Ability to authenticate a User directly #11158


Closed
weaverryan opened this issue Jun 18, 2014 · 21 comments
Labels: DX (Developer eXperience: anything that improves the experience of using Symfony), Security

Comments

@weaverryan (Member)

(this issue is part of the "DX" ("Developer eXperience") initiative introduced by Symfony project)

Normally, we don't authenticate a user directly, the firewall handles all of that. But sometimes, we do! I realize that security is super-customizable (e.g. different token classes, etc), but it's always been a bit crazy that you can't simply - if you want to - log in a user right from a controller (for example). People do this all the time anyway, for example, after registration in FOSUserBundle.

Is it possible to support this? It would also allow people to handle security a bit more themselves if they wanted to, which for simple cases (e.g. traditional username+password login), I don't see an issue (I see authentication as needing to happen via a listener before the controller only for things like API token authentication).

@javiereguiluz (Member)

👍

And hopefully this could also ease the functional tests that require logging the user in.

@stof (Member) commented Jun 18, 2014

See https://github.com/FriendsOfSymfony/FOSUserBundle/blob/master/Security/LoginManager.php for the necessary logic (implemented by @schmittjoh for FOSUserBundle)

@apfelbox (Contributor)

Huge 👍

@hhamon (Contributor) commented Jun 18, 2014

👍

@edwines commented Jun 18, 2014

👍

3 similar comments
@JordanRL

👍

@sirian (Contributor) commented Jun 20, 2014

👍

@Baachi (Contributor) commented Jun 20, 2014

👍

@weaverryan (Member, Author)

I'm happy that everyone likes this - it seems like an easy win! If someone wants to turn this into a PR - using Stof's link above as a guide - that would be awesome! I think we agree that some new service would be handling this.

This is really more of a documentation issue, but are there any risks / warnings we need to give about the fact that the UsernamePasswordToken will be used to authenticate the user?

Thanks!

@patie (Contributor) commented Jun 22, 2014

👍

@adamquaile

Where would this logic go? In security.context, and a helper method in the base controller?

@ruby232 commented Jul 7, 2014

👍

2 similar comments
@mykiwi (Contributor) commented Aug 8, 2014

👍

@sstok (Contributor) commented Aug 9, 2014

👍

@apfelbox (Contributor)

Related to this, it would be nice if there were a way to authenticate a user directly, but also to deauthenticate them.

For example: you have locked a user in your admin area, so you directly want to lock them out.

edit: probably not realizable with the native file session handler

@bkosborne

👍

1 similar comment
@timglabisch

👍

@weaverryan (Member, Author)

Btw, we have a PR for this - #11320 - but it has stalled due to some complex things with remember me service stuff and (for me) really being able to identify if this is a generic enough solution (see comment here: #11320 (comment) - is this an actual problem? If so, why/when? If so, perhaps it's ok to say this is a feature that's only if you're using normal user/pass auth)?

Since the security component is quite technical, I think it needs a push from someone :). I would still like to see this - it just makes sense to have.

@ajgarlag (Contributor)

👍

fabpot added a commit that referenced this issue Sep 24, 2015
…back into security) (weaverryan)

This PR was merged into the 2.8 branch.

Discussion
----------

New Guard Authentication System (e.g. putting the joy back into security)

| Q             | A
| ------------- | ---
| Bug fix?      | no
| New feature?  | yes
| BC breaks?    | no
| Deprecations? | no
| Tests pass?   | yes
| Fixed tickets | at least partially: #14300, #11158, #11451, #10035, #10463, #8606, probably more
| License       | MIT
| Doc PR        | symfony/symfony-docs#5265

Hi guys!

Though it got much easier in 2.4 with `pre_auth`, authentication is a pain in Symfony. This introduces a new authentication provider called guard, with one goal in mind: put everything you need for *any* authentication system into one spot.

### How it works

With guard, you can perform custom authentication just by implementing the [GuardAuthenticatorInterface](https://github.com/weaverryan/symfony/blob/guard/src/Symfony/Component/Security/Guard/GuardAuthenticatorInterface.php) and registering it as a service. It has methods for every part of a custom authentication flow I can think of.

For a working example, see https://github.com/weaverryan/symfony-demo/tree/guard-auth. This uses 2 authenticators simultaneously, creating a system that handles [form login](https://github.com/weaverryan/symfony-demo/blob/guard-auth/src/AppBundle/Security/FormLoginAuthenticator.php) and [api token auth](https://github.com/weaverryan/symfony-demo/blob/guard-auth/src/AppBundle/Security/TokenAuthenticator.php) with a respectable amount of code. The [security.yml](https://github.com/weaverryan/symfony-demo/blob/guard-auth/app/config/security.yml) is also quite simple.

This also supports "manual login" without jumping through hoops: https://github.com/weaverryan/symfony-demo/blob/guard-auth/src/AppBundle/Controller/SecurityController.php#L45

I've also tested with "remember me" and "switch user" - no problems with either.

I hope you like it :).

### What's Needed

1) **Other Use-Cases?**: Please think about the code and try it. What use-cases are we *not* covering? I want Guard to be simple, but cover 99.9% of use-cases.

2) **Remember me** functionality cannot be triggered via manual login. That's true now, and it's not fixed, and it's tricky.

### Deprecations?

This is a new feature, so no deprecations. But, creating a login form with a guard authenticator is a whole heck of a lot easier to understand than `form_login` or even `simple_form`. In a perfect world, we'd either deprecate those or make them use "guard" internally so that we have just **one** way of performing authentication.

Thanks!

Commits
-------

a01ed35 Adding the necessary files so that Guard can be its own installable component
d763134 Removing unnecessary override
e353833 fabbot
dd485f4 Adding a new exception and throwing it when the User changes
302235e Fixing a bug where having an authentication failure would log you out.
396a162 Tweaks thanks to Wouter
c9d9430 Adding logging on this step and switching the order - not for any huge reason
31f9cae Adding a base class to assist with form login authentication
0501761 Allowing for other authenticators to be checked
293c8a1 meaningless author and license changes
81432f9 Adding missing factory registration
7a94994 Thanks again fabbot!
7de05be A few more changes thanks to @iltar
ffdbc66 Splitting the getting of the user and checking credentials into two steps
6edb9e1 Tweaking docblock on interface thanks to @iltar
d693721 Adding periods at the end of exceptions, and changing one class name to LogicException thanks to @iltar
eb158cb Updating interface method per suggestion - makes sense to me, Request is redundant
c73c32e Thanks fabbot!
6c180c7 Adding an edge case - this should not happen anyways
180e2c7 Properly handles "post auth" tokens that have become not authenticated
873ed28 Renaming the tokens to be clear they are "post" and "pre" auth - also adding an interface
a0bceb4 adding Guard tests
05af97c Initial commit (but after some polished work) of the new Guard authentication system
330aa7f Improving phpdoc on AuthenticationEntryPointInterface so people that implement this understand it
@chalasr (Member) commented Nov 5, 2016

I think #19819 might help.

Imho, bypassing the security configuration should not be supported. Instead, I think we can ease its usage and find a compromise in allowing users to be logged in programmatically, but through a working security configuration. Logging in anyone from everywhere on whatever firewall can lead to weird things, imho again.

chalasr self-assigned this Sep 2, 2017
@javiereguiluz (Member)

Closing as fixed by #14673 thanks to the authenticateUserAndHandleSuccess() method: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/Security/Guard/GuardAuthenticatorHandler.php#L87
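What the PR description and the closing comment boil down to, as an added example that is not code from this issue, the linked PR or Symfony itself: one Guard authenticator handles the normal form login (CSRF check, password check, generic failure handling), and a "manual login" after registration reuses that same authenticator through `GuardAuthenticatorHandler::authenticateUserAndHandleSuccess()` on the configured firewall, which is the compromise @chalasr asks for rather than a bypass of the security configuration. It assumes PHP 7 and the Guard component as shipped with Symfony 3.4; the firewall name `main`, the routes `app_login` and `app_homepage`, the CSRF token id `authenticate`, the form field names and every class and function name are assumptions.

```php
<?php
// Added example, not code from the issue, the linked PR or Symfony itself.
// Assumes PHP 7 and the Guard component as shipped with Symfony 3.4, a
// firewall named "main", routes "app_login"/"app_homepage" and the CSRF token
// id "authenticate"; all class, route and form field names are hypothetical.
namespace AppBundle\Security;

use Symfony\Component\HttpFoundation\{RedirectResponse, Request};
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\Exception\{AuthenticationException, BadCredentialsException, InvalidCsrfTokenException};
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Core\User\{UserInterface, UserProviderInterface};
use Symfony\Component\Security\Csrf\{CsrfToken, CsrfTokenManagerInterface};
use Symfony\Component\Security\Guard\{AbstractGuardAuthenticator, GuardAuthenticatorHandler};

class FormLoginAuthenticator extends AbstractGuardAuthenticator
{
    private $router;
    private $encoder;
    private $csrf;

    public function __construct(RouterInterface $router, UserPasswordEncoderInterface $encoder, CsrfTokenManagerInterface $csrf)
    {
        $this->router = $router;
        $this->encoder = $encoder;
        $this->csrf = $csrf;
    }

    // Only a POSTed login form is handled; every other request is left to the
    // next authenticator on the firewall or stays anonymous.
    public function supports(Request $request)
    {
        return 'app_login' === $request->attributes->get('_route') && $request->isMethod('POST');
    }

    public function getCredentials(Request $request)
    {
        $credentials = [
            'username' => (string) $request->request->get('_username', ''),
            'password' => (string) $request->request->get('_password', ''),
            'csrf'     => (string) $request->request->get('_csrf_token', ''),
        ];
        // Keep the attempted username so the form can be re-populated after a failure.
        $request->getSession()->set(Security::LAST_USERNAME, $credentials['username']);
        return $credentials;
    }

    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        // Reject a forged form before the user provider is consulted at all.
        if (!$this->csrf->isTokenValid(new CsrfToken('authenticate', $credentials['csrf']))) {
            throw new InvalidCsrfTokenException();
        }
        // A UsernameNotFoundException from the provider becomes a generic failure.
        return $userProvider->loadUserByUsername($credentials['username']);
    }

    public function checkCredentials($credentials, UserInterface $user)
    {
        // Throw rather than return false so every Guard version treats it as a failure.
        if (!$this->encoder->isPasswordValid($user, $credentials['password'])) {
            throw new BadCredentialsException();
        }
        return true;
    }

    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return new RedirectResponse($this->router->generate('app_homepage'));
    }

    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        // Read back by AuthenticationUtils in the login template; the message stays generic.
        $request->getSession()->set(Security::AUTHENTICATION_ERROR, $exception);
        return new RedirectResponse($this->router->generate('app_login'));
    }

    // Entry point: an anonymous request to a protected page is sent to the form.
    public function start(Request $request, AuthenticationException $authException = null)
    {
        return new RedirectResponse($this->router->generate('app_login'));
    }

    public function supportsRememberMe()
    {
        return true;
    }
}

// "Manual login" after registration (hypothetical helper), called from the
// registration controller once $user has been persisted. The token is created
// by the same authenticator and stored on the same firewall ("main") a normal
// form login would use, so the security configuration is not bypassed; as the
// PR notes, remember-me is not triggered by this path. Returns the response of
// onAuthenticationSuccess(), i.e. the redirect to the homepage.
function loginAfterRegistration(GuardAuthenticatorHandler $handler, FormLoginAuthenticator $authenticator, Request $request, UserInterface $user)
{
    return $handler->authenticateUserAndHandleSuccess($user, $request, $authenticator, 'main');
}
```

The authenticator is registered as a service and listed under the `guard: authenticators:` key of the `main` firewall in `security.yml`; `loginAfterRegistration()` takes the `security.authentication.guard_handler` service plus that same authenticator, so there is exactly one code path that decides which token class ends up in the token storage, which is the concern raised earlier in the thread about using a bare `UsernamePasswordToken` from a controller.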
