Guard Authentication: Powerful, Beautiful Security

Guard Authentication: Powerful, Beautiful Security

by your friend:

Ryan Weaver @weaverryan

KnpUniversity.comgithub.com/weaverryan

Who is this guy?

> Lead for the Symfony documentation

> KnpLabs US - Symfony Consulting, training & general Kumbaya

> Writer for KnpUniversity.com Tutorials

> Husband of the much more talented @leannapelham

http://www.github.com/weaverryan

http://KnpUniversity.com

Introducing…

@weaverryan

sfGuardPlugin!

@weaverryan

What’s the hardestpart of Symfony?

@weaverryan

Authentication

Who are you?

@weaverryan

Authorization

Do you have access to do X?

@weaverryan

VOTERS!

@weaverryan

Authenticationin Symfony sucks

@weaverryan

1) Grab information from the request

@weaverryan

2) Load a User

@weaverryan

3) Validate if the credentials are valid

@weaverryan

4) authentication success…now what?

@weaverryan

5) authentication failure …dang, now what?!

@weaverryan

6) How do we “ask” the user to login?

@weaverryan

6 Steps

5 Different Classes

@weaverryan

security: firewalls: main: anonymous: ~ logout: ~ form_login: ~ http_basic: ~ some_invented_system_i_created: ~

Each activates a system of these 5 classes

@weaverryan

On Guard!

@weaverryan

interface GuardAuthenticatorInterface{ public function getCredentials(Request $request); public function getUser($credentials, $userProvider); public function checkCredentials($credentials, UserInterface $user); public function onAuthenticationFailure(Request $request); public function onAuthenticationSuccess(Request $request, $token);

public function start(Request $request); public function supportsRememberMe();}

@weaverryan

Bad News…

@weaverryan

It’s getting coal for Christmas!

You still have to do work (sorry Laravel people)

@weaverryan

But it will be simple

@weaverryan

https://github.com/knpuniversity/guard-presentation

You need a User class

(This has nothing todo with Guard)

@weaverryan

@weaverryan

use Symfony\Component\Security\Core\User\UserInterface; class User implements UserInterface{ }

class User implements UserInterface{ private $username; public function __construct($username) { $this->username = $username; } public function getUsername() { return $this->username; } public function getRoles() { return ['ROLE_USER']; } // …}

a unique identifier(not really used anywhere)

@weaverryan

class User implements UserInterface{ // … public function getPassword() { } public function getSalt() { } public function eraseCredentials() { }}

These are only used for users thathave an encoded password

The Hardest Example Ever:

Form Login

@weaverryan

A traditional login form setup

@weaverryan

class SecurityController extends Controller{ /** * @Route("/login", name="security_login") */ public function loginAction() { return $this->render('security/login.html.twig'); } /** * @Route("/login_check", name="login_check") */ public function loginCheckAction() { // will never be executed } }

<form action="{{ path('login_check') }}” method="post"> <div> <label for="username">Username</label> <input name="_username" /> </div> <div> <label for="password">Password:</label> <input type="password" name="_password" /> </div> <button type="submit">Login</button> </form>

Let’s create an authenticator!

@weaverryan

class FormLoginAuthenticator extends AbstractGuardAuthenticator{ public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { }}

public function getCredentials(Request $request) { if ($request->getPathInfo() != '/login_check') { return; } return [ 'username' => $request->request->get('_username'), 'password' => $request->request->get('_password'), ];}

Grab the “login” credentials!

@weaverryan

public function getUser($credentials, UserProviderInterface $userProvider) { $username = $credentials['username']; $user = new User(); $user->setUsername($username); return $user; }

Create/Load that User!

@weaverryan

public function checkCredentials($credentials, UserInterface $user) { $password = $credentials['password']; if ($password == 'santa' || $password == 'elves') { return; } return true;}

Are the credentials correct?

@weaverryan

public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { $url = $this->router->generate('security_login'); return new RedirectResponse($url);}

Crap! Auth failed! Now what!?

@weaverryan

public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { $url = $this->router->generate('homepage'); return new RedirectResponse($url);}

Amazing. Auth worked. Now what?

