cookies with a custom policy for all resources.
  119.      *
  120.      * @return Cookie[]
  121.      *   Array of Cookie objects ready to be added to a Response
  122.      */
  123.     private function getSignedCookies(): array
  124.     {
  125.         // Create a cookie that allows access to all assets in the S3 bucket through a CloudFront distribution.
  126.         // More about custom policies can be found here
  127.         // https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-setting-signed-cookie-custom-policy.html
  128.         $signer = new CookieSigner($this->pairId$this->privateKey);
  129.         $expire time() + $this->lifetime;
  130.         $policy json_encode([
  131.             'Statement' => [
  132.                 [
  133.                     'Condition' => [
  134.                         'DateLessThan' => ['AWS:EpochTime' => $expire],
  135.                     ],
  136.                 ],
  137.             ],
  138.         ], JSON_UNESCAPED_SLASHES JSON_THROW_ON_ERROR);
  140.         $domain $this->masterRequest->getHost();
  141.         $cookies = [];
  142.         foreach ($signer->getSignedCookie(nullnull$policy) as $name => $value) {
  143.             $cookies[] = Cookie::create($name$value$expire'/'$domain);
  144.         }
  146.         return $cookies;
  147.     }
  148. }