Implement login token authentication to use access URL chooser - refs BT#22639

AngelFQC · AngelFQC · commit 45af3cbeba24 · 2025-07-31T18:23:59.000-05:00
diff --git a/assets/vue/components/accessurl/AccessUrlChooser.vue b/assets/vue/components/accessurl/AccessUrlChooser.vue
@@ -1,40 +1,16 @@
 <script setup>
-import { ref } from "vue"
 import { useI18n } from "vue-i18n"
 import Dialog from "primevue/dialog"
-import { findUserActivePortals } from "../../services/accessurlService"
-import { useSecurityStore } from "../../store/securityStore"
-import { useNotification } from "../../composables/notification"
-import BaseAppLink from "../basecomponents/BaseAppLink.vue"
+import { useAccessUrlChooser } from "../../composables/accessurl/accessUrlChooser"
 
-const securityStore = useSecurityStore()
 const { t } = useI18n()
-const { showErrorNotification } = useNotification()
 
-const isLoading = ref(true)
-const accessUrls = ref([])
-
-if (securityStore.showAccessUrlChooser) {
-  findUserActivePortals(securityStore.user["@id"])
-    .then((items) => {
-      accessUrls.value = items
-
-      if (1 === items.length) {
-        window.location.href = items[0].url
-      }
-    })
-    .catch((error) => showErrorNotification(error))
-    .finally(() => {
-      if (1 !== accessUrls.value.length) {
-        isLoading.value = false
-      }
-    })
-}
+const { visible, isLoading, accessUrls, doRedirectToPortal } = useAccessUrlChooser()
 </script>
 
 <template>
   <Dialog
-    v-model:visible="securityStore.showAccessUrlChooser"
+    v-model:visible="visible"
     :modal="true"
     :closable="false"
     :header="t('Access URL')"
@@ -52,8 +28,9 @@ if (securityStore.showAccessUrlChooser) {
         v-for="accessUrl in accessUrls"
         :key="accessUrl.id"
         class="text-center"
+        @click="doRedirectToPortal(accessUrl.url)"
       >
-        <BaseAppLink :url="accessUrl.url">{{ accessUrl.url }}</BaseAppLink>
+        {{ accessUrl.url }}
         <p
           v-if="accessUrl.description"
           v-text="accessUrl.description"
diff --git a/assets/vue/composables/accessurl/accessUrlChooser.js b/assets/vue/composables/accessurl/accessUrlChooser.js
@@ -0,0 +1,56 @@
+import { findUserActivePortals } from "../../services/accessurlService"
+import { useSecurityStore } from "../../store/securityStore"
+import { computed, ref } from "vue"
+import { useNotification } from "../notification"
+import securityService from "../../services/securityService"
+
+export function useAccessUrlChooser() {
+  const securityStore = useSecurityStore()
+
+  const { showErrorNotification } = useNotification()
+
+  const visible = computed(() => securityStore.showAccessUrlChooser)
+  const isLoading = ref(true)
+  const accessUrls = ref([])
+
+  async function init() {
+    if (!securityStore.showAccessUrlChooser) {
+      return
+    }
+
+    try {
+      const items = await findUserActivePortals(securityStore.user["@id"])
+
+      accessUrls.value = items
+
+      if (1 === items.length) {
+        await doRedirectToPortal(items[0].url)
+      }
+    } catch (error) {
+      showErrorNotification(error)
+    } finally {
+      if (1 !== accessUrls.value.length) {
+        isLoading.value = false
+      }
+    }
+  }
+
+  async function doRedirectToPortal(url) {
+    try {
+      await securityService.loginTokenCheck(url, await securityService.loginTokenRequest())
+
+      window.location.href = url
+    } catch (error) {
+      showErrorNotification(error)
+    }
+  }
+
+  init().then(() => {})
+
+  return {
+    visible,
+    isLoading,
+    accessUrls,
+    doRedirectToPortal,
+  }
+}
diff --git a/assets/vue/services/baseService.js b/assets/vue/services/baseService.js
@@ -43,18 +43,21 @@ export default {
    * @param {string} endpoint
    * @param {Object} [params={}]
    * @param {boolean} [addContentType=false]
+   * @param {Object} [additionalHeaders={}]
+   * @param {Object} [options={}]
    * @returns {Promise<Object>}
    */
-  async post(endpoint, params = {}, addContentType = false) {
-    const config = addContentType
-      ? {
-          headers: {
-            "Content-Type": "application/json",
-          },
-        }
-      : {}
-
-    const { data } = await api.post(endpoint, params, config)
+  async post(endpoint, params = {}, addContentType = false, additionalHeaders = {}, options = {}) {
+    const headers = {}
+
+    if (addContentType) {
+      headers["Content-Type"] = "application/json"
+    }
+
+    const { data } = await api.post(endpoint, params, {
+      headers: { ...headers, ...additionalHeaders },
+      ...options,
+    })
 
     return data
   },
diff --git a/assets/vue/services/securityService.js b/assets/vue/services/securityService.js
@@ -28,7 +28,35 @@ async function checkSession() {
   return await baseService.get("/check-session")
 }
 
