I'm exploring the new system for User Authentication using the new AbstractAuthenticator class in my symfony 5 project.
My symfony app will contain a mix of routes, some will only be accessible to authenticated users and some for unauthenticated users (public access)
My security.yaml file looks something like this:
security:
enable_authenticator_manager: true
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
custom_authenticators:
- App\Security\JwtAuthenticator
access_control:
- { path: ^/auth/login, roles: PUBLIC_ACCESS }
- { path: ^/auth, roles: ROLE_USER }
I have also setup a route to auth/login
However, when I access the url https://myapp.test/auth/login I get the following message:
{"message":"Invalid credentials."}
If I remove the custom authenticator directive from security.yaml the url loads as expected.
Below is the authenticate function from the Authenticator class:
public function authenticate(Request $request): PassportInterface
{
return new SelfValidatingPassport(new UserBadge($request->get('email));
}
if I access /auth/login with a valid user matching the email address provided and with the ROLE_USER role, the page will load as expected. If I access it without providing an email address, the page will return the following (from the onAuthenticationFailure method):
{"message":"Invalid credentials."}
If I understand correctly, as stated in Symfony docs, the PUBLIC_ACCESS should skip authenticating the user and load the /auth/login route, while everything else under /auth/ should be protected. But I cannot get the PUBLIC_ACCESS directive to work.
I resolved it by changing the location of custom_authenticators like that:
security:
enable_authenticator_manager: true
firewalls:
main:
json_login: # that is my login for rest api
provider: user_provider
check_path: api_login
api:
pattern: ^/api
custom_authenticators: # here is the location for my custom authenticator
- App\Security\Authenticator
stateless: true
access_control:
- { path: ^/login, roles: PUBLIC_ACCESS }
I hope it helps!
Related
I have read the docs and followed this similar question:
Allow anonymous access to specific URL in symfony firewall protected bundle
Using Symfony 4.1.4 I have tried the following:
access_control:
- { path: ^/rpi/service/application/quote/approve, roles: IS_AUTHENTICATED_ANONYMOUSLY}
- { path: ^/rpi, roles: ROLE_USER }
- { path: ^/erp, roles: ROLE_USER }
However when I access the first URI as anonymous I am prompted by the http_basic_ldap login screen. Any ideas?
You need
anonymous: true
in your firewall, as in the default configuration config/packages/security.yml:
security:
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
providers:
in_memory: { memory: ~ }
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: true
Anonymous authentication means that the user is authenticated and has a token, but it is an anonymous token.
If you do not have anonymous: true, the AnonymousAuthenticationListener will never run for your firewall, and never create an anonymous token.
I'm pretty new to Symfony although I've managed to set up a working site, with role based authentication and firewalls I'm really struggling working out how to build a system that allows users to login and have access to a page that only they and admin has access to.
What I really want is a dynamic security role which enables the user in the current session access to their own private page and blocks everyone else...
Here's my actual config:
security:
encoders: #define the encoders used to encode passwords
Symfony\Component\Security\Core\User\User: plaintext
IntuitByDesign\UserBundle\Entity\User: bcrypt
role_hierarchy:
ROLE_ADMIN: [ROLE_USER]
providers:
chain_provider:
chain:
providers: [in_memory, user_db]
in_memory:
memory:
users:
admin: { password: adminpass, roles: ROLE_ADMIN }
user_db:
entity: {class: IntuitByDesignUserBundle:User, property: username }
firewalls:
main:
logout: true
pattern: /.*
form_login:
login_path: login
check_path: login
default_target_path: /user
logout:
path: /logout
target: /
security: true
anonymous: true
access_control:
- { path: /login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: /logout, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: /user, roles: ROLE_ADMIN }
- { path: /user-page/, roles: ROLE_USER}
- { path: /.*, roles: IS_AUTHENTICATED_ANONYMOUSLY }
Any hints on how to do this?
Update: After login I would like to redirect page that only the specific logged in user can see.
I thought a way that this might be achieved could be with matching the session username with the user path?
You could check in the redirected action, if the user is logged in. If yes, load the data according to the user. e.g. you load the needed data by his user id.
So every user sees the data which is related with himself.
You can find more information about user authentication handling in this question: How to check if an user is logged in Symfony2 inside a controller?
look FosUserBundle
you can create a system of user easily
I have created a REST API, i'm actually trying to secure it with the FOSOAuthServerBundle.
I created the route newclient to generate new client, now i would like to allow only the 'admin' to access to this url.
I guess it's possible to do this with scopes but i can't figure out how.
