src/App/Service/GoogleIdentityService.php line 332

Open in your IDE?
  1. <?php
  3. namespace App\Service;
  5. use App\Entity\AnonymousUserInfo;
  6. use App\Entity\Blacklisting;
  7. use App\Entity\GoogleIdentityUserInfo;
  8. use App\Entity\Profile;
  9. use App\Entity\User;
  10. use App\Event\UserRegisteredEvent;
  11. use Doctrine\ORM\EntityManagerInterface;
  12. use Exception;
  13. use FOS\UserBundle\Util\TokenGeneratorInterface;
  14. use Google\Service\Oauth2\Userinfo;
  15. use Google_Client;
  16. use Google_Service_Oauth2;
  17. use InvalidArgumentException;
  18. use JanusHercules\DatawarehouseIntegration\Domain\Entity\BusinessEvent;
  19. use JanusHercules\DatawarehouseIntegration\Domain\Service\BusinessEventDomainService;
  20. use Psr\Log\LoggerInterface;
  21. use Symfony\Component\HttpFoundation\Request;
  22. use Symfony\Component\HttpFoundation\RequestStack;
  23. use Symfony\Component\HttpFoundation\Response;
  24. use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
  25. use Symfony\Component\HttpKernel\Exception\HttpException;
  26. use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
  27. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  28. use Throwable;
  30. class GoogleIdentityService
  31. {
  32. public const GOOGLE_CLIENT_CONFIG_PATH = '/config/resources/other-fixtures/google/client_secret_788335927892-ttc3saqioltf5ng0plia8l3635mp3lbr.apps.googleusercontent.com.json';
  34. private LoggerInterface $logger;
  36. private RouterHelperService $routerHelperService;
  38. private EntityManagerInterface $entityManager;
  40. private UserService $userService;
  42. private RegistrationService $registrationService;
  44. private JobseekerProfileService $jobseekerProfileService;
  46. private JoboffererProfileService $joboffererProfileService;
  48. private EventDispatcherInterface $eventDispatcher;
  50. private string $kernelRootDir;
  52. private FileService $fileService;
  54. private AnonymousUserInfoService $anonymousUserInfoService;
  56. private SessionService $sessionService;
  58. private TokenGeneratorInterface $tokenGenerator;
  60. private RequestStack $requestStack;
  62. private Google_Client $client;
  64. private BusinessEventDomainService $businessEventDomainService;
  66. public function __construct(
  67. LoggerInterface $logger,
  68. RouterHelperService $routerHelperService,
  69. EntityManagerInterface $entityManager,
  70. UserService $userService,
  71. RegistrationService $registrationService,
  72. JobseekerProfileService $jobseekerProfileService,
  73. JoboffererProfileService $joboffererProfileService,
  74. EventDispatcherInterface $eventDispatcher,
  75. string $kernelRootDir,
  76. FileService $fileService,
  77. AnonymousUserInfoService $anonymousUserInfoService,
  78. SessionService $sessionService,
  79. TokenGeneratorInterface $tokenGenerator,
  80. RequestStack $requestStack,
  81. Google_Client $client,
  82. BusinessEventDomainService $businessEventDomainService,
  83. private readonly BlacklistingService $blacklistingService
  84. ) {
  85. $this->logger = $logger;
  86. $this->routerHelperService = $routerHelperService;
  87. $this->entityManager = $entityManager;
  88. $this->userService = $userService;
  89. $this->registrationService = $registrationService;
  90. $this->jobseekerProfileService = $jobseekerProfileService;
  91. $this->joboffererProfileService = $joboffererProfileService;
  92. $this->eventDispatcher = $eventDispatcher;
  93. $this->kernelRootDir = $kernelRootDir;
  94. $this->fileService = $fileService;
  95. $this->anonymousUserInfoService = $anonymousUserInfoService;
  96. $this->sessionService = $sessionService;
  97. $this->tokenGenerator = $tokenGenerator;
  98. $this->requestStack = $requestStack;
  99. $this->client = $client;
  100. $this->businessEventDomainService = $businessEventDomainService;
  101. }
  103. // User Info is available thanks to our Google Cloud Platform project at
  104. // https://console.cloud.google.com/apis/credentials?project=sigma-crawler-349911
  106. public function getJobseekerUserInfoByOAuth2Code(string $code): ?GoogleIdentityUserInfo
  107. {
  108. try {
  109. $this->configureGoogleClient();
  110. $this->client->setRedirectUri($this->routerHelperService->generate(
  111. 'returnurls.google.identity.oauth2.jobseeker',
  112. [],
  113. UrlGeneratorInterface::ABSOLUTE_URL
  114. ));
  116. return $this->getUserInfoByOAuth2Code($code);
  117. } catch (Throwable $t) {
  118. $this->logger->error("Error while trying get Google user info for jobseeker by OAuth2 code: {$t->getMessage()}");
  120. return null;
  121. }
  122. }
  124. public function getJoboffererUserInfoByOAuth2Code(string $code): ?GoogleIdentityUserInfo
  125. {