+/**
+ * @returns {Promise<string>}
+ */
+async function loginTokenRequest() {
+  const { token } = await baseService.get(`/login/token/request`)
+
+  return token
+}
+
+/**
+ * @param {string} portalUrl
+ * @param {string} token
+ * @returns {Promise<void>}
+ */
+async function loginTokenCheck(portalUrl, token) {
+  portalUrl = portalUrl.endsWith("/") ? portalUrl.slice(0, -1) : portalUrl
+
+  await baseService.post(
+    `${portalUrl}/login/token/check`,
+    {},
+    false,
+    { Authorization: `Bearer ${token}` },
+    { withCredentials: true },
+  )
+}
+
 export default {
   login,
   checkSession,
+  loginTokenRequest,
+  loginTokenCheck,
 }
diff --git a/config/packages/nelmio_cors.yaml b/config/packages/nelmio_cors.yaml
@@ -6,5 +6,6 @@ nelmio_cors:
         allow_headers: ['Content-Type', 'Authorization', 'Preload', 'Fields']
         expose_headers: ['Link']
         max_age: 3600
+        allow_credentials: true
     paths:
         '^/': null
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
@@ -115,11 +115,13 @@ security:
                 # password_path: security.credentials.password
 
             custom_authenticators:
+                - Chamilo\CoreBundle\Security\Authenticator\LoginTokenAuthenticator
                 - Chamilo\CoreBundle\Security\Authenticator\OAuth2\GenericAuthenticator
                 - Chamilo\CoreBundle\Security\Authenticator\OAuth2\FacebookAuthenticator
                 - Chamilo\CoreBundle\Security\Authenticator\OAuth2\KeycloakAuthenticator
                 - Chamilo\CoreBundle\Security\Authenticator\OAuth2\AzureAuthenticator
 
     access_control:
+        - { path: ^/login/token/check, roles: PUBLIC_ACCESS }
         - {path: ^/login, roles: PUBLIC_ACCESS}
         - {path: ^/api/authentication_token, roles: PUBLIC_ACCESS}
diff --git a/src/CoreBundle/Controller/SecurityController.php b/src/CoreBundle/Controller/SecurityController.php
@@ -18,11 +18,13 @@
 use Chamilo\CoreBundle\Repository\Node\AccessUrlRepository;
 use Chamilo\CoreBundle\Repository\Node\CourseRepository;
 use Chamilo\CoreBundle\Repository\TrackELoginRecordRepository;
+use Chamilo\CoreBundle\Security\Authenticator\LoginTokenAuthenticator;
 use Chamilo\CoreBundle\Settings\SettingsManager;
 use DateTime;
 use DateTimeImmutable;
 use Doctrine\ORM\EntityManagerInterface;
 use Exception;
+use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
 use OTPHP\TOTP;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\JsonResponse;
@@ -32,6 +34,8 @@
 use Symfony\Component\Routing\RouterInterface;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Authorization\AuthorizationCheckerInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Authentication\UserAuthenticatorInterface;
 use Symfony\Component\Serializer\SerializerInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
@@ -187,6 +191,26 @@ public function checkSession(): JsonResponse
         throw $this->createAccessDeniedException();
     }
 
+    #[Route('/login/token/request', name: 'login_token_request', methods: ['GET'])]
+    public function loginTokenRequest(JWTTokenManagerInterface $jwtManager): JsonResponse
+    {
+        $user = $this->userHelper->getCurrent();
+
+        if (!$user) {
+            throw $this->createAccessDeniedException();
+        }
+
+        return new JsonResponse([
+            'token' => $jwtManager->create($user),
+        ]);
+    }
+
+    #[Route('/login/token/check', name: 'login_token_check', methods: ['POST'])]
+    public function loginTokenCheck(): Response
+    {
+        return new Response(null, Response::HTTP_NO_CONTENT);
+    }
+
     /**
      * Validates the provided TOTP code for the given user.
      *
diff --git a/src/CoreBundle/Security/Authenticator/LoginTokenAuthenticator.php b/src/CoreBundle/Security/Authenticator/LoginTokenAuthenticator.php
@@ -0,0 +1,89 @@
+<?php
+
+/* For licensing terms, see /license.txt */
+
+declare(strict_types=1);
+
+namespace Chamilo\CoreBundle\Security\Authenticator;
+
+use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\RouterInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+
+class LoginTokenAuthenticator extends AbstractAuthenticator
+{
+    public function __construct(
+        protected readonly UserProviderInterface $userProvider,
+        protected readonly RouterInterface $router,
+        protected readonly JWTTokenManagerInterface $jwtManager,
+    ) {}
+
+    /**
+     * @inheritDoc
+     */
+    public function supports(Request $request): ?bool
+    {
+        return $request->attributes->get('_route') === 'login_token_check'
+            && $request->headers->has('Authorization')
+        ;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function authenticate(Request $request): Passport
+    {
+        $authHeader = $request->headers->get('Authorization');
+
+        if (!$authHeader || !str_starts_with($authHeader, 'Bearer ')) {
+            throw new AuthenticationException('Missing token.');
+        }
+
+        $jwt = substr($authHeader, 7);
+
+        try {
+            $payload = $this->jwtManager->parse($jwt);
+            $username = $payload['username'] ?? $payload['sub'] ?? null;
+
+            if (!$username) {
+                throw new AuthenticationException('Token does not contain a username.');
+            }
+
+        } catch (\Exception $e) {
+            throw new AuthenticationException('Invalid JWT token: '.$e->getMessage());
+        }
+
+        return new SelfValidatingPassport(
+            new UserBadge(
+                $username,
+                fn(string $username) => $this->userProvider->loadUserByIdentifier($username)
+            )
+        );
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return null;
+    }
+
+    /**
+     * @inheritDoc
+     */
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        $message = strtr($exception->getMessage(), $exception->getMessageData());
+
+        return new Response($message, Response::HTTP_FORBIDDEN);
+    }
+}