Here is my security.yml:
security:
providers:
user_provider:
id: user_provider
firewalls:
doc:
pattern: ^/doc
security: false
oauth_token:
pattern: ^/oauth/v2/token
security: false
oauth_authorize:
pattern: ^/oauth/v2/auth
provider: user_provider
anonymous: true
api:
pattern: ^/
fos_oauth: true
stateless: true
anonymous: false
access_control:
- { path: ^/, roles: ROLE_CLIENT }
- { path: ^/newclient, roles: ROLE_ADMIN }
My config.yml
fos_oauth_server:
db_driver: orm
client_class: WS\RESTBundle\Entity\Client
access_token_class: WS\RESTBundle\Entity\AccessToken
refresh_token_class: WS\RESTBundle\Entity\RefreshToken
auth_code_class: WS\RESTBundle\Entity\AuthCode
Any tips ?
Actually desling with scopes is not the best way to do it, plus the bundle does not support it : https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/issues/231
I made use the User model, add a "role" method and check if the current user's role is enough to access the to the routes.
Here is the piece of code
//Get the current user, check if it's an admin
$token = $this->container->get('security.context')->getToken()->getToken();
$accessToken = $this->container
->get('fos_oauth_server.access_token_manager.default')
->findTokenBy(array('token' => $token));
$client = $accessToken->getClient();
if ($client->getRole() == 'admin') {
...
}
Not sure if it's the best way to do it, any advices welcome !
I've been following the instruction here: https://gist.github.com/danvbe/4476697, I have read the entire thread more than once, but I'm not getting a solution for my problem.
I want to use the oauth bundle just for account linking, persisting the user data from oauth provider. My users will not be authenticated using oauth.
Nevertheless, I have implemented the whole thing to see if it works with github as provider, but nothing. I'm able to go to the authorization page, but when I click on Allow Access, I'm inevitable redirected to the login page with this error No oauth code in the request.
If stop using the custom FOSUBUserProvider and change to the default HWI one, then I get the app registered in Github but cannot persist the data.
Important: I tried replicating exactly the FOSUBUserProvider from HWI and the same problem remained, so probably is not related it's implementation but maybe with the service definition or the config.
Any help is greatly appreciated.
These are the relevant files:
FOSUBUserProvider.php
class FOSUBUserProvider extends BaseClass
{
/**
* {#inheritDoc}
*/
public function connect(UserInterface $user, UserResponseInterface $response)
{
$property = $this->getProperty($response);
$username = $response->getUsername();
//on connect - get the access token and the user ID
$service = $response->getResourceOwner()->getName();
$setter = 'set'.ucfirst($service);
$setter_id = $setter.'Id';
$setter_token = $setter.'AccessToken';
//we "disconnect" previously connected users
if (null !== $previousUser = $this->userManager->findUserBy(array($property => $username))) {
$previousUser->$setter_id(null);
$previousUser->$setter_token(null);
$this->userManager->updateUser($previousUser);
}
//we connect current user
$user->$setter_id($username);
$user->$setter_token($response->getAccessToken());
$this->userManager->updateUser($user);
}
/**
* {#inheritdoc}
*/
public function loadUserByOAuthUserResponse(UserResponseInterface $response)
{
$username = $response->getUsername();
$user = $this->userManager->findUserBy(array($this->getProperty($response) => $username));
//when the user is registrating
if (null === $user) {
$service = $response->getResourceOwner()->getName();
$setter = 'set'.ucfirst($service);
$setter_id = $setter.'Id';
$setter_token = $setter.'AccessToken';
// create new user here
$user = $this->userManager->createUser();
$user->$setter_id($username);
$user->$setter_token($response->getAccessToken());
//I have set all requested data with the user's username
//modify here with relevant data
$user->setUsername($username);
$user->setEmail($username);
$user->setPassword($username);
$user->setEnabled(true);
$this->userManager->updateUser($user);
return $user;
}
//if user exists - go with the HWIOAuth way
$user = parent::loadUserByOAuthUserResponse($response);
$serviceName = $response->getResourceOwner()->getName();
$setter = 'set' . ucfirst($serviceName) . 'AccessToken';
//update access token
$user->$setter($response->getAccessToken());
return $user;
}
}
config.yml
hwi_oauth:
#this is my custom user provider, created from FOSUBUserProvider - will manage the
#automatic user registration on your site, with data from the provider (facebook. google, etc.)
#and also, the connecting part (get the token and the user_id)
connect:
account_connector: custom.user.provider
# name of the firewall in which this bundle is active, this setting MUST be set
firewall_name: main
# optional FOSUserBundle integration
fosub:
# try 30 times to check if a username is available (foo, foo1, foo2 etc)
username_iterations: 30
# mapping between resource owners (see below) and properties
properties:
github: githubId
# optional HTTP Client configuration
http_client:
verify_peer: false
resource_owners:
github:
type: github
client_id: xxxxxxxxxxxxxxxxxxxxxx
client_secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
scope: "repo, delete_repo, notifications, gist"
options:
csrf: true
security.yml
providers:
fos_userbundle:
id: fos_user.user_provider.username_email
firewalls: #CAUTION! The order of the firewalls IS ON PURPOSE! DON'T CHANGE!
