Merge pull request #9 from lampi87/master

use captcha and csrf in login form, including config switch
LM-Commons · May 20, 2021 · a2f63a2 · a2f63a2
2 parents 03b4235 + ec6e102
commit a2f63a2
Show file tree

Hide file tree

Showing 5 changed files with 140 additions and 9 deletions.
diff --git a/config/lmcuser.global.php.dist b/config/lmcuser.global.php.dist
@@ -113,6 +113,22 @@ $settings = [
      */
     //'use_registration_form_captcha' => false,
 
+    /**
+     * Login Form Captcha
+     *
+     * Determines if a captcha should be utilized on the user login form.
+     * Default value is false.
+     */
+    //'use_login_form_captcha' => false,
+
+	/**
+     * Login Form CSRF
+     *
+     * Determines if a csrf should be utilized on the user login form.
+     * Default value is true.
+     */
+    //'use_login_form_csrf' => true,
+
     /**
      * Form Captcha Options
      *

diff --git a/src/LmcUser/Form/Login.php b/src/LmcUser/Form/Login.php
@@ -51,14 +51,27 @@ public function __construct($name, AuthenticationOptionsInterface $options)
             )
         );
 
-        // @todo: Fix this
-        // 1) getValidator() is a protected method
-        // 2) i don't believe the login form is actually being validated by the login action
-        // (but keep in mind we don't want to show invalid username vs invalid password or
-        // anything like that, it should just say "login failed" without any additional info)
-        //$csrf = new Element\Csrf('csrf');
-        //$csrf->getValidator()->setTimeout($options->getLoginFormTimeout());
-        //$this->add($csrf);
+        if ($this->getAuthenticationOptions()->getUseLoginFormCsrf()) {
+            $this->add([
+                'type' => '\Laminas\Form\Element\Csrf',
+                'name' => 'security',
+                'options' => [
+                    'csrf_options' => [
+                        'timeout' => $this->getAuthenticationOptions()->getLoginFormTimeout()
+                    ]
+                ]
+            ]);
+        }
+        if ($this->getAuthenticationOptions()->getUseLoginFormCaptcha()) {
+            $this->add([
+                'name' => 'captcha',
+                'type' => 'Laminas\Form\Element\Captcha',
+                'options' => [
+                    'label' => 'Human check',
+                    'captcha' => $this->getAuthenticationOptions()->getFormCaptchaOptions(),
+                ]
+            ]);
+        }
 
         $submitElement = new Element\Button('submit');
         $submitElement

diff --git a/src/LmcUser/Form/LoginFilter.php b/src/LmcUser/Form/LoginFilter.php
@@ -12,7 +12,10 @@ public function __construct(AuthenticationOptionsInterface $options)
         $identityParams = array(
             'name'       => 'identity',
             'required'   => true,
-            'validators' => array()
+            'validators' => array(),
+            'filters'   => array(
+                array('name' => 'StringTrim'),
+            )
         );
 
         $identityFields = $options->getAuthIdentityFields();

diff --git a/src/LmcUser/Options/AuthenticationOptionsInterface.php b/src/LmcUser/Options/AuthenticationOptionsInterface.php
@@ -33,4 +33,49 @@ public function setAuthIdentityFields($authIdentityFields);
      * @return array
      */
     public function getAuthIdentityFields();
+
+    /**
+     * set use a captcha in login form
+     *
+     * @param bool $useLoginFormCaptcha
+     * @return ModuleOptions
+     */
+    public function setUseLoginFormCaptcha($useLoginFormCaptcha);
+
+    /**
+     * get use a captcha in login form
+     *
+     * @return bool
+     */
+    public function getUseLoginFormCaptcha();
+
+    /**
+     * set use a csrf in login form
+     *
+     * @param  bool $useLoginFormCsrf
+     * @return ModuleOptions
+     */
+    public function setUseLoginFormCsrf($useLoginFormCsrf);
+
+    /**
+     * get use a csrf in login form
+     *
+     * @return bool
+     */
+    public function getUseLoginFormCsrf();
+
+    /**
+     * set form CAPTCHA options
+     *
+     * @param  array $formCaptchaOptions
+     * @return ModuleOptions
+     */
+    public function setFormCaptchaOptions($formCaptchaOptions);
+
+    /**
+     * get form CAPTCHA options
+     *
+     * @return array
+     */
+    public function getFormCaptchaOptions();
 }
diff --git a/src/LmcUser/Options/ModuleOptions.php b/src/LmcUser/Options/ModuleOptions.php
@@ -98,6 +98,16 @@ class ModuleOptions extends AbstractOptions implements
      */
     protected $useRegistrationFormCaptcha = false;
 
+    /**
+     * @var bool
+     */
+    protected $useLoginFormCaptcha = false;
+
+    /**
+     * @var bool
+     */
+    protected $useLoginFormCsrf = true;
+
     /**
      * @var int
      */
@@ -473,6 +483,50 @@ public function getUseRegistrationFormCaptcha()
         return $this->useRegistrationFormCaptcha;
     }
 
+    /**
+     * set use a captcha in login form
+     *
+     * @param  bool $useLoginFormCaptcha
+     * @return ModuleOptions
+     */
+    public function setUseLoginFormCaptcha($useLoginFormCaptcha)
+    {
+        $this->useLoginFormCaptcha = $useLoginFormCaptcha;
+        return $this;
+    }
+
+    /**
+     * get use a captcha in login form
+     *
+     * @return bool
+     */
+    public function getUseLoginFormCaptcha()
+    {
+        return $this->useLoginFormCaptcha;
+    }
+
+    /**
+     * set use a csrf in login form
+     *
+     * @param  bool $useLoginFormCsrf
+     * @return ModuleOptions
+     */
+    public function setUseLoginFormCsrf($useLoginFormCsrf)
+    {
+        $this->useLoginFormCsrf = $useLoginFormCsrf;
+        return $this;
+    }
+
+    /**
+     * get use a csrf in login form
+     *
+     * @return bool
+     */
+    public function getUseLoginFormCsrf()
+    {
+        return $this->useLoginFormCsrf;
+    }
+
     /**
      * set user entity class name
      *