  126. try {
  127. $this->configureGoogleClient();
  128. $this->client->setRedirectUri($this->routerHelperService->generate(
  129. 'returnurls.google.identity.oauth2.jobofferer',
  130. [],
  131. UrlGeneratorInterface::ABSOLUTE_URL
  132. ));
  134. return $this->getUserInfoByOAuth2Code($code);
  135. } catch (Throwable $t) {
  136. $this->logger->error("Error while trying get Google user info for jobofferer by OAuth2 code: {$t->getMessage()}");
  138. return null;
  139. }
  140. }
  142. public function getLoginUserInfoByOAuth2Code(string $code): ?GoogleIdentityUserInfo
  143. {
  144. try {
  145. $this->configureGoogleClient();
  146. $this->client->setRedirectUri($this->routerHelperService->generate(
  147. 'returnurls.google.identity.oauth2.login',
  148. [],
  149. UrlGeneratorInterface::ABSOLUTE_URL
  150. ));
  152. return $this->getUserInfoByOAuth2Code($code);
  153. } catch (Throwable $t) {
  154. $this->logger->error("Error while trying get Google user info for login by OAuth2 code: {$t->getMessage()}");
  156. return null;
  157. }
  158. }
  160. public function getJobseekerUserInfoByGsiCredential(string $credential): ?GoogleIdentityUserInfo
  161. {
  162. try {
  163. $this->configureGoogleClient();
  164. $this->client->setRedirectUri($this->routerHelperService->generate(
  165. 'returnurls.google.identity.oauth2.jobseeker',
  166. [],
  167. UrlGeneratorInterface::ABSOLUTE_URL
  168. ));
  170. return $this->getUserInfoByGsiCredential($credential);
  171. } catch (Throwable $t) {
  172. $this->logger->error("Error while trying to get Google user info for jobseeker by GSI credential: {$t->getMessage()}");
  174. return null;
  175. }
  176. }
  178. public function getJoboffererUserInfoByGsiCredential(string $credential): ?GoogleIdentityUserInfo
  179. {
  180. try {
  181. $this->configureGoogleClient();
  182. $this->client->setRedirectUri($this->routerHelperService->generate(
  183. 'returnurls.google.identity.oauth2.jobofferer',
  184. [],
  185. UrlGeneratorInterface::ABSOLUTE_URL
  186. ));
  188. return $this->getUserInfoByGsiCredential($credential);
  189. } catch (Throwable $t) {
  190. $this->logger->error("Error while trying to get Google user info for jobofferer by GSI credential: {$t->getMessage()}");
  192. return null;
  193. }
  194. }
  196. public function canBeRegistered(GoogleIdentityUserInfo $userInfo): bool
  197. {
  198. return is_null($this->findUser($userInfo));
  199. }
  201. /** @throws Exception
  202. * @throws \Doctrine\DBAL\Driver\Exception
  203. */
  204. public function registerJobseekerUser(Request $request, GoogleIdentityUserInfo $userInfo): void
  205. {
  206. if ($this->blacklistingService->isEmailBlacklistedForType(trim(mb_strtolower($userInfo->getEmail())), Blacklisting::BLACKLISTING_TYPE_REGISTRATION)) {
  207. throw new Exception('User is not allowed to register on joboo');
  208. }
  209. $user = $this->registrationService->createRudimentaryUser();
  210. $user->addRole(User::ROLE_NAME_JOBSEEKER);
  211. $user->setEmail($userInfo->getEmail());
  212. $user->setCreatedVia(
  213. $userInfo->getInfoSource() === GoogleIdentityUserInfo::INFO_SOURCE_OAUTH2
  214. ? User::CREATED_VIA_GOOGLE_IDENTITY_OAUTH2
  215. : User::CREATED_VIA_GOOGLE_IDENTITY_GSI
  216. );
  217. $user->setConfirmationToken(substr(hash('sha256', $this->tokenGenerator->generateToken()), 0, 20));
  218. $this->entityManager->persist($user);
  220. $jobseekerProfile = $this->jobseekerProfileService->getOrCreateAndGetDefaultProfile($user);
  222. if ($this->sessionService->hasSessionAnonymousUserInfo($this->requestStack->getSession())) {
  223. $anonymousUserInfo = $this->entityManager->find(
  224. AnonymousUserInfo::class,
  225. $this->sessionService->getAnonymousUserInfo($this->requestStack->getSession())
  226. );
  227. $anonymousUserInfo->setToken(urlencode($user->getConfirmationToken()));
  228. $this->entityManager->persist($anonymousUserInfo);
  229. $this->entityManager->flush();
  230. $this->anonymousUserInfoService->prefillJobseekerProfileForm($anonymousUserInfo->getId(), $jobseekerProfile);
  231. }
  233. $jobseekerProfile->setFirstname($userInfo->getGivenName());
  234. $jobseekerProfile->setLastname($userInfo->getFamilyName());
  235. $this->addProfilePictureToProfile($jobseekerProfile, $userInfo->getPicture());
  236. $this->entityManager->persist($jobseekerProfile);
  237. $this->entityManager->flush();
  239. $this->eventDispatcher->dispatch(
  240. new UserRegisteredEvent($user),
  241. UserRegisteredEvent::class
  242. );
  244. // Registering via Google Identity implies account confirmation, because we trust Google that
  245. // there is a real user with a valid email address behind each Google account.
