Initial commit

application/Espo/Core/Authentication/Hook/BeforeLogin.php

@@ -0,0 +1,47 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook;
+
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Api\Request;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Exceptions\ServiceUnavailable;
+
+/**
+ * Before logging in, before credentials are checked.
+ */
+interface BeforeLogin
+{
+    /**
+     * @throws Forbidden
+     * @throws ServiceUnavailable
+     */
+    public function process(AuthenticationData $data, Request $request): void;
+}

application/Espo/Core/Authentication/Hook/Hooks/FailedAttemptsLimit.php

@@ -0,0 +1,113 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook\Hooks;
+
+use Espo\Core\Api\Util;
+use Espo\Core\Authentication\HeaderKey;
+use Espo\Core\Authentication\Hook\BeforeLogin;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Api\Request;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Authentication\ConfigDataProvider;
+use Espo\ORM\EntityManager;
+use Espo\Entities\AuthLogRecord;
+
+use DateTime;
+use Espo\ORM\Name\Attribute;
+use Exception;
+use RuntimeException;
+
+/**
+ * @noinspection PhpUnused
+ */
+class FailedAttemptsLimit implements BeforeLogin
+{
+    public function __construct(
+        private ConfigDataProvider $configDataProvider,
+        private EntityManager $entityManager,
+        private Util $util
+    ) {}
+
+    /**
+     * @throws Forbidden
+     */
+    public function process(AuthenticationData $data, Request $request): void
+    {
+        $isByTokenOnly = !$data->getMethod() && $request->getHeader(HeaderKey::AUTHORIZATION_BY_TOKEN) === 'true';
+
+        if ($isByTokenOnly || $this->configDataProvider->isAuthLogDisabled()) {
+            return;
+        }
+
+        $failedAttemptsPeriod = $this->configDataProvider->getFailedAttemptsPeriod();
+
+        $ipAddress = $this->util->obtainIpFromRequest($request);
+
+        $where = [
+            'requestTime>' => $this->getTimeFrom($request, $failedAttemptsPeriod)->format('U'),
+            'isDenied' => true,
+            'ipAddress' => $ipAddress,
+        ];
+
+        $wasFailed = (bool) $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->select([Attribute::ID])
+            ->where($where)
+            ->findOne();
+
+        if (!$wasFailed) {
+            return;
+        }
+
+        $failAttemptCount = $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->where($where)
+            ->count();
+
+        if ($failAttemptCount <= $this->configDataProvider->getMaxFailedAttemptNumber()) {
+            return;
+        }
+
+        throw new Forbidden("Max failed login attempts exceeded for IP address $ipAddress.");
+    }
+
+    private function getTimeFrom(Request $request, string $failedAttemptsPeriod): DateTime
+    {
+        $requestTime = intval($request->getServerParam('REQUEST_TIME_FLOAT'));
+
+        try {
+            $requestTimeFrom = (new DateTime('@' . $requestTime))->modify('-' . $failedAttemptsPeriod);
+        } catch (Exception $e) {
+            throw new RuntimeException($e->getMessage());
+        }
+
+        return $requestTimeFrom;
+    }
+}

application/Espo/Core/Authentication/Hook/Hooks/FailedCodeAttemptsLimit.php

@@ -0,0 +1,118 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook\Hooks;
+
+use Espo\Core\Api\Request;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Authentication\ConfigDataProvider;
+use Espo\Core\Authentication\Hook\BeforeLogin;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Entities\AuthLogRecord;
+use Espo\ORM\EntityManager;
+
+use DateTime;
+use Espo\ORM\Name\Attribute;
+use Exception;
+use RuntimeException;
+
+/**
+ * @noinspection PhpUnused
+ */
+class FailedCodeAttemptsLimit implements BeforeLogin
+{
+    public function __construct(
+        private ConfigDataProvider $configDataProvider,
+        private EntityManager $entityManager,
+    ) {}
+
+    /**
+     * @throws Forbidden
+     */
+    public function process(AuthenticationData $data, Request $request): void
+    {
+        if (
+            $request->getHeader('Espo-Authorization-Code') === null ||
+            $this->configDataProvider->isAuthLogDisabled()
+        ) {
+            return;
+        }
+
+        $isByTokenOnly = !$data->getMethod() && $request->getHeader('Espo-Authorization-By-Token') === 'true';
+
+        if ($isByTokenOnly) {
+            return;
+        }
+
+        $failedAttemptsPeriod = $this->configDataProvider->getFailedCodeAttemptsPeriod();
+
+        $where = [
+            'requestTime>' => $this->getTimeFrom($request, $failedAttemptsPeriod)->format('U'),
+            'isDenied' => true,
+            'username' => $data->getUsername(),
+            'denialReason' => AuthLogRecord::DENIAL_REASON_WRONG_CODE,
+        ];
+
+        $wasFailed = (bool) $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->select([Attribute::ID])
+            ->where($where)
+            ->findOne();
+
+        if (!$wasFailed) {
+            return;
+        }
+
+        $failAttemptCount = $this->entityManager
+            ->getRDBRepository(AuthLogRecord::ENTITY_TYPE)
+            ->where($where)
+            ->count();
+
+        if ($failAttemptCount <= $this->configDataProvider->getMaxFailedAttemptNumber()) {
+            return;
+        }
+
+        $username = $data->getUsername() ?? '';
+
+        throw new Forbidden("Max failed 2FA login attempts exceeded for username '$username'.");
+    }
+
+    private function getTimeFrom(Request $request, string $failedAttemptsPeriod): DateTime
+    {
+        $requestTime = intval($request->getServerParam('REQUEST_TIME_FLOAT'));
+
+        try {
+            $requestTimeFrom = (new DateTime('@' . $requestTime))->modify('-' . $failedAttemptsPeriod);
+        } catch (Exception $e) {
+            throw new RuntimeException($e->getMessage());
+        }
+
+        return $requestTimeFrom;
+    }
+}