# Disabling the security for the web debug toolbar, the profiler and Assetic.
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
# -> custom firewall for the admin area of the URL
admin:
pattern: /admin(.*)
context: user
form_login:
provider: fos_userbundle
login_path: /admin/login
use_forward: false
check_path: /admin/login_check
failure_path: null
logout:
path: /admin/logout
anonymous: true
# -> end custom configuration
# defaut login area for standard users
# This firewall is used to handle the public login area
# This part is handled by the FOS User Bundle
main:
pattern: .*
context: user
form_login:
provider: fos_userbundle
login_path: /login
use_forward: false
check_path: /login_check
failure_path: null
logout: true
anonymous: true
# Login path for OAuth providers
oauth:
resource_owners:
github: "/login/check-github"
trello: "/login/check-trello"
login_path: /login
failure_path: /login
# FOSUB integration
# oauth_user_provider:
# service: hwi_oauth.user.provider.fosub_bridge
oauth_user_provider:
#this is my custom user provider, created from FOSUBUserProvider - will manage the
#automatic user registration on website, with data from the provider (github. trello, etc.)
service: custom.user.provider
access_control:
# URL of FOSUserBundle which need to be available to anonymous users
- { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Admin login page needs to be access without credential
- { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
# Secured part of the site
# This config requires being logged for the whole site and having the admin role for the admin part.
# Change these rules to adapt them to your needs
- { path: ^/admin/, role: [ROLE_ADMIN, ROLE_SONATA_ADMIN] }
- { path: ^/.*, role: ROLE_USER } #This is on purpose.
routing.yml
hwi_oauth_security:
resource: "#HWIOAuthBundle/Resources/config/routing/login.xml"
prefix: /connect
hwi_oauth_connect:
resource: "#HWIOAuthBundle/Resources/config/routing/connect.xml"
prefix: /connect
hwi_oauth_redirect:
resource: "#HWIOAuthBundle/Resources/config/routing/redirect.xml"
prefix: /connect
services.yml
parameters:
custom.user.provider.class: My\Bundle\Path\Security\Core\User\FOSUBUserProvider
services:
sonata.admin.user:
class: My\Bundle\Path\Admin\Model\UserAdmin
tags:
# - { name: sonata.admin, manager_type: orm, group: users, label: users, label_translator_strategy: sonata.admin.label.strategy.underscore }
arguments:
- ~
- My\Bundle\Path\Entity\User
- SonataAdminBundle:CRUD
calls:
- [setTranslationDomain, [SonataUserBundle]]
- [setUserManager, [#fos_user.user_manager]]
- [setSecurityContext, [#security.context]]
custom.user.provider:
class: "%custom.user.provider.class%"
#this is the place where the properties are passed to the UserProvider - see config.yml
arguments: [#fos_user.user_manager,{github: github_id, trello: trello_id}]
Well, after a lot of try and error, I found the problem:
The callback URL in Github was: http://mywebsite/login/check-github but that was wrong. The truth is that I never found what this value had to be set up to, so I was guessing. By accident I discovered the right URL: http://mywebsite/connect/service/github applicable in my case, with my configuration.
I found it in one of the times in wich I tried the default HWI Provider, inspecting the redirects with the browser console.
After login failure, the application does not redirect to the login page.Here is my security.yml configuration:
security:
encoders:
Acme\SecurityBundle\Entity\Users: sha512
role_hierarchy:
ROLE_ADMIN: ROLE_USER
providers:
main:
entity: { class: Acme\SecurityBundle\Entity\Users}
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
login:
pattern: ^/login$
security: false
secured_area:
pattern: ^/admin/
form_login:
check_path: /login_check
login_path: /login
logout:
path: /logout
target: /home
access_control:
- { path: ^/admin, roles: ROLE_ADMIN }
Here is my controller:
class LoginController extends Controller {
/**
* #Route("/login",name="login")
*/
public function loginAction() {
//displays login form and renders the login.html.twig
}
/**
* #Route("/login_check", name="login_check")
*/
public function loginCheckAction() {
// The security layer will intercept this request
}
After login failure I get error as :
The controller must return a response (null given). Did you forget to add a return statement somewhere in your controller?
500 Internal Server Error - LogicException
I tried the login section inside the Demo that ships with symfony. I found the same result.
What modification should I have to make in order redirect to login form after login failure ?
You don't need to create a controller class for the login and logout actions. You just need to specify those routes inside of routing.yml, something like:
login_path:
pattern: /login
login_check_path:
pattern: /admin/login_check
logout_path:
pattern: /admin/logout
These routes are automatically handled by the security component.
In the firewall configuration, your check_path should be defined as /admin/login_check. The logout path should be /admin/logout.