@weaverryan

public function start(Request $request) { $url = $this->router->generate('security_login'); return new RedirectResponse($url); }

Anonymous user went to /adminnow what?

@weaverryan

Register as a service

services: form_login_authenticator: class: AppBundle\Security\FormLoginAuthenticator arguments: [‘@router’]

@weaverryan

Activate in your firewall

security: firewalls: main: anonymous: ~ logout: ~ guard: authenticators: - form_login_authenticator

@weaverryan

AbstractFormLoginAuthenticator

Free login form authenticator code

@weaverryan

User Providers


@weaverryan

Every App has a User class

@weaverryan

And the Christmas spirit

Each User Class Needs 1 User Provider

@weaverryan

class FestiveUserProvider implements UserProviderInterface{ public function loadUserByUsername($username) { // "load" the user - e.g. load from the db $user = new User(); $user->setUsername($username); return $user; } public function refreshUser(UserInterface $user) { return $user; } public function supportsClass($class) { return $class == 'AppBundle\Entity\User'; }}

services: festive_user_provider: class: AppBundle\Security\FestiveUserProvider

@weaverryan

security: providers: elves: id: festive_user_provider firewalls: main: anonymous: ~ logout: ~ # this is optional as there is only 1 provider provider: elves guard: authenticators: [form_login_authenticator]

Boom!

Optional Boom!


But why!?


refresh from the session


switch_user, remember_me

Slightly more wonderful:

Loading a User from the Database

@weaverryan

class FestiveUserProvider implements UserProviderInterface{ public function loadUserByUsername($username) { $user = $this->em->getRepository('AppBundle:User') ->findOneBy(['username' => $username]); if (!$user) { throw new UsernameNotFoundException(); } return $user; } }

@weaverryan

(of course, the “entity” user provider does this automatically)

public function getUser($credentials, UserProviderInterface $userProvider) { $username = $credentials['username']; //return $userProvider->loadUserByUsername($username); return $this->em ->getRepository('AppBundle:User') ->findOneBy(['username' => $username]);}

FormLoginAuthenticator

you can use this if you want to… or don’t!

Easiest Example ever:

Api Token Authentication

@weaverryan

Jolliest

1) Client sends a token on an X-API-TOKEN header

2) We load a User associated with that token

class User implements UserInterface{ /** * @ORM\Column(type="string") */ private $apiToken; // ...}

class ApiTokenAuthenticator extends AbstractGuardAuthenticator{ public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { }}

public function getCredentials(Request $request) { return $request->headers->get('X-API-TOKEN'); }

@weaverryan

public function getUser($credentials, UserProviderInterface $userProvider) { $apiToken = $credentials; return $this->em ->getRepository('AppBundle:User') ->findOneBy(['apiToken' => $apiToken]);}

@weaverryan

OR

If you use JWT, get the payload from the token and load the User from it

@weaverryan

public function checkCredentials($credentials, UserInterface $user) { // no credentials to check return true; }

@weaverryan

public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { return new JsonResponse([ 'message' => $exception->getMessageKey() ], 401); }

@weaverryan

public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey) { // let the request continue to the controller return; }

@weaverryan

Register as a service

services: api_token_authenticator: class: AppBundle\Security\ApiTokenAuthenticator arguments: - '@doctrine.orm.entity_manager'

@weaverryan

Activate in your firewallsecurity: # ... firewalls: main: # ... guard: authenticators: - form_login_authenticator - api_token_authenticator entry_point: form_login_authenticator

which “start” method should be called

curl http://localhost:8000/secure

<!DOCTYPE html><html> <head> <meta charset="UTF-8" /> <meta http-equiv="refresh" content="1;url=/login" />

<title>Redirecting to /login</title> </head> <body> Redirecting to <a href="/login">/login</a>. </body></html>

@weaverryan

curl \--header "X-API-TOKEN: BAD" \http://localhost:8000/secure

{"message":"Username could not be found."}

@weaverryan

http://localhost:8000/secure

curl \--header "X-API-TOKEN: GOOD" \http://localhost:8000/secure

{"message":"Hello from the secureAction!"}

@weaverryan

http://localhost:8000/secure

Social Login!

