diff --git a/core/modules/rest/src/Plugin/ResourceBase.php b/core/modules/rest/src/Plugin/ResourceBase.php index 33cb3aa..4e77eb9 100644 --- a/core/modules/rest/src/Plugin/ResourceBase.php +++ b/core/modules/rest/src/Plugin/ResourceBase.php @@ -64,7 +64,7 @@ public static function create(ContainerInterface $container, array $configuratio $plugin_id, $plugin_definition, $container->getParameter('serializer.formats'), - $container->get('logger.factory')->get('rest') + $container->get('logger.channel.rest') ); } diff --git a/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php b/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php new file mode 100644 index 0000000..b801bcb --- /dev/null +++ b/core/modules/rest/src/Plugin/rest/resource/UserLoginResource.php @@ -0,0 +1,207 @@ +configFactory = $config_factory; + $this->flood = $flood; + $this->userStorage = $user_storage; + $this->csrfToken = $csrf_token; + $this->userAuth = $user_auth; + } + + /** + * {@inheritdoc} + */ + public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) { + return new static( + $configuration, + $plugin_id, + $plugin_definition, + $container->getParameter('serializer.formats'), + $container->get('logger.channel.rest'), + $container->get('config.factory'), + $container->get('flood'), + $container->get('entity.manager')->getStorage('user'), + $container->get('csrf_token'), + $container->get('user.auth') + ); + } + + /** + * Responds to the user login POST requests and logs in a user. + * + * @param array $credentials + * The login credentials. + * + * @return \Drupal\rest\ResourceResponse + * The HTTP response object. + */ + public function post($credentials) { + if (!isset($credentials['name']) && !isset($credentials['pass'])) { + throw new BadRequestHttpException('Missing credentials.'); + } + + // Verify that the username is filled. + if (!isset($credentials['name'])) { + throw new BadRequestHttpException('Missing credentials.name.'); + } + // Verify that the password is filled. + if (!isset($credentials['pass'])) { + throw new BadRequestHttpException('Missing credentials.pass.'); + } + + // Flood control. + if (!$this->isFloodBlocked()) { + throw new BadRequestHttpException('Blocked.'); + } + + // Verify that the user is not blocked. + if ($this->userIsBlocked($credentials['name'])) { + throw new BadRequestHttpException('The user has not been activated or is blocked.'); + } + + // Log in the user. + if ($uid = $this->userAuth->authenticate($credentials['name'], $credentials['pass'])) { + /** @var \Drupal\user\Entity\User $user */ + $user = $this->userStorage->load($uid); + $this->userLoginFinalize($user); + + // Add some basics about the user's account. + $response_data = [ + 'current_user' => [ + 'uid' => $user->id(), + 'roles' => $user->getRoles(), + 'name' => $user->getAccountName(), + ], + 'csrf_token' => $this->csrfToken->get('rest'), + ]; + + $response = new ResourceResponse($response_data, 200, []); + return $response->addCacheableDependency($user); + } + + $this->flood->register('rest.login_cookie', $this->configFactory->get('user.flood')->get('user_window')); + throw new BadRequestHttpException('Sorry, unrecognized username or password.'); + } + + /** + * Verifies if the user is blocked. + * + * @param string $name + * The username. + * + * @return bool + * Returns TRUE if the user is blocked, otherwise FALSE. + */ + protected function userIsBlocked($name) { + return user_is_blocked($name); + } + + /** + * Finalizes the user login. + * + * @param \Drupal\user\UserInterface $user + * The user. + */ + protected function userLoginFinalize(UserInterface $user) { + user_login_finalize($user); + } + + /** + * Checks for flooding. + * + * @return bool + * TRUE if the user is allowed to proceed, FALSE otherwise. + */ + protected function isFloodBlocked() { + $config = $this->configFactory->get('user.flood'); + $limit = $config->get('user_limit'); + $interval = $config->get('user_window'); + + return $this->flood->isAllowed('rest.login_cookie', $limit, $interval); + } + +} diff --git a/core/modules/rest/src/Plugin/rest/resource/UserLoginStatus.php b/core/modules/rest/src/Plugin/rest/resource/UserLoginStatus.php new file mode 100644 index 0000000..4ea6e0b --- /dev/null +++ b/core/modules/rest/src/Plugin/rest/resource/UserLoginStatus.php @@ -0,0 +1,89 @@ +currentUser = $current_user; + } + + /** + * {@inheritdoc} + */ + public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) { + return new static( + $configuration, + $plugin_id, + $plugin_definition, + $container->getParameter('serializer.formats'), + $container->get('logger.channel.rest'), + $container->get('current_user') + ); + } + + /** + * Response to user login status GET requests. + * + * @return \Drupal\rest\ResourceResponse + * A resource response. + */ + public function get() { + if ($this->currentUser->isAuthenticated()) { + $response = new ResourceResponse(self::LOGGED_IN, 200, []); + $response->addCacheableDependency($this->currentUser); + } + else { + $response = new ResourceResponse(self::LOGGED_OUT, 200, []); + } + return $response->addCacheableDependency((new CacheableMetadata())->setCacheMaxAge(0)); + } + +} diff --git a/core/modules/rest/src/Plugin/rest/resource/UserLogout.php