application/Espo/Core/Authentication/Hook/Hooks/IpAddressWhitelist.php

@@ -0,0 +1,87 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook\Hooks;
+
+use Espo\Core\Api\Request;
+use Espo\Core\Api\Util;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Authentication\ConfigDataProvider;
+use Espo\Core\Authentication\Hook\OnLogin;
+use Espo\Core\Authentication\Result;
+use Espo\Core\Authentication\Util\IpAddressUtil;
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Utils\Config;
+
+class IpAddressWhitelist implements OnLogin
+{
+    public function __construct(
+        private ConfigDataProvider $configDataProvider,
+        private Util $util,
+        private Config $config,
+        private IpAddressUtil $ipAddressUtil
+    ) {}
+
+    public function process(Result $result, AuthenticationData $data, Request $request): void
+    {
+        if (!$this->configDataProvider->ipAddressCheck()) {
+            return;
+        }
+
+        $ipAddress = $this->util->obtainIpFromRequest($request);
+
+        if (
+            $ipAddress &&
+            $this->ipAddressUtil->isInWhitelist($ipAddress, $this->configDataProvider->getIpAddressWhitelist())
+        ) {
+            return;
+        }
+
+        $user = $result->getUser();
+
+        if ($user && $user->isPortal()) {
+            return;
+        }
+
+        if ($user && $user->isSuperAdmin() && $this->config->get('restrictedMode')) {
+            return;
+        }
+
+        if (
+            $user &&
+            in_array($user->getId(), $this->configDataProvider->getIpAddressCheckExcludedUserIdList())
+        ) {
+            return;
+        }
+
+        $username = $user ? $user->getUserName() : '?';
+
+        throw new Forbidden("Not allowed IP address $ipAddress, user: $username.");
+    }
+}

application/Espo/Core/Authentication/Hook/Manager.php

@@ -0,0 +1,195 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook;
+
+use Espo\Core\Exceptions\Forbidden;
+use Espo\Core\Exceptions\ServiceUnavailable;
+use Espo\Core\Utils\Metadata;
+use Espo\Core\InjectableFactory;
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Api\Request;
+use Espo\Core\Authentication\Result;
+
+class Manager
+{
+
+    public function __construct(private Metadata $metadata, private InjectableFactory $injectableFactory)
+    {}
+
+    /**
+     * @throws ServiceUnavailable
+     * @throws Forbidden
+     */
+    public function processBeforeLogin(AuthenticationData $data, Request $request): void
+    {
+        foreach ($this->getBeforeLoginHookList() as $hook) {
+            $hook->process($data, $request);
+        }
+    }
+
+    /**
+     * @throws Forbidden
+     */
+    public function processOnLogin(Result $result, AuthenticationData $data, Request $request): void
+    {
+        foreach ($this->getOnLoginHookList() as $hook) {
+            $hook->process($result, $data, $request);
+        }
+    }
+
+    public function processOnFail(Result $result, AuthenticationData $data, Request $request): void
+    {
+        foreach ($this->getOnFailHookList() as $hook) {
+            $hook->process($result, $data, $request);
+        }
+    }
+
+    public function processOnSuccess(Result $result, AuthenticationData $data, Request $request): void
+    {
+        foreach ($this->getOnSuccessHookList() as $hook) {
+            $hook->process($result, $data, $request);
+        }
+    }
+
+    public function processOnSuccessByToken(Result $result, AuthenticationData $data, Request $request): void
+    {
+        foreach ($this->getOnSuccessByTokenHookList() as $hook) {
+            $hook->process($result, $data, $request);
+        }
+    }
+
+    public function processOnSecondStepRequired(Result $result, AuthenticationData $data, Request $request): void
+    {
+        foreach ($this->getOnSecondStepRequiredHookList() as $hook) {
+            $hook->process($result, $data, $request);
+        }
+    }
+
+    /**
+     * @return class-string<BeforeLogin|OnResult>[]
+     */
+    private function getHookClassNameList(string $type): array
+    {
+        $key = $type . 'HookClassNameList';
+
+        /** @var class-string<BeforeLogin|OnResult>[] */
+        return $this->metadata->get(['app', 'authentication', $key]) ?? [];
+    }
+
+    /**
+     * @return BeforeLogin[]
+     */
+    private function getBeforeLoginHookList(): array
+    {
+        $list = [];
+
+        foreach ($this->getHookClassNameList('beforeLogin') as $className) {
+            /** @var class-string<BeforeLogin> $className */
+            $list[] = $this->injectableFactory->create($className);
+        }
+
+        return $list;
+    }
+
+    /**
+     * @return OnLogin[]
+     */
+    private function getOnLoginHookList(): array
+    {
+        $list = [];
+
+        foreach ($this->getHookClassNameList('onLogin') as $className) {
+            /** @var class-string<OnLogin> $className */
+            $list[] = $this->injectableFactory->create($className);
+        }
+
+        return $list;
+    }
+
+    /**
+     * @return OnResult[]
+     */
+    private function getOnFailHookList(): array
+    {
+        $list = [];
+
+        foreach ($this->getHookClassNameList('onFail') as $className) {
+            /** @var class-string<OnResult> $className */
+            $list[] = $this->injectableFactory->create($className);
+        }
+
+        return $list;
+    }
+
+    /**
+     * @return OnResult[]
+     */
+    private function getOnSuccessHookList(): array
+    {
+        $list = [];
+
+        foreach ($this->getHookClassNameList('onSuccess') as $className) {
+            /** @var class-string<OnResult> $className */
+            $list[] = $this->injectableFactory->create($className);
+        }
+
+        return $list;
+    }
+
+    /**
+     * @return OnResult[]
+     */
+    private function getOnSuccessByTokenHookList(): array
+    {
+        $list = [];
+
+        foreach ($this->getHookClassNameList('onSuccessByToken') as $className) {
+            /** @var class-string<OnResult> $className */
+            $list[] = $this->injectableFactory->create($className);
+        }
+
+        return $list;
+    }
+
+    /**
+     * @return OnResult[]
+     */
+    private function getOnSecondStepRequiredHookList(): array
+    {
+        $list = [];
+
+        foreach ($this->getHookClassNameList('onSecondStepRequired') as $className) {
+            /** @var class-string<OnResult> $className */
+            $list[] = $this->injectableFactory->create($className);
+        }
+
+        return $list;
+    }
+}

application/Espo/Core/Authentication/Hook/OnLogin.php

@@ -0,0 +1,46 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook;
+
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Api\Request;
+use Espo\Core\Authentication\Result;
+use Espo\Core\Exceptions\Forbidden;
+
+/**
+ * Once a login result is ready.
+ */
+interface OnLogin
+{
+    /**
+     * @throws Forbidden
+     */
+    public function process(Result $result, AuthenticationData $data, Request $request): void;
+}

application/Espo/Core/Authentication/Hook/OnResult.php

@@ -0,0 +1,42 @@
+<?php
+/************************************************************************
+ * This file is part of EspoCRM.
+ *
+ * EspoCRM – Open Source CRM application.
+ * Copyright (C) 2014-2025 EspoCRM, Inc.
+ * Website: https://www.espocrm.com
+ *
+ * This program is free software: you can redistribute it and/or modify
+ * it under the terms of the GNU Affero General Public License as published by
+ * the Free Software Foundation, either version 3 of the License, or
+ * (at your option) any later version.
+ *
+ * This program is distributed in the hope that it will be useful,
+ * but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ * GNU Affero General Public License for more details.
+ *
+ * You should have received a copy of the GNU Affero General Public License
+ * along with this program. If not, see <https://www.gnu.org/licenses/>.
+ *
+ * The interactive user interfaces in modified source and object code versions
+ * of this program must display Appropriate Legal Notices, as required under
+ * Section 5 of the GNU Affero General Public License version 3.
+ *
+ * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
+ * these Appropriate Legal Notices must retain the display of the "EspoCRM" word.
+ ************************************************************************/
+
+namespace Espo\Core\Authentication\Hook;
+
+use Espo\Core\Authentication\AuthenticationData;
+use Espo\Core\Api\Request;
+use Espo\Core\Authentication\Result;
+
+/**
+ * Once a login result is ready.
+ */
+interface OnResult
+{
+    public function process(Result $result, AuthenticationData $data, Request $request): void;
+}