  246. $this->confirm($request, $userInfo);
  247. }
  249. /** @throws Exception */
  250. public function registerJoboffererUser(Request $request, GoogleIdentityUserInfo $userInfo): void
  251. {
  252. if ($this->blacklistingService->isEmailBlacklistedForType(trim(mb_strtolower($userInfo->getEmail())), Blacklisting::BLACKLISTING_TYPE_REGISTRATION)) {
  253. throw new Exception('User is not allowed to register on joboo');
  254. }
  255. $user = $this->registrationService->createRudimentaryUser();
  256. $user->addRole(User::ROLE_NAME_JOBOFFERER);
  257. $user->setEmail($userInfo->getEmail());
  258. $user->setCreatedVia(
  259. $userInfo->getInfoSource() === GoogleIdentityUserInfo::INFO_SOURCE_OAUTH2
  260. ? User::CREATED_VIA_GOOGLE_IDENTITY_OAUTH2
  261. : User::CREATED_VIA_GOOGLE_IDENTITY_GSI
  262. );
  263. $user->setConfirmationToken(substr(hash('sha256', $this->tokenGenerator->generateToken()), 0, 20));
  264. $this->entityManager->persist($user);
  266. $joboffererProfile = $this->joboffererProfileService->getOrCreateAndGetDefaultProfile($user);
  268. if ($this->sessionService->hasSessionAnonymousUserInfo($this->requestStack->getSession())) {
  269. $anonymousUserInfo = $this->entityManager->find(
  270. AnonymousUserInfo::class,
  271. $this->sessionService->getAnonymousUserInfo($this->requestStack->getSession())
  272. );
  273. $anonymousUserInfo->setToken(urlencode($user->getConfirmationToken()));
  274. $this->entityManager->persist($anonymousUserInfo);
  275. $this->entityManager->flush();
  276. $this->anonymousUserInfoService->prefillJoboffererProfileForm($anonymousUserInfo->getId(), $joboffererProfile);
  277. }
  279. $joboffererProfile->setFirstname($userInfo->getGivenName());
  280. $joboffererProfile->setLastname($userInfo->getFamilyName());
  281. $this->addProfilePictureToProfile($joboffererProfile, $userInfo->getPicture());
  282. $this->entityManager->persist($joboffererProfile);
  283. $this->entityManager->flush();
  285. $this->eventDispatcher->dispatch(
  286. new UserRegisteredEvent($user),
  287. UserRegisteredEvent::class
  288. );
  290. // Registering via Google Identity implies account confirmation, because we trust Google that
  291. // there is a real user with a valid email address behind each Google account.
