src/EventSubscriber/TwoFactorSecuritySubscriber.php line 84

Open in your IDE?
  1. <?php
  3. declare(strict_types=1);
  5. namespace App\EventSubscriber;
  7. use App\Entity\User;
  8. use Psr\Log\LoggerInterface;
  9. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvent;
  10. use Scheb\TwoFactorBundle\Security\TwoFactor\Event\TwoFactorAuthenticationEvents;
  11. use Symfony\Component\EventDispatcher\EventSubscriberInterface;
  12. use Symfony\Component\HttpFoundation\RequestStack;
  13. use Symfony\Component\RateLimiter\RateLimiterFactory;
  15. /**
  16.  * Security event subscriber for 2FA events.
  17.  * 
  18.  * Handles:
  19.  * - Audit logging for 2FA attempts (success/failure)
  20.  * - Rate limiting for brute-force protection
  21.  */
  22. class TwoFactorSecuritySubscriber implements EventSubscriberInterface
  23. {
  24.     public function __construct(
  25.         private readonly LoggerInterface $logger,
  26.         private readonly RequestStack $requestStack,
  27.         private readonly ?RateLimiterFactory $twoFactorLimiter null,
  28.     ) {
  29.     }
  31.     public static function getSubscribedEvents(): array
  32.     {
  33.         return [
  34.             TwoFactorAuthenticationEvents::SUCCESS => ['onTwoFactorSuccess'0],
  35.             TwoFactorAuthenticationEvents::FAILURE => ['onTwoFactorFailure'0],
  36.             TwoFactorAuthenticationEvents::ATTEMPT => ['onTwoFactorAttempt'10],
  37.             TwoFactorAuthenticationEvents::COMPLETE => ['onTwoFactorComplete'0],
  38.         ];
  39.     }
  41.     /**
  42.      * Called when 2FA attempt is made (before validation).
  43.      * Apply rate limiting here.
  44.      */
  45.     public function onTwoFactorAttempt(TwoFactorAuthenticationEvent $event): void
  46.     {
  47.         $user $event->getToken()->getUser();
  48.         
  49.         if (!$user instanceof User) {
  50.             return;
  51.         }
  53.         $request $this->requestStack->getCurrentRequest();
  54.         $ip $request?->getClientIp() ?? 'unknown';
  56.         // Rate limiting check
  57.         if ($this->twoFactorLimiter !== null) {
  58.             $limiterKey sprintf('2fa_%s_%s'$user->getId(), $ip);
  59.             $limiter $this->twoFactorLimiter->create($limiterKey);
  60.             
  61.             if (!$limiter->consume()->isAccepted()) {
  62.                 $this->logger->warning('2FA rate limit exceeded', [
  63.                     'user_id' => $user->getId(),
  64.                     'email' => $user->getEmail(),
  65.                     'ip' => $ip,
  66.                 ]);
  67.                 
  68.                 // The actual blocking should be handled by the rate limiter configuration
  69.                 // This log entry is for audit purposes
  70.             }
  71.         }
  73.         $this->logger->info('2FA attempt initiated', [
  74.             'user_id' => $user->getId(),
  75.             'email' => $user->getEmail(),
  76.             'ip' => $ip,
  77.             'method' => $user->getTwoFactorMethod(),
  78.         ]);
  79.     }
  81.     /**
  82.      * Called when 2FA code validation succeeds.
  83.      */
  84.     public function onTwoFactorSuccess(TwoFactorAuthenticationEvent $event): void
  85.     {
  86.         $user $event->getToken()->getUser();
  87.         
  88.         if (!$user instanceof User) {
  89.             return;
  90.         }
  92.         $request $this->requestStack->getCurrentRequest();
  93.         $ip $request?->getClientIp() ?? 'unknown';
  95.         $this->logger->info('2FA authentication successful', [
  96.             'user_id' => $user->getId(),
  97.             'email' => $user->getEmail(),
  98.             'ip' => $ip,
  99.             'method' => $user->getTwoFactorMethod(),
  100.             'user_agent' => $request?->headers->get('User-Agent'),
  101.         ]);
  102.     }
  104.     /**
  105.      * Called when 2FA code validation fails.
  106.      */
  107.     public function onTwoFactorFailure(TwoFactorAuthenticationEvent $event): void
  108.     {
  109.         $user $event->getToken()->getUser();
  110.         
  111.         if (!$user instanceof User) {
  112.             return;
  113.         }
  115.         $request $this->requestStack->getCurrentRequest();
  116.         $ip $request?->getClientIp() ?? 'unknown';
  118.         $this->logger->warning('2FA authentication failed', [
  119.             'user_id' => $user->getId(),
  120.             'email' => $user->getEmail(),
  121.             'ip' => $ip,
  122.             'method' => $user->getTwoFactorMethod(),
  123.             'user_agent' => $request?->headers->get('User-Agent'),
  124.         ]);
  125.     }
  127.     /**
  128.      * Called when 2FA process is fully complete (all providers passed).
  129.      */
  130.     public function onTwoFactorComplete(TwoFactorAuthenticationEvent $event): void
  131.     {
  132.         $user $event->getToken()->getUser();
  133.         
  134.         if (!$user instanceof User) {
  135.             return;
  136.         }
  138.         $request $this->requestStack->getCurrentRequest();
  139.         $ip $request?->getClientIp() ?? 'unknown';
  141.         $this->logger->info('2FA authentication complete - full access granted', [
  142.             'user_id' => $user->getId(),
  143.             'email' => $user->getEmail(),
  144.             'ip' => $ip,
  145.         ]);
  146.     }
  147. }