My application has 2 security firewalls
"admin" - used by internal staff
"account" - used by customers.
Previoly I had one action under the account firewall, the action in the controller looks something like this.
$user = //get user somehow
$token = new UsernamePasswordToken($user, null, 'account', $user->getRoles());
$this->get('security.token_storage')->setToken($token);
With this code above, I was able to "login as" different users, and this was working but not exactly what I wanted.
However, when I move this code to an action inside my the admin firewall, it is instead changing the token for the admin firewall, but I still want it to change the token for the account firewall, is this possible?
(In other words, I only want admin users to have the ability to login as different account users)
I would rather not share the "context" between the firewalls, as I would like someone to be able to be logged into the admin and the account firewalls at the same time.
This may be a little hacky, but manually wiriting the token to the session achieved what I wanted
$token = new UsernamePasswordToken($user, null, 'account', $user->getRoles());
$this->get('session')->set('_security_account',serialize($token));
// Needed to prepend "_security_" to the firewall name to get "_security_account"
Didnt even need to call lines such as
//Didnt seem to need to call either of these
$this->get('security.token_storage')->setToken($token); //Symfony 2.6+
$this->get('security.context')->setToken($token)
Related
I have rerouted all the traffic to my main domain let's say www.example.com and my first page is www.example.com/login so any entry in the subdomain will be redirected to main domain so something.example.com/login will end up on the same page as www.example.com/login (but the subdomain will stay in the url). The reason I am doing this is that i have multi 'clients' and 'users' every user is responsible for one or more client and its all set in the database and working perfectly so i can login with user1 i will see some tasks for user1 on client1 and when i login with user2 i will see tasks from user2 on client2 etc...
Now i need to do one more thing to make it look a bit better, when someone opens example.com and login with user1 credentials i want him to be redirected to client1.example.com and at the same time when someone opens client1.example.com i want him to see the logo from that client.
All the database queries and other login issues are handled but i am facing couple of issues:
how to redirect to the correct client (subdomain) ?
and vice versa if a (super admin) user which responsible for managing clients and users logs in how to redirect him to main domain (example.com) without?
One more issue but i think it will be solved when i can solve the other issues is when a user manages more than one client, i want to give him the ability to switch clients something like user1 have a menu to switch to client1 or client2 but any redirection i make is logging the user out. how can i maintain the session with this feature ?
p.s when different users logs in the (theme) colors and logos of the application are being called from database according to the client and thats why i need to read the subdomain on the first page so i can change the login logo according to the subdomain
this is a piece of my code to see how i am achieving this if anyone is interested
$currentUrl = $request->getHttpHost();
$baseUrl = $this->container->getParameter('base_url');
$subdomain = str_replace('.'.$baseUrl, '',$currentUrl);
if (sizeof($user->getClients()) > 0) {
$filter = $this->em->getFilters()->enable(Utils::CLIENT_FILTER_NAME);
if ($user->getLastLoggedInClient() !== null) {
$client = $user->getLastLoggedInClient();
} else {
$client = $user->getClients()->first();
}
if ($client == null) {
throw new ClientNotFoundException();
}
if(!$client->isActive()){
throw new ClientNotActiveException();
}
$this->session->set(Utils::CLIENT_ID_NAME, $client->getId());
$this->session->set('client', $client);
$filter->setParameter(Utils::CLIENT_ID_NAME, $client->getId());
$user->setLastLoggedInClient($client);
$this->em->persist($user);
$this->em->flush();
}
else{
return new RedirectResponse('/logout');
}
return new RedirectResponse('/');
so i think somewhere around here return new RedirectResponse('/'); i need to redirect to the correct subdomain.
Thanks!
When you first realise that a user needs to login (from client1.example.com), put the URL, or 'client1' client-name into a session, readable on www.example.com - or add it to the URL (like https://www.example.com/login/to/client1 - the route would be '/login/to/{clientname}'), or more simply /login?clientname=client1.
When a user has logged in, and been verified to be a member of 'client1', then the redirection would be to a route like 'client_app_dashboard', ['clientname' => 'client1'] - and a route definition of #Route("/", name="client_app_dashboard", host="{clientname}.example.com")
The Symfony docs have information on How to Match a Route Based on the Host.
As for a logo - that would be fetched and displayed based on the $clientname on the www. homepage.
So, maybe I missed this somewhere in the docs but I couldn't find anything of the sort.
I wan't my users to have to type in their current password to be able to create a new one. From what I understand if the user is authenticated he is able to update his password without providing his current one.
Even if this might be somewhat secure I would rather have him type his old one to prevent people from going on already authenticated sessions from say family members or so and changing the pw.
Is there any way to do this?