  292. $this->confirm($request, $userInfo);
  293. }
  295. /** @throws \Google\Exception */
  296. public function getJobseekerOAuth2TargetUrl(): string
  297. {
  298. $this->configureGoogleClient();
  299. $this->client->setRedirectUri($this->routerHelperService->generate(
  300. 'returnurls.google.identity.oauth2.jobseeker',
  301. [],
  302. UrlGeneratorInterface::ABSOLUTE_URL
  303. ));
  305. return $this->client->createAuthUrl();
  306. }
  308. /** @throws \Google\Exception */
  309. public function getJoboffererOAuth2TargetUrl(): string
  310. {
  311. $this->configureGoogleClient();
  312. $this->client->setRedirectUri($this->routerHelperService->generate(
  313. 'returnurls.google.identity.oauth2.jobofferer',
  314. [],
  315. UrlGeneratorInterface::ABSOLUTE_URL
  316. ));
  318. return $this->client->createAuthUrl();
  319. }
  321. /** @throws \Google\Exception */
  322. public function getLoginOAuth2TargetUrl(?User $user): string
  323. {
  324. $this->businessEventDomainService->writeNewEvent(BusinessEvent::EVENT_TYPE_LOG_IN_VIA_GOOGLE_BUTTON_WAS_PRESSED, $user);
  325. $this->configureGoogleClient();
  326. $this->client->setRedirectUri($this->routerHelperService->generate(
  327. 'returnurls.google.identity.oauth2.login',
  328. [],
  329. UrlGeneratorInterface::ABSOLUTE_URL
  330. ));
  332. return $this->client->createAuthUrl();
  333. }
  335. // This is for the edge case where the user has started the registration "normally" (submitted the initial reg form with 2x mailaddress),
  336. // but then later, before clicking the confirmation link, using the "Register with Google" CTA on the registration page
  337. public function canBeConfirmed(GoogleIdentityUserInfo $userInfo): bool
  338. {
  339. $user = $this->findUser($userInfo);
  340. if (!is_null($user) && !$user->isEnabled()) {
  341. return true;
  342. }
  344. return false;
  345. }
  347. public function confirm(Request $request, GoogleIdentityUserInfo $userInfo): bool
  348. {
  349. if (!$this->canBeConfirmed($userInfo)) {
  350. throw new InvalidArgumentException('Cannot confirm based on Google Identity user info.');
  351. }
  353. $user = $this->findUser($userInfo);
  354. $user->setEnabled(true);
  356. $this->registrationService->handleUserAccountConfirmation($request, $user);
  358. return false;
  359. }
  361. public function canBeLoggedIn(GoogleIdentityUserInfo $userInfo): bool
  362. {
  363. $user = $this->findUser($userInfo);
  364. if (is_null($user) || !$user->isEnabled()) {
  365. return false;
  366. }
  368. return true;
  369. }
  371. public function login(Request $request, GoogleIdentityUserInfo $userInfo): void
  372. {
  373. if (!$this->canBeLoggedIn($userInfo)) {
  374. throw new InvalidArgumentException('Cannot log in based on Google Identity user info.');
  375. }
  376. $user = $this->findUser($userInfo);
  377. $this->userService->login($request, $user);
  378. }
  380. public function handleJobseekerUserInfo(Request $request, GoogleIdentityUserInfo $userInfo): string
  381. {
  382. if ($this->canBeConfirmed($userInfo)) {
  383. $this->confirm($request, $userInfo);
  384. }
  385. if ($this->canBeLoggedIn($userInfo)) {
  386. $this->login($request, $userInfo);
  388. return $this->routerHelperService->generate(
  389. 'account.conversations.index_router',
  390. [],
  391. UrlGeneratorInterface::ABSOLUTE_URL
  392. );
  393. } elseif ($this->canBeRegistered($userInfo)) {
  394. try {
  395. $this->registerJobseekerUser($request, $userInfo);
  396. } catch (Throwable $t) {
  397. throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, "Error while trying to register jobseeker user: '{$t->getMessage()}'.");
  398. }
  399. $this->login($request, $userInfo);
  401. return $this->routerHelperService->generate(
  402. 'account.profiles.index',
  403. [],
  404. UrlGeneratorInterface::ABSOLUTE_URL
  405. );
  406. } else {
  407. // This can e.g. happen if a user started a "normal" jobseeker registration, but before
  408. // clicking on the activation mail cta, they used the OAuth2 cta on the jobseeker reg page
  409. throw new BadRequestHttpException("Can neither log in nor register user with email {$userInfo->getEmail()}.");
  410. }
  411. }
  413. public function handleJoboffererUserInfo(Request $request, GoogleIdentityUserInfo $userInfo): string
  414. {
  415. if ($this->canBeConfirmed($userInfo)) {
  416. $this->confirm($request, $userInfo);
  417. }
  418. if ($this->canBeLoggedIn($userInfo)) {