b/core/modules/rest/src/Plugin/rest/resource/UserLogout.php new file mode 100644 index 0000000..cece0cf --- /dev/null +++ b/core/modules/rest/src/Plugin/rest/resource/UserLogout.php @@ -0,0 +1,38 @@ +userStorage = $user_storage; + } + + /** + * {@inheritdoc} + */ + public static function create(ContainerInterface $container, array $configuration, $plugin_id, $plugin_definition) { + return new static( + $configuration, + $plugin_id, + $plugin_definition, + $container->getParameter('serializer.formats'), + $container->get('logger.channel.rest'), + $container->get('entity_type.manager')->getStorage('user') + ); + } + + /** + * Resets a user password using a POST request. + * + * @param string $name + * The username or mail address, that should be resetted. + * @param string|null $langcode + * The langcode. + * + * @return \Drupal\rest\ResourceResponse::__construct + * The HTTP response. + */ + public function post($name, $langcode = NULL) { + $name = trim($name); + + if (!$account = $this->loadUserByNameOrEmail($name)) { + // No success, the user does not exist. + throw new BadRequestHttpException(new FormattableMarkup('Sorry, %name is not recognized as a user name or an e-mail address.', ['%name' => $name])); + } + + $mail = $this->userMailNotify($account, $langcode); + if (empty($mail)) { + throw new BadRequestHttpException('The email with the instructions was not sent as expected.'); + } + + $this->logger->notice('Password reset instructions mailed to %name at %email.', ['%name' => $account->getDisplayName(), '%email' => $account->getEmail()]); + return new ResourceResponse('Further instructions have been sent to your email address.', 200, []); + } + + /** + * Conditionally create and send a notification email. + * + * @param \Drupal\Core\Session\AccountInterface $account + * The user object of the account being notified. Must contain at + * least the fields 'uid', 'name', and 'mail'. + * @param string $langcode + * (optional) Language code to use for the notification, overriding account + * language. + * + * @return array + * An array containing various information about the message. + * See \Drupal\Core\Mail\MailManagerInterface::mail() for details. + */ + protected function userMailNotify(AccountInterface $account, $langcode = NULL) { + return _user_mail_notify('password_reset', $account, $langcode); + } + + /** + * Loads a user by name OR mail address. + * + * @param string $name + * The username or mail address, that should be loaded. + * + * @return \Drupal\user\UserInterface|null + * The loaded user or NULL. + */ + protected function loadUserByNameOrEmail($name) { + // Try to load by email. + $accounts = $this->userStorage->loadByProperties(['mail' => $name, 'status' => '1']); + if ($accounts) { + return reset($accounts); + } + + // No success, try to load by name. + $accounts = $this->userStorage->loadByProperties(['name' => $name, 'status' => '1']); + if ($accounts) { + return reset($accounts); + } + } + +} diff --git a/core/modules/rest/src/RequestHandler.php b/core/modules/rest/src/RequestHandler.php index 9efdb35..bdf30e1 100644 --- a/core/modules/rest/src/RequestHandler.php +++ b/core/modules/rest/src/RequestHandler.php @@ -54,9 +54,16 @@ public function handle(RouteMatchInterface $route_match, Request $request) { $method_settings = $config[$plugin][$request->getMethod()]; if (empty($method_settings['supported_formats']) || in_array($format, $method_settings['supported_formats'])) { $definition = $resource->getPluginDefinition(); - $class = $definition['serialization_class']; try { - $unserialized = $serializer->deserialize($received, $class, $format, array('request_method' => $method)); + if (array_key_exists('serialization_class', $definition)) { + $unserialized = $serializer->deserialize($received, $definition['serialization_class'], $format, array('request_method' => $method)); + } + // If the plugin does not specify a serialization class just decode + // the received data. + // Example: received JSON is decoded into a PHP array. + else { + $unserialized = $serializer->decode($received, $format, array('request_method' => $method)); + } } catch (UnexpectedValueException $e) { $error['error'] = $e->getMessage(); diff --git a/core/modules/rest/src/Tests/RESTTestBase.php b/core/modules/rest/src/Tests/RESTTestBase.php index 099957e..c9338ae 100644 --- a/core/modules/rest/src/Tests/RESTTestBase.php +++ b/core/modules/rest/src/Tests/RESTTestBase.php @@ -77,7 +77,7 @@ protected function setUp() { * @return string * The content returned from the request. */ - protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL) { + protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL, $request_headers = []) { if (!isset($mime_type)) { $mime_type = $this->defaultMimeType; } @@ -118,10 +118,11 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL) { CURLOPT_POSTFIELDS => $body, CURLOPT_URL => $url, CURLOPT_NOBODY => FALSE, - CURLOPT_HTTPHEADER => array( + CURLOPT_HTTPHEADER => array_merge( + array( 'Content-Type: ' . $mime_type, 'X-CSRF-Token: ' . $token, - ), + ), $request_headers), ); break; @@ -173,6 +174,9 @@ protected function httpRequest($url, $method, $body = NULL, $mime_type = NULL) { $this->verbose($method . ' request to: ' . $url . '