# Authentication & Security
Roxane Guella - Lucas Leperlier
---
## Symfony Security
It is a component that has to be installed:
```
composer require symfony/security-bundle
```
It is already included in the [webapp-pack](https://github.com/symfony/webapp-pack/blob/main/composer.json) template.
---
## User
A dedicated entity tied to permissions:
* implements `UserInterface` (roles, identifier, credential erasure)
* has a unique identifier: the `property` the user provider looks users up by (here the email)
```yaml
# config/packages/security.yaml
security:
    # ...
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
```
---
Hashing Passwords
```php
// src/Entity/User.php
// PasswordAuthenticatedUserInterface exposes getPassword(), which the hasher needs both
// to verify credentials and to detect hashes that must be rehashed.
class User implements UserInterface, PasswordAuthenticatedUserInterface
```
```php
// $passwordHasher is an injected Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface
$user = new User(...);
$plaintextPassword = ...;
// hash the password (algorithm and cost come from the password_hashers entry for the $user class in security.yaml)
$hashedPassword = $passwordHasher->hashPassword($user, $plaintextPassword);
$user->setPassword($hashedPassword);
```
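The two snippets above put together, as an added example (not the deck's own code): a minimal `User` entity implementing both interfaces, plus a service that hashes on registration and re-verifies the current password before a change. It assumes Doctrine ORM, an `App\Repository\UserRepository` class, and the entity provider configured on `email` as shown earlier.

```php
<?php
// Added example, not from the deck. Assumes Doctrine ORM and App\Repository\UserRepository.

// src/Entity/User.php
namespace App\Entity;

use App\Repository\UserRepository;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
use Symfony\Component\Security\Core\User\UserInterface;

#[ORM\Entity(repositoryClass: UserRepository::class)]
#[ORM\Table(name: '`user`')]   // "user" is a reserved word in PostgreSQL
class User implements UserInterface, PasswordAuthenticatedUserInterface
{
    #[ORM\Id, ORM\GeneratedValue, ORM\Column]
    private ?int $id = null;

    #[ORM\Column(length: 180, unique: true)]
    private string $email;

    /** @var list<string> */
    #[ORM\Column]
    private array $roles = [];

    /** Only ever holds the output of UserPasswordHasherInterface::hashPassword(). */
    #[ORM\Column]
    private string $password = '';

    public function __construct(string $email)
    {
        $this->email = $email;
    }

    // Must return the property the user provider looks users up by (`property: email`).
    public function getUserIdentifier(): string
    {
        return $this->email;
    }

    public function getRoles(): array
    {
        $roles = $this->roles;
        $roles[] = 'ROLE_USER';   // every authenticated user gets ROLE_USER
        return array_unique($roles);
    }

    public function getPassword(): string
    {
        return $this->password;
    }

    public function setPassword(string $hashedPassword): void
    {
        $this->password = $hashedPassword;
    }

    public function eraseCredentials(): void
    {
        // Nothing is kept in plaintext; if a transient $plainPassword field exists, null it here.
    }
}

// src/Security/PasswordService.php
namespace App\Security;

use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;

final class PasswordService
{
    public function __construct(
        private UserPasswordHasherInterface $hasher,
        private EntityManagerInterface $em,
    ) {
    }

    public function register(string $email, string $plaintextPassword): User
    {
        $user = new User($email);
        // Algorithm, cost and salt come from `password_hashers` in security.yaml; the
        // resulting hash string is self-describing, so no separate salt column is needed.
        $user->setPassword($this->hasher->hashPassword($user, $plaintextPassword));
        $this->em->persist($user);
        $this->em->flush();

        return $user;
    }

    // Re-verify the current password before replacing it, so a hijacked session alone
    // is not enough to lock the real owner out.
    public function changePassword(User $user, string $current, string $new): bool
    {
        if (!$this->hasher->isPasswordValid($user, $current)) {
            return false;
        }
        $user->setPassword($this->hasher->hashPassword($user, $new));
        $this->em->flush();

        return true;
    }
}
```

`isPasswordValid()` also lets the hasher compare against whatever algorithm the stored hash was produced with, so changing `password_hashers` later does not lock existing users out.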
---
## Firewalls
What is it?
A firewall defines which parts of the application are protected and where (and how) users authenticate. Each firewall is matched against the request path (`pattern`); firewalls are tried in order and the first match handles the request, so a badly ordered list silently changes which rules apply.

---
## Authentication
* Form Login
* JSON Login
* HTTP Basic
* Login Link
* X.509 Client Certificates
* Remote users
* Custom Authenticators
---
#### Form Login
```php
// src/Controller/LoginController.php
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

class LoginController extends AbstractController
{
    // GET renders the form; the POST to the same route (check_path) is intercepted by
    // the form_login authenticator and never reaches this method.
    #[Route('/login', name: 'app_login')]
    public function index(AuthenticationUtils $authenticationUtils): Response
    {
        return $this->render('login/index.html.twig', [
            // last authentication error (if any) and the last username entered
            'error' => $authenticationUtils->getLastAuthenticationError(),
            'last_username' => $authenticationUtils->getLastUsername(),
        ]);
    }
}
```
```yaml
# config/packages/security.yaml
security:
    firewalls:
        main:
            form_login:
                login_path: app_login
                check_path: app_login
```
---
#### JSON login
```yaml
# config/packages/security.yaml
security:
    # ...
    firewalls:
        main:
            # ...
            json_login:
                # api_login is a route we will create below
                check_path: api_login
```
---
1. POST request to /api/login with `username` (this key is used even when the identifier is an email) and `password`:
```json
{
"username": "dunglas@example.com",
"password": "MyPassword"
}
```
2. On success the request reaches the controller behind `check_path`, which returns the identity and a token for later requests:
```json
{
"user": "dunglas@example.com",
"token": "45be42..."
}
```
2.1. If the username or password is wrong, the json_login authenticator itself returns an HTTP 401 Unauthorized JSON response; the controller is never called.
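The token step above is left open by the deck. As an added example (not the deck's or Symfony's own code), here is one concrete way to fill it: the `api_login` controller issues a random opaque token and stores only its hash, and a custom authenticator (the last item of the authentication list) accepts that token as a bearer header on later requests. It assumes a nullable `apiTokenHash` column with a `setApiTokenHash()` setter on `App\Entity\User`, and the usual `App\Repository\UserRepository`.

```php
<?php
// Added example, not the deck's code. Assumes a nullable `apiTokenHash` column on
// App\Entity\User (setApiTokenHash()) and the usual App\Repository\UserRepository.

// src/Controller/ApiLoginController.php
namespace App\Controller;

use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Attribute\Route;   // Symfony 6.4+; older: Routing\Annotation\Route
use Symfony\Component\Security\Http\Attribute\CurrentUser;

class ApiLoginController extends AbstractController
{
    // This is json_login's check_path: the authenticator verifies the JSON credentials
    // before this runs and answers 401 itself on failure, so $user is only null if the
    // route is reached without the json_login firewall in front of it.
    #[Route('/api/login', name: 'api_login', methods: ['POST'])]
    public function index(#[CurrentUser] ?User $user, EntityManagerInterface $em): Response
    {
        if (null === $user) {
            return $this->json(['message' => 'missing credentials'], Response::HTTP_UNAUTHORIZED);
        }

        // Opaque bearer token: 256 bits from the CSPRNG. Only its SHA-256 is persisted,
        // so a database leak does not yield usable tokens. (Add an expiry in production.)
        $token = bin2hex(random_bytes(32));
        $user->setApiTokenHash(hash('sha256', $token));   // assumed setter
        $em->flush();

        return $this->json(['user' => $user->getUserIdentifier(), 'token' => $token]);
    }
}

// src/Security/ApiTokenAuthenticator.php  (register it under the firewall's custom_authenticators)
namespace App\Security;

use App\Repository\UserRepository;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\Exception\CustomUserMessageAuthenticationException;
use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;

class ApiTokenAuthenticator extends AbstractAuthenticator
{
    public function __construct(private UserRepository $users)
    {
    }

    // Only claim requests carrying a bearer token; others stay anonymous (and are then
    // rejected by access_control) instead of failing here with a confusing error.
    public function supports(Request $request): ?bool
    {
        return str_starts_with($request->headers->get('Authorization', ''), 'Bearer ');
    }

    public function authenticate(Request $request): Passport
    {
        $token = substr($request->headers->get('Authorization'), strlen('Bearer '));
        if (!preg_match('/^[0-9a-f]{64}$/', $token)) {
            throw new CustomUserMessageAuthenticationException('Malformed API token.');
        }

        // Look the user up by the token's hash; when the loader returns null, Symfony
        // throws UserNotFoundException and onAuthenticationFailure() runs.
        return new SelfValidatingPassport(new UserBadge(
            hash('sha256', $token),
            fn (string $hash) => $this->users->findOneBy(['apiTokenHash' => $hash]),
        ));
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
    {
        return null;   // continue to the controller
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
    {
        // getMessageKey() is the safe, user-facing message; getMessage() may leak internals.
        $message = strtr($exception->getMessageKey(), $exception->getMessageData());

        return new JsonResponse(['message' => $message], Response::HTTP_UNAUTHORIZED);
    }
}
```

Because the lookup is by hash, the database never holds a value that could be replayed as a bearer token; the same idea is why session identifiers and password-reset tokens are usually stored hashed as well.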
---
## Access control - roles
Users carry roles:
```php
// src/Entity/User.php
public function getRoles(): array
{
    $roles = $this->roles;
    // guarantee every user at least has ROLE_USER
    $roles[] = 'ROLE_USER';
    return array_unique($roles);
}
```
```
---
Hierarchy
Roles inherited through the hierarchy are only seen by `isGranted()` (and `access_control`), never by `$user->getRoles()`, so always check permissions through the security layer rather than by inspecting the roles array.
```yaml
# config/packages/security.yaml
security:
    # ...
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
```
---
Restricting access
```yaml
# config/packages/security.yaml
security:
    # ...
    access_control:
        # rules are matched top to bottom and only the first match applies:
        # allow unauthenticated users to access the login form
        - { path: ^/admin/login, roles: PUBLIC_ACCESS }
        # but require authentication for all other admin routes
        - { path: ^/admin, roles: ROLE_ADMIN }
```
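The firewall, form login, JSON login, hierarchy and access control fragments above, assembled into one configuration. This is an added example written in Symfony's PHP configuration format (the `config/packages/security.php` equivalent of the deck's YAML; `ContainerConfigurator::extension()` takes the same array structure), not the deck's own config. The route names `app_login`, `app_logout` and `api_login`, the `App\Entity\User` class, and the `symfony/rate-limiter` package required by `login_throttling` are assumptions.

```php
<?php
// config/packages/security.php  (added example: PHP form of the deck's YAML fragments;
// assumes routes app_login/app_logout/api_login and symfony/rate-limiter for login_throttling)

use App\Entity\User;
use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;
use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;

return static function (ContainerConfigurator $container): void {
    $container->extension('security', [
        // 'auto' picks the strongest password algorithm available on the platform and
        // keeps verifying hashes produced by older settings.
        'password_hashers' => [
            PasswordAuthenticatedUserInterface::class => 'auto',
        ],
        'providers' => [
            'app_user_provider' => [
                'entity' => ['class' => User::class, 'property' => 'email'],
            ],
        ],
        'firewalls' => [
            // Firewalls are matched top to bottom by `pattern`; the first match wins,
            // so the narrow, unsecured ones must come first.
            'dev' => [
                'pattern' => '^/(_(profiler|wdt)|css|images|js)/',
                'security' => false,
            ],
            // API: no session; credentials via json_login, then a bearer token per request.
            'api' => [
                'pattern' => '^/api/',
                'stateless' => true,
                'provider' => 'app_user_provider',
                'json_login' => ['check_path' => 'api_login'],
                // 'custom_authenticators' => [App\Security\ApiTokenAuthenticator::class], // if you add one
            ],
            // Everything else: session-based form login.
            'main' => [
                'lazy' => true,
                'provider' => 'app_user_provider',
                'form_login' => [
                    'login_path' => 'app_login',
                    'check_path' => 'app_login',
                    'enable_csrf' => true,   // the form must then post a _csrf_token field
                ],
                'logout' => ['path' => 'app_logout'],
                'login_throttling' => ['max_attempts' => 5],   // brute-force limiter
            ],
        ],
        'role_hierarchy' => [
            'ROLE_ADMIN' => ['ROLE_USER'],
            'ROLE_SUPER_ADMIN' => ['ROLE_ADMIN', 'ROLE_ALLOWED_TO_SWITCH'],
        ],
        // Also first-match-wins: order rules from most to least specific, and keep
        // login endpoints public so an unauthenticated user can reach them.
        'access_control' => [
            ['path' => '^/admin/login', 'roles' => 'PUBLIC_ACCESS'],
            ['path' => '^/admin', 'roles' => 'ROLE_ADMIN', 'requires_channel' => 'https'],
            ['path' => '^/api/login', 'roles' => 'PUBLIC_ACCESS'],
            ['path' => '^/api', 'roles' => 'IS_AUTHENTICATED_FULLY'],
        ],
    ]);
};
```

Two things to verify after writing such a file: `bin/console debug:firewall` shows the firewall order Symfony actually uses, and swapping the two `^/admin` rules is enough to lock everyone out of the login page, which is the usual symptom of a mis-ordered `access_control` list.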
---
```php
#[IsGranted('ROLE_ADMIN', statusCode: 423)]
class AdminController extends AbstractController
{
    // ...
}
```
```php
#[IsGranted('ROLE_ADMIN')]
class AdminController extends AbstractController
{
    #[IsGranted('ROLE_SUPER_ADMIN', message: 'You are not allowed to access the admin dashboard.')]
    public function adminDashboard(): Response
    {
        // ...
    }
}
```
---
```twig
{% if is_granted('ROLE_ADMIN') %}
<a href="...">Delete</a>
{% endif %}
```
---
# Demo
---
# Thank you
(any questions?)