  419. $this->login($request, $userInfo);
  421. return $this->routerHelperService->generate(
  422. 'account.conversations.index_router',
  423. [],
  424. UrlGeneratorInterface::ABSOLUTE_URL
  425. );
  426. } elseif ($this->canBeRegistered($userInfo)) {
  427. try {
  428. $this->registerJoboffererUser($request, $userInfo);
  429. } catch (Throwable $t) {
  430. throw new HttpException(Response::HTTP_INTERNAL_SERVER_ERROR, "Error while trying to register jobofferer user: '{$t->getMessage()}'.");
  431. }
  432. $this->login($request, $userInfo);
  434. return $this->routerHelperService->generate(
  435. 'account.profiles.index',
  436. [],
  437. UrlGeneratorInterface::ABSOLUTE_URL
  438. );
  439. } else {
  440. // This can e.g. happen if a user started a "normal" jobseeker registration, but before
  441. // clicking on the activation mail cta, they used the OAuth2 cta on the jobseeker reg page
  442. throw new BadRequestHttpException("Can neither log in nor register user with email {$userInfo->getEmail()}.");
  443. }
  444. }
  446. private function getUserInfoByOAuth2Code(string $code): ?GoogleIdentityUserInfo
  447. {
  448. try {
  449. $token = $this->client->fetchAccessTokenWithAuthCode($code);
  450. if (isset($token['error'])) {
  451. $this->logger->error("Invalid Google OAuth2 auth code '$code'.");
  453. return null;
  454. }
  455. $oAuth = new Google_Service_Oauth2($this->client);
  456. /** @var Userinfo $userInfo */
  457. $userInfo = $oAuth->userinfo_v2_me->get();
  459. if (is_null($userInfo)) {
  460. $this->logger->error('userinfo_v2_me->get result is null.');
  462. return null;
  463. }
  465. $this->logger->debug('User info is ' . json_encode($userInfo));
  467. return new GoogleIdentityUserInfo(
  468. GoogleIdentityUserInfo::INFO_SOURCE_OAUTH2,
  469. $userInfo->getEmail(),
  470. $userInfo->getGivenName(),
  471. $userInfo->getFamilyName(),
  472. $userInfo->getPicture(),
  473. );
  474. } catch (Throwable $t) {
  475. $this->logger->error("Error while trying get Google user info by OAuth2 code: {$t->getMessage()}");
  477. return null;
  478. }
  479. }
  481. private function getUserInfoByGsiCredential(string $credential): ?GoogleIdentityUserInfo
  482. {
  483. try {
  484. $verifyIdTokenResult = $this->client->verifyIdToken($credential);
  485. if ($verifyIdTokenResult === false) {
  486. $this->logger->error('verify id token result is false.');
  488. return null;
  489. }
  491. if (is_null($verifyIdTokenResult)) {
  492. $this->logger->error('verify id token result is null.');
  494. return null;
  495. }
  497. $this->logger->debug('User info is ' . json_encode($verifyIdTokenResult));
  499. return new GoogleIdentityUserInfo(
  500. GoogleIdentityUserInfo::INFO_SOURCE_GSI,
  501. $verifyIdTokenResult['email'],
  502. array_key_exists('given_name', $verifyIdTokenResult) ? $verifyIdTokenResult['given_name'] : '',
  503. array_key_exists('family_name', $verifyIdTokenResult) ? $verifyIdTokenResult['family_name'] : '',
  504. array_key_exists('picture', $verifyIdTokenResult) ? $verifyIdTokenResult['picture'] : '',
  505. );
  506. } catch (Throwable $t) {
  507. $this->logger->error("Error while trying to get Google user info by GSI credential: {$t->getMessage()}");
  509. return null;
  510. }
  511. }
  513. /** @throws \Google\Exception */
  514. private function configureGoogleClient(): void
  515. {
  516. $this->client = new Google_Client();
  517. $this->client->setAuthConfig($this->kernelRootDir . GoogleIdentityService::GOOGLE_CLIENT_CONFIG_PATH);
  518. $this->client->addScope(['profile', 'email']);
  519. }
  521. private function findUser(GoogleIdentityUserInfo $userInfo): ?User
  522. {
  523. return $this->entityManager->getRepository(User::class)->findOneBy(['emailCanonical' => mb_strtolower($userInfo->getEmail())]);
  524. }
  526. private function addProfilePictureToProfile(Profile $profile, string $url): void
  527. {
  528. $pathname = sys_get_temp_dir() . DIRECTORY_SEPARATOR;
  529. $filename = uniqid() . basename($url); // Adding a uniqe value avoids the edge case that two uploads
  530. // with the same filename are handled at the same time and overwrite each other
  532. $filepath = $pathname . $filename;
  534. if (!copy($url, $filepath)) {
  535. return;
  536. }
  538. $fileNameExtended = $this->fileService->copyLocalFileToGaufretteFilesystem(
  539. $filepath,
  540. 'profile_photos_fs'
  541. );
  543. unlink($filepath);
  545. $profile->setPhotoFileName($fileNameExtended);
  546. }
  547. }