Add UserChecker to check for expired passwords, ensure users have active accounts

config/packages/security.yaml

@@ -15,11 +15,19 @@ security:
       pattern: ^/uploads/user_images/
       security: false
     dev:
-      pattern: ^/(_(profiler|wdt)|css|images|js)/
+      pattern:
+        - ^/_profiler
+        - ^/_wdt
+        - ^/css
+        - ^/images
+        - ^/js
+        - ^/uploads
+        - ^/favicon.ico
       security: false
     main:
       lazy: true
       provider: app_user_provider
+      user_checker: App\Security\UserChecker
       form_login:
         login_path: app_login
         check_path: app_login

src/Controller/DefaultController.php

@@ -9,6 +9,7 @@ use App\Libs\Libs;
 use App\Libs\NavList;
 use DateInterval;
 use DateTime;
+use DateTimeInterface;
 use DateTimeZone;
 use Doctrine\ORM\EntityManagerInterface;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
@@ -47,6 +48,18 @@ class DefaultController extends AbstractController
             return $this->redirectToRoute('app_register_step', ['step' => RegistrationController::REGISTER_STEP_TWO]);
         }
 
+        $oldPasswordDate = new DateTime('now', new DateTimeZone($_ENV['COMPANY_TIMEZONE']));
+        $oldPasswordDate->sub(DateInterval::createFromDateString('120 days'));
+
+        if (is_a($user->getPasswordChanged(), DateTimeInterface::class) && $user->getPasswordChanged() < $oldPasswordDate) {
+            $this->addFlash('danger', 'You must change your password');
+            return $this->redirectToRoute('app_profile');
+        }
+
+        if($_SERVER['HTTP_REFERER'] == "{$_SERVER['HTTP_X_FORWARDED_PROTO']}://{$_SERVER['HTTP_HOST']}/") {
+            $this->entityManager->getRepository(User::class)->updateLastLogin($user);
+        }
+
         $ytdtravel = $this->entityManager->getRepository(CaseItinerary::class)->getYTDTravel($user);
         $last30days = $this->entityManager->getRepository(CaseItinerary::class)->getTravelLast30Days($user);
         $ytdMiles = 0;

src/Entity/User.php

@@ -101,6 +101,12 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     #[ORM\Column(type: Types::TEXT, nullable: true)]
     private ?string $signature = null;
 
+    #[ORM\Column]
+    private ?bool $active = null;
+
+    #[ORM\Column(type: Types::DATETIME_MUTABLE, nullable: true)]
+    private ?\DateTimeInterface $lastLogin = null;
+
     public function __construct()
     {
         $this->userCases = new ArrayCollection();
@@ -454,4 +460,28 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
 
         return $this;
     }
+
+    public function isActive(): ?bool
+    {
+        return $this->active;
+    }
+
+    public function setActive(bool $active): static
+    {
+        $this->active = $active;
+
+        return $this;
+    }
+
+    public function getLastLogin(): ?\DateTimeInterface
+    {
+        return $this->lastLogin;
+    }
+
+    public function setLastLogin(?\DateTimeInterface $lastLogin): static
+    {
+        $this->lastLogin = $lastLogin;
+
+        return $this;
+    }
 }

src/Repository/UserRepository.php

@@ -4,6 +4,8 @@ namespace App\Repository;
 
 use App\Entity\Company;
 use App\Entity\User;
+use DateTime;
+use DateTimeZone;
 use Doctrine\Bundle\DoctrineBundle\Repository\ServiceEntityRepository;
 use Doctrine\Persistence\ManagerRegistry;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
@@ -20,6 +22,20 @@ class UserRepository extends ServiceEntityRepository implements PasswordUpgrader
         parent::__construct($registry, User::class);
     }
 
+    public function updateLastLogin(User $user): void
+    {
+        $currentTime = new DateTime('now', new DateTimeZone($_ENV['COMPANY_TIMEZONE']));
+        $qb = $this->createQueryBuilder('u');
+        $q = $qb->update(User::class, 'u')
+               ->set('u.lastLogin', "'{$currentTime->format('Y-m-d H:i:s')}'")
+               ->where('u.id = :id')
+               ->setParameter('id', $user->getId()->toBinary())
+               ->getQuery()
+        ;
+
+        $q->execute();
+    }
+
     /**
      * Used to upgrade (rehash) the user's password automatically over time.
      */

src/Security/UserChecker.php

@@ -0,0 +1,48 @@
+<?php
+
+namespace App\Security;
+
+use App\Entity\User as AppUser;
+use DateInterval;
+use DateTime;
+use DateTimeZone;
+use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Core\Exception\CustomUserMessageAccountStatusException;
+use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+class UserChecker extends AbstractController implements UserCheckerInterface
+{
+    public function checkPreAuth(UserInterface $user): void
+    {
+        if (!$user instanceof AppUser) {
+            return;
+        }
+
+        if (!$user->isActive()) {
+            // the message passed to this exception is meant to be displayed to the user
+            throw new CustomUserMessageAccountStatusException('Your user account has been deactivated by an Admin, please follow up with your Admin to reactivate it.');
+        }
+    }
+
+    public function checkPostAuth(UserInterface $user): void
+    {
+        $dt = new DateTime('now', new DateTimeZone($_ENV['COMPANY_TIMEZONE']));
+        $dt->sub(DateInterval::createFromDateString('120 days'));
+
+        if (!$user instanceof AppUser) {
+            return;
+        }
+
+        if (!\in_array('ROLE_USER', $user->getRoles())) {
+            throw new AccessDeniedException('You do not have access to this system, please contact an Admin');
+        }
+
+        // user account is expired, the user may be notified
+        if ($user->getPasswordChanged() < $dt) {
+            $this->addFlash('warning', 'Your password has expired. Please change it now!');
+            $this->redirectToRoute('app_profile');
+        }
+    }
+}