1 or 2% of users registering seem to get no confirmation email or they get a bad token appended to the confirmation link in the email. I can't determine why or where this wrong token comes from. It doesn't look like a truncated version of the correct one. It's totally different. Clicking it yields a 404 response.
I am not overriding the RegistrationController.
Could it be the mailer settings?
swiftmailer:
~
spool: { type: memory }
The only other changes I've made were in validation of a few custom fields.
registration:
form:
type: acme_user_registration
validation_groups: [MyRegistration]
confirmation:
enabled: true
Any ideas what's going on?
Thanks.
I found a problem while viewing a confirmation email in outlook.com. I turns out that outlook.com is 'previewing' the link to show some expanded metadata in the email message. This has the side effect of enabling the user and deleting the token. Once the user actually clicks the link, they get a token not found error, but their account is enabled.
Related
I am trying to debug a Resque setup in an (inherited) app, and so I found that there is a route for resque at /hidden/resque that would be nifty to access, but I am unable to access the route. I am wondering what I need to do ... When I try to access that route I get a HTTP 500 due to this error being thrown:
Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException: Full authentication is required to access this resource.
I have tried accessing it both as a web page (after authenticating as an admin role on a different route) and using curl -H 'Authorization: Basic 9339034147964aebec6716c0110311d1' 'https://web.mysite/hidden/resque' -v. No go.
So what constitues "full authentication"? I am already logged in as an admin user on one of the other routes. Would I need to add anything more to the below config? This has not been setup by me, so I would not know if it ever worked.
app/config/routing.yml
ResqueBundle:
resource: "#ResqueBundle/Resources/config/routing.xml"
prefix: /hidden/resque
app/config/security.yml
access_control:
- { path: ^/hidden, roles: ROLE_ADMIN }
According to the docs:
IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.
How can I be "more logged in" than using a cookie? Should I send a basic auth header with username and password base64 encoded?
If you ask for full authentication.
I.E:
/**
* Requiring IS_AUTHENTICATED_FULLY
*
* #IsGranted("IS_AUTHENTICATED_FULLY", message="Nope, no access")
*/
Then when you are logging in with an user, your Authorization Checker must have granted you the IS_AUTHENTICATED_FULLY status in order to have access.
As explained in the docs:
IS_AUTHENTICATED_FULLY: This is similar to IS_AUTHENTICATED_REMEMBERED, but stronger. Users who are logged in only because of a "remember me cookie" will have IS_AUTHENTICATED_REMEMBERED but will not have IS_AUTHENTICATED_FULLY.
You will be completely Authenticated if you manually log in, and not via a cookie. If you are using a command that remembers your credentials, that might be the issue.
Check Doc nº3 to see whether your actual way of entering that route falls inside the IS_REMEMBERED status. Even maybe you end up prefering using the less restrictive IS_AUTHENTICATED_REMEMBERED
Check the different documentations here:
https://symfony.com/doc/3.4/security.html#checking-to-see-if-a-user-is-logged-in-is-authenticated-fully
https://symfony.com/doc/3.4/security.html#learn-more
https://symfony.com/doc/3.4/security/remember_me.html
https://symfony.com/doc/3.4/components/security/authorization.html#authorization-checker
https://github.com/symfony/symfony/blob/3.4/src/Symfony/Component/Security/Core/Authorization/AuthorizationChecker.php
I'm using the FosUserBundle in order to reset a password by sending an e-mail and a confirmation token.
I configure the retry_ttl and token_ttl in config.yml to set the duration of the token.
fos_user:
...
resetting:
retry_ttl: 60 # Value in seconds, logic will use as hours
token_ttl: 86400
These parameters work well. But i want to add a paramter that check if a token is already used or not. I mean if the user has already clicked on the confirm e-mail, the token will be available one and only one time. Then it will be destroyed.
How may I process ?
Thank you for your replies.
It's already the case with fos user bundle...
Confirmation token + password requested at fields are set to null when the reset of the password is completely done.
