anyx / LoginGateBundle


Doesn't work in Symfony 5.1 with provided example #32

Closed bjo3rnf closed 3 years ago

bjo3rnf commented 3 years ago

Hi,

in my application I configured the users' email addresses as usernames and implemented a custom LoginFormAuthenticator. To see the actual username in the failure_login_attempt table I added a custom UsernameResolver as described. Now failed login attempts do get logged with the correct username/email but the brute force checker never kicks in. Turns out the username argument is null on the request object passed to the login action. What could be the reason for this?

Thanks in advance.

Cheers Björn

anyx commented 3 years ago

Hi, @bjo3rnf. Not sure that I can help without code, but the bundle's code is pretty simple (I hope). You can check what's going on in the BruteForceChecker service: https://github.com/anyx/LoginGateBundle/blob/71143306603de1ac0c9cb35aa7d5ebab9fd88bed/Service/BruteForceChecker.php#L50.

I believe a couple of var_dump's here can clarify your situation. Text me if you find some problem in the bundle.

bjo3rnf commented 3 years ago

Hi @anyx,

thanks for your response. I am now injecting AuthenticationUtils into my username resolver to get the username of the last login. It seems that the request object that is provided to the action method is different from the original login request and this is most probably the reason why AuthenticationUtils exists in the first place:

namespace App\Security;

use Anyx\LoginGateBundle\Service\UsernameResolverInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

class LoginGateUsernameResolver implements UsernameResolverInterface
{
    /**
     * @var AuthenticationUtils
     */
    private $authenticationUtils;

    public function __construct(AuthenticationUtils $authenticationUtils)
    {
        $this->authenticationUtils = $authenticationUtils;
    }

    public function resolve(Request $request)
    {
        // Ignore the request passed to the login action and read the username
        // that the security component stored from the last login attempt.
        return $this->authenticationUtils->getLastUsername();
    }
}

WDYT: Is this something that should be implemented into your code?

Cheers Björn

anyx commented 3 years ago

I don't think that using AuthenticationUtils is a good idea here: the method getLastUsername returns the last (previous) username (which can be stored in the session). But we need to get the current username here ($request->get('_username') or something like that).

bjo3rnf commented 3 years ago

You are probably right. But BruteForceChecker will not be usable like this in the controller. The request object provided after a failed login is a GET one. Hm...

bjo3rnf commented 3 years ago

But maybe I'm doing something fundamentally wrong on my side. In search for an alternative to the controller method I registered an event listener as described but the event is never fired.

bjo3rnf commented 3 years ago

Sorry for the noise, @anyx, but here's how it works for me now: As mentioned earlier I am using a custom LoginFormAuthenticator as described here: https://symfony.com/doc/current/security/form_login_setup.html. What I have to do now is to integrate BruteForceChecker into the onAuthenticationFailure method, where I can access the original request and return the appropriate response. Thanks for your time.
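The hook described in the comment above, as an added example that is neither the bundle's nor Björn's code. It assumes a Guard-based App\Security\LoginFormAuthenticator from the Symfony 5.1 docs already exists, that the bundle's BruteForceChecker class is autowirable, and that its check method is named canLogin(Request): bool (an assumed name; confirm it against the bundle's source).

```php
<?php
// Added example (not from the bundle or the issue). Assumed: Guard
// AbstractFormLoginAuthenticator (Symfony 5.1) and a BruteForceChecker
// method canLogin(Request): bool that returns false once the attempt
// limit for the request's username / client IP has been reached.

namespace App\Security;

use Anyx\LoginGateBundle\Service\BruteForceChecker;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;

// Extends the app's existing authenticator so only the failure path changes.
class ThrottledLoginFormAuthenticator extends LoginFormAuthenticator
{
    /** @var BruteForceChecker */
    private $bruteForceChecker;

    /**
     * Setter injection keeps the parent constructor untouched.
     * @required
     */
    public function setBruteForceChecker(BruteForceChecker $checker): void
    {
        $this->bruteForceChecker = $checker;
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): Response
    {
        // Unlike the request handed to the login controller after the redirect,
        // $request here is the original POST, so _username (the email) is
        // still present for the checker to key on.
        if (!$this->bruteForceChecker->canLogin($request)) {
            // Swap the credential error for a throttling message. The message
            // is deliberately generic so it reveals nothing about the account.
            $exception = new CustomUserMessageAuthenticationException(
                'Too many failed login attempts. Please try again later.'
            );
        }

        // The parent stores the exception in the session under
        // Security::AUTHENTICATION_ERROR and redirects back to the login page.
        return parent::onAuthenticationFailure($request, $exception);
    }
}
```

Point the firewall's guard authenticator at this class instead of the original; the bundle's own listener still records the failed attempt, this override only decides what the user sees once the limit is hit.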

anyx commented 3 years ago

@bjo3rnf no problem. Good luck!

bjo3rnf commented 3 years ago

Well, I eventually implemented my own lightweight solution by leveraging UserCheckerInterface. Your code was a good starting point for that so thanks again.