@weaverryan

!

AUTHENTICATOR

/facebook/check?code=abc

give me user info!

load a User object

" User

!

composer require league/oauth2-facebook

@weaverryan

@weaverryan

services: app.facebook_provider: class: League\OAuth2\Client\Provider\Facebook arguments: - clientId: %facebook_app_id% clientSecret: %facebook_app_secret% graphApiVersion: v2.3 redirectUri: "..."

@=service('router').generate('connect_facebook_check', {}, true)

@weaverryan

public function connectFacebookAction() { // redirect to Facebook $facebookOAuthProvider = $this->get('app.facebook_provider'); $url = $facebookOAuthProvider->getAuthorizationUrl([ // these are actually the default scopes 'scopes' => ['public_profile', 'email'], ]); return $this->redirect($url); } /** * @Route("/connect/facebook-check", name="connect_facebook_check") */public function connectFacebookActionCheck() { // will not be reached!}

class FacebookAuthenticator extends AbstractGuardAuthenticator{ public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { } public function onAuthenticationFailure(Request $request) { } public function onAuthenticationSuccess(Request $request, TokenInterface $token) { } public function start(Request $request, AuthenticationException $e = null) { } public function supportsRememberMe() { }}

public function getCredentials(Request $request) { if ($request->getPathInfo() != '/connect/facebook-check') { return; } return $request->query->get('code'); }

@weaverryan

public function getUser($credentials, …){ $authorizationCode = $credentials; $facebookProvider = $this->container->get('app.facebook_provider'); $accessToken = $facebookProvider->getAccessToken( 'authorization_code', ['code' => $authorizationCode] ); /** @var FacebookUser $facebookUser */ $facebookUser = $facebookProvider->getResourceOwner($accessToken); // ...}

@weaverryan

Now, have some hot chocolate!

@weaverryan

public function getUser($credentials, …) { // ... /** @var FacebookUser $facebookUser */ $facebookUser = $facebookProvider->getResourceOwner($accessToken); // ... $em = $this->container->get('doctrine')->getManager(); // 1) have they logged in with Facebook before? Easy! $user = $em->getRepository('AppBundle:User') ->findOneBy(array('email' => $facebookUser->getEmail())); if ($user) { return $user; } // ...}

@weaverryan

public function getUser($credentials, ...){ // ... // 2) no user? Perhaps you just want to create one // (or redirect to a registration) $user = new User(); $user->setUsername($facebookUser->getName()); $user->setEmail($facebookUser->getEmail()); $em->persist($user); $em->flush();

return $user; }

@weaverryan

public function checkCredentials($credentials, UserInterface $user) { // nothing to do here!} public function onAuthenticationFailure(Request $request ...){ // redirect to login} public function onAuthenticationSuccess(Request $request ...){ // redirect to homepage / last page}

@weaverryan

Extra Treats(no coal)

@weaverryan

Can I control the error message?

@weaverryan

@weaverryan

If authentication failed, it is becausean AuthenticationException(or sub-class) was thrown


public function onAuthenticationFailure(Request $request, AuthenticationException $exception) { return new JsonResponse([ 'message' => $exception->getMessageKey() ], 401); }

@weaverryan

Christmas miracle! The exception is passedwhen authentication fails

AuthenticationException has a hardcodedgetMessageKey() “safe” string

Invalid credentials.

public function getCredentials(Request $request) { } public function getUser($credentials, UserProviderInterface $userProvider) { } public function checkCredentials($credentials, UserInterface $user) { }

Throw an AuthenticationException at anytime in these 3 methods

How can I customize the message?

@weaverryan

Create a new sub-class of AuthenticationException for each message

and override getMessageKey()

CustomUserMessageAuthenticationException

@weaverryan

public function getUser($credentials, ...){ $apiToken = $credentials; $user = $this->em ->getRepository('AppBundle:User') ->findOneBy(['apiToken' => $apiToken]); if (!$user) { throw new CustomUserMessageAuthenticationException( 'That API token is not very jolly' ); } return $user; }

@weaverryan

I need to manually authenticate my user

@weaverryan

public function registerAction(Request $request) { $user = new User(); $form