IBX-8356: Reworked `Ibexa\Core\MVC\Symfony\Security\Authentication\Au…

…thenticatorInterface` usages to comply with Symfony-based authentication (#67)

* IBX-8356: Reworked Ibexa\Core\MVC\Symfony\Security\Authentication\AuthenticatorInterface usages to comply with Symfony-based authentication

* fixed phpstan

* improved code according to PHPStan reports

* restored mutation and moved authorization elsewhere

* fixed lack of proper password validation

* cr remark

phpstan-baseline.neon

@@ -325,31 +325,6 @@ parameters:
 			count: 1
 			path: src/lib/Mapper/ContentImageAssetMapperStrategy.php
 
-		-
-			message: "#^Cannot access property \\$attributes on Symfony\\\\Component\\\\HttpFoundation\\\\Request\\|null\\.$#"
-			count: 2
-			path: src/lib/Mutation/Authentication.php
-
-		-
-			message: "#^Method Ibexa\\\\GraphQL\\\\Mutation\\\\Authentication\\:\\:createToken\\(\\) has parameter \\$args with no type specified\\.$#"
-			count: 1
-			path: src/lib/Mutation/Authentication.php
-
-		-
-			message: "#^Method Ibexa\\\\GraphQL\\\\Mutation\\\\Authentication\\:\\:createToken\\(\\) return type has no value type specified in iterable type array\\.$#"
-			count: 1
-			path: src/lib/Mutation/Authentication.php
-
-		-
-			message: "#^Parameter \\#1 \\$request of method Ibexa\\\\Core\\\\MVC\\\\Symfony\\\\Security\\\\Authentication\\\\AuthenticatorInterface\\:\\:authenticate\\(\\) expects Symfony\\\\Component\\\\HttpFoundation\\\\Request, Symfony\\\\Component\\\\HttpFoundation\\\\Request\\|null given\\.$#"
-			count: 1
-			path: src/lib/Mutation/Authentication.php
-
-		-
-			message: "#^Parameter \\#1 \\$wrappedUser of class Ibexa\\\\GraphQL\\\\Security\\\\JWTUser constructor expects Symfony\\\\Component\\\\Security\\\\Core\\\\User\\\\UserInterface, Symfony\\\\Component\\\\Security\\\\Core\\\\User\\\\UserInterface\\|null given\\.$#"
-			count: 1
-			path: src/lib/Mutation/Authentication.php
-
 		-
 			message: "#^Method Ibexa\\\\GraphQL\\\\Mutation\\\\InputHandler\\\\FieldType\\\\BinaryFile\\:\\:toFieldValue\\(\\) has parameter \\$input with no type specified\\.$#"
 			count: 1
@@ -2330,11 +2305,6 @@ parameters:
 			count: 1
 			path: src/lib/Schema/Worker.php
 
-		-
-			message: "#^Method Ibexa\\\\GraphQL\\\\Security\\\\NonAdminGraphQLRequestMatcher\\:\\:__construct\\(\\) has parameter \\$siteAccessGroups with no value type specified in iterable type array\\.$#"
-			count: 1
-			path: src/lib/Security/NonAdminGraphQLRequestMatcher.php
-
 		-
 			message: "#^Cannot cast object to string\\.$#"
 			count: 1

src/bundle/Resources/config/services/resolvers.yaml

@@ -62,9 +62,7 @@ services:
         tags:
             - { name: overblog_graphql.resolver, alias: "Thumbnail", method: "resolveThumbnail" }
 
-    Ibexa\GraphQL\Mutation\Authentication:
-        arguments:
-            $authenticator: '@?ibexa.rest.session_authenticator'
+    Ibexa\GraphQL\Mutation\AuthenticationMutation:
         tags:
             - { name: overblog_graphql.mutation, alias: "CreateToken", method: "createToken" }
 

src/lib/Mutation/AuthenticationMutation.php

@@ -0,0 +1,64 @@
+<?php
+
+/**
+ * @copyright Copyright (C) Ibexa AS. All rights reserved.
+ * @license For full copyright and license information view LICENSE file distributed with this source code.
+ */
+declare(strict_types=1);
+
+namespace Ibexa\GraphQL\Mutation;
+
+use Ibexa\Contracts\Core\Repository\Exceptions\NotFoundException;
+use Ibexa\Contracts\Core\Repository\UserService;
+use Ibexa\Core\MVC\Symfony\Security\User;
+use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
+use Overblog\GraphQLBundle\Definition\Argument;
+
+final readonly class AuthenticationMutation
+{
+    public function __construct(
+        private JWTTokenManagerInterface $tokenManager,
+        private UserService $userService
+    ) {
+    }
+
+    /**
+     * @return array<string, ?string>
+     *
+     * @throws \Ibexa\Contracts\Core\Repository\Exceptions\NotFoundException
+     */
+    public function createToken(Argument $args): array
+    {
+        if (!isset($args['username'], $args['password'])) {
+            return [
+                'message' => 'Missing username or password',
+                'token' => null,
+            ];
+        }
+
+        try {
+            $user = $this->userService->loadUserByLogin($args['username']);
+        } catch (NotFoundException) {
+            return $this->getWrongCredentialsErrorMessage();
+        }
+
+        if (!$this->userService->checkUserCredentials($user, $args['password'])) {
+            return $this->getWrongCredentialsErrorMessage();
+        }
+
+        return [
+            'token' => $this->tokenManager->create(new User($user)),
+        ];
+    }
+
+    /**
+     * @return array<string, ?string>
+     */
+    private function getWrongCredentialsErrorMessage(): array
+    {
+        return [
+            'message' => 'Wrong username or password',
+            'token' => null,
+        ];
+    }
+}

src/lib/Security/NonAdminGraphQLRequestMatcher.php

@@ -16,16 +16,19 @@
  * Security request matcher that excludes admin+graphql requests.
  * Needed because the admin uses GraphQL without a JWT.
  */
-class NonAdminGraphQLRequestMatcher implements RequestMatcherInterface
+final readonly class NonAdminGraphQLRequestMatcher implements RequestMatcherInterface
 {
-    /** @var string[][] */
-    private $siteAccessGroups;
-
-    public function __construct(array $siteAccessGroups)
-    {
-        $this->siteAccessGroups = $siteAccessGroups;
+    /**
+     * @param string[][] $siteAccessGroups
+     */
+    public function __construct(
+        private array $siteAccessGroups
+    ) {
     }
 
+    /**
+     * @throws \Ibexa\AdminUi\Exception\InvalidArgumentException
+     */
     public function matches(Request $request): bool
     {
         return