PS: copy/pasted comment as an answer for future visibility
I'm trying to setup my Google Identity Toolkit so users can reset their passwords. I'm following the documentation here: https://developers.google.com/identity/toolkit/web/required-endpoints#send_email_url
I'm using the PHP Gitkit Client outlined here: https://github.com/google/identity-toolkit-php-client/blob/master/src/GitkitClient.php
Specifically the function getOobResults() on line 307 seems to be unhappy for some reason. Here's where I'm at:
User sets up account and logs in successfully
User then logs out and starts to log back in, enters email in and clicks "Forgot password"
reCaptcha is shown, click check box and then hit continue
At this point my 'Send Email URL' endpoint (gitkitEmail.php) is successfully called and the following POST is set to it (dropping the full '&response' param since it goes on for a while):
action=resetPassword&email=xodfebefa%40nada.ltd&challenge&response=03ACgFB9tGlNt2KAGhrVY....
I then take that string and parse it using parse_str(); since getOobResults() is looking for an array. However, response I get back is always:
{
"response_body": {
"error": "CAPTCHA_CHECK_FAILED"
}
}
I searched around but can't find any details on this error. Any help would be appreciated. I don't have a reCaptcha setup anywhere on my site, unsure if this is expecting me to do that and that's why it's failing? Also, I did bump all my code to a production environment and got the same error there as I did on my localhost.
I have a simple form to login and reminder password, I overwrite the FOSUser template and everything works fine, but when I want to email the password reminder I do not get it to the mail.
This looks like a swiftmailer and fos configuration in config.yml:
swiftmailer:
transport: '%mailer_transport%'
host: '%mailer_host%'
username: '%mailer_user%'
password: '%mailer_password%'
spool: { type: memory }
fos_user:
db_driver: orm
firewall_name: main
user_class: AirblogBundle\Entity\User
from_email:
address: "admin#admin.com"
sender_name: "Admin"
resetting:
email:
from_email:
address: noreply#yoursite.com
sender_name: No Reply
token_ttl: 0
After sending the email from the resetting/request path, I get the following information:
An email has been sent to ...#wp.pl. It contains a link you must click to reset your password.
Which seems correct because the address entered in the form has the same ending, but my mailbox does not receive any message.
ps: One more question, how to simply overwrite the Twig template, so the login and reminder of the hymn was on one page? Do you need to overwrite the controller?
Did you configure the needed parameters of SwiftMailerBundle well ?
First of all I suggest you to use Symfony's command to check your swift mailer configuration.
Specify the good arguments to send you a debug mail with reading the help command
php app/console swiftmailer:email:send --help
You should receive a mail on the email address you wrote in command.
After this step you can assume that your mail configuration is good
Reset your forget password request
One important (in the version installed on my project, composer requirement ~2.0) thing to know that is FOSUserBundle don't resend mail if you didn't click on the previous reset link sended BUT he display to you the message that he sended the mail.
If you want to "reset" your password request for a specific user
UPDATE user SET confirmation_token = NULL, password_requested_at = NULL WHERE username = "yourdebugusername"
Extending FOSUserBundle Twig templates
You should read this documentation
Basically you can override all the FOSUserTemplate under vendor/friendsofsymfony/user-bundle/Resources/views
I hope it's help !
For overriding FOSUser twig template looks the Symfony Doc
I am using sfDoctrineGuard 5.x and I have configured my module credentials in security.yml like this:
all:
is_secure: true
credentials: [ admin ]
and my app/backend/config/security.yml:
default:
is_secure: true
I have tested using:
$this->getUser()->hasPermission('vendor'): returned true
$this->getUser()->hasPermission('admin'): returned false
so I guess the users are inheriting credentials right. But still users with other credentials can access the module!
I have 3 types of group admin, client and vendor and similar permissions: admin, client and vendor!
And users having 'client' or 'vendor' credentials can access the module ignoring the credentials defined in the security.yml after login !
What could be the problem? Can anyone give me some direction?
oh, I am using sfForkedApplyPlugin for registration and profile editing process, which I don't think causing the issue, as I am testing with predefined fixture data.
I figured out the problem just now!
It was the *is_super_admin* field in *sf_guard_user* table which was set to 1 for all my dummy users in fixture.yml :) !
That's why every users were getting access to all modules bypassing the credentials!