(I have no problem using the Admin SDK since I already set up a server for these kind of things)
UPDATE: (Use - reauthenticateWithCredential)
var user = firebaseApp.auth().currentUser;
var credential = firebase.auth.EmailAuthProvider.credential(
firebase.auth().currentUser.email,
providedPassword
);
// Prompt the user to re-provide their sign-in credentials
user.reauthenticateWithCredential(credential).then(function() {
// User re-authenticated.
}).catch(function(error) {
// An error happened.
});
PREVIOUS VERSION
you can use reauthenticate API to do so. I am assuming you want to verify a current user's password before allowing the user to update it. So in web you do something like the following:
reauthenticateAndRetrieveDataWithCredential- DEPRECATED
firebase.auth().currentUser.reauthenticateAndRetrieveDataWithCredential(
firebase.auth.EmailAuthProvider.credential(
firebase.auth().currentUser.email,
providedPassword
)
);
If this succeeds, then you can call
firebase.auth().currentUser.updatePassword(newPassword);
I have a website where I have to authenticate the users registered in another system (in this case the Kayako support system).
I think I have to use the APIs to resolve this problem, but I don't really know how to get started.
Can someone please help me solve this problem? How can I send the data required for the authentication and how do I manage the response I get from Kayako.
Figure out how the API of the Kayako system looks like. In WordPress you can do something similar like this in order to authenticate the users:
// this action is executed just before the invocation of the WordPress authentication process
add_action('wp_authenticate','checkTheUserAuthentication');
function checkTheUserAuthentication() {
$username=$_POST['log'];
$password=$_POST['pwd'];
// try to log into the external service or database with username and password
$ext_auth = try2AuthenticateExternalService($username,$password);
// if external authentication was successful
if($ext_auth) {
// find a way to get the user id
$user_id = username_exists($username);
// userdata will contain all information about the user
$userdata = get_userdata($user_id);
$user = set_current_user($user_id,$username);
// this will actually make the user authenticated as soon as the cookie is in the browser
wp_set_auth_cookie($user_id);
// the wp_login action is used by a lot of plugins, just decide if you need it
do_action('wp_login',$userdata->ID);
// you can redirect the authenticated user to the "logged-in-page", define('MY_PROFILE_PAGE',1); f.e. first
header("Location:".get_page_link(MY_PROFILE_PAGE));
}
}
The try2AuthenticateExternalService() method should contain some curl-request (or similar) to the remote service.
I am using FOSUserBundle for handling my users. For them I have 2 roles ROLE_CUSTOMER and ROLE_MANUFACTURER. The problem is that I need to be able switch these roles when I am logged in. Is it possible? I have read this documentation:
http://symfony.com/doc/current/cookbook/security/impersonating_user.html
There is said how I can switch user to other user without relog, but nothing about role switching.
Maybe someone has any code examples or something? I have read too lot documentations which are hard to understand.
Look at my answer here - Symfony 2.3: How do I refresh the authenticated user from the database?
The key is you need to reset a token after you switched roles.
Something like this:
$loggedInUser = $this->get('security.context')->getToken()->getUser();
$loggedInUser->removeRole('ROLE_ABC');
$loggedInUser->addRole('ROLE_XYZ');
$token = new \Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken(
$loggedInUser,
null,
'main',
$loggedInUser->getRoles()
);
$this->container->get('security.context')->setToken($token);
I'd like to e-mail all my users a link to a symfony site that I am writing, and have it so that when they follow that link they are logged in to the site (probably with a special role, like IS_AUTHENTICATED_REMEMBERED), and redirected to a certain page. How can I do this?
So the link would be something like:
http://example.com/?key=[some sort secret key with their account encoded in it]
i'd do something like this: generate the key with a hash function over the username.
Then send them a link to http://example.com/?user=username&hash=the-hash-result.
In the action that will recieve this url you can get the request parameter username and hash, apply the same hash funcion to the username you recived and compare the result to the hash key in the request parameters.
If match, just set the appropiate credentials to the user and log him in
Lets see some code, in your authentication class you should have a function to authenticate a user with the $user and $password parameters. Here or extending this class you can define a funciton like this:
function authenticate($user,$hash-key){
if(hashFunction($user) == $hash-key){
$user->setAuthFunction(true);//sort of
}
}
Hope it helped you!
Not so easy to implement I can tell you but you got to take a look to the UsernamePasswordFormAuthenticationListener::attemptAuthentication method...
Make your own service to atteptAuthentication automaticaly.
Inspired by this message and this code, I wrote a controller that gets the user from the database, verifies the secret key, then fakes a login token as follows:
$providerKey = 'secured_area'; // Name of firewall from security.yml - not sure this is correct.
$token = new UsernamePasswordToken($user, null, $providerKey, array('AUTO_LOGIN'));
$this->container->get('security.context')->setToken($token);
(you need this at the top of your file)
use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
It seems to work, and the user has a role of AUTO_LOGIN so I can easily restrict them from accessing more sensitive stuff until they have logged in with a username and password as normal.