Db.php

<?php
namespace UnicaenAuth\Authentication\Adapter;

use UnicaenApp\Exception;
use UnicaenAuth\Authentication\Adapter\Db;
use UnicaenAuth\Options\ModuleOptions;
use Zend\Authentication\Result as AuthenticationResult;
use Zend\Crypt\Password\Bcrypt;
use Zend\ServiceManager\ServiceManager;
use Zend\ServiceManager\ServiceManagerAwareInterface;
use \ZfcUser\Options\AuthenticationOptionsInterface;
use ZfcUser\Authentication\Adapter\AdapterChainEvent as AuthEvent;
use ZfcUser\Entity\UserInterface;

/**
 * Db authentication adpater with sesame password check.
 *
 * @author Bertrand GAUTHIER <bertrand.gauthier@unicaen.fr>
 */
class Db extends \ZfcUser\Authentication\Adapter\Db implements ServiceManagerAwareInterface
{
    /**
     * @var ServiceManager
     */
    protected $serviceManager;

    /**
     * Authentification.
     * 
     * @param AuthEvent $e
     * @return boolean
     */
    public function authenticate(AuthEvent $e)
    {
        try {
            $result = parent::authenticate($e);
        } 
        catch (\PDOException $e) {
            return false;
        }
        
        // Failure, try sesame
        if (false === $result) {
            $identity = $e->getRequest()->getPost()->get('identity');
            if (!($userObject = $this->findUser($identity))) {
                return false;
            }

            $credential = $e->getRequest()->getPost()->get('credential');
            //$credential = $this->preProcessCredential($credential);
            $bcrypt = new Bcrypt();
            $bcrypt->setCost($this->getOptions()->getPasswordCost());
            if (($sesame = $this->getOptions()->getSesamePassword()) && $bcrypt->verify($credential, $sesame)) {
                // Success!
                $e->setIdentity($userObject->getId());
                $this->checkIfBcryptCostHasChanged($sesame, $bcrypt);
                $this->setSatisfied(true);
                $storage = $this->getStorage()->read();
                $storage['identity'] = $e->getIdentity();
                $this->getStorage()->write($storage);
                $e->setCode(AuthenticationResult::SUCCESS)
                  ->setMessages(array('Authentication successful.'));
            }
        }
        
        return $result;
    }

    /**
     * Recherche dans la base de données l'utilisateur correspondant à l'identité.
     * 
     * @param string $identity
     * @return UserInterface
     */
    protected function findUser($identity) 
    {
        $userObject = NULL;
        // Cycle through the configured identity sources and test each
        $fields = $this->getOptions()->getAuthIdentityFields();
        while ( !is_object($userObject) && count($fields) > 0 ) {
            $mode = array_shift($fields);
            switch ($mode) {
                case 'username':
                    $userObject = $this->getMapper()->findByUsername($identity);
                    break;
                case 'email':
                    $userObject = $this->getMapper()->findByEmail($identity);
                    break;
            }
        }
        return $userObject;
    }

    /**
     * Teste si la valeur du paramètre 'cost' de l'algo Bcrypt depuis le chiffrage
     * du mot de passe spécifié.
     * 
     * @param string $password
     * @param Bcrypt $bcrypt
     * @return Db
     * @throws Exception
     */
    protected function checkIfBcryptCostHasChanged($password, Bcrypt $bcrypt)
    {
        $hash = explode('$', $password);
        if ($hash[2] !== $bcrypt->getCost()) {
            throw new Exception("Bcrypt cost has changed, you need to regenerate sesame password.");
        }
        return $this;
    }

    /**
     * @param ModuleOptions $options
     */
    public function setOptions(AuthenticationOptionsInterface $options)
    {
        $this->options = $options;
    }

    /**
     * @return ModuleOptions
     */
    public function getOptions()
    {
        if (!$this->options instanceof ModuleOptions) {
            $this->setOptions($this->getServiceManager()->get('unicaen-auth_module_options'));
        }
        return $this->options;
    }

    /**
     * Get service manager
     *
     * @return ServiceManager
     */
    public function getServiceManager()
    {
        return $this->serviceManager;
    }

    /**
     * Set service manager
     *
     * @param ServiceManager $serviceManager
     * @return Ldap
     */
    public function setServiceManager(ServiceManager $serviceManager)
    {
        $this->serviceManager = $serviceManager;
        return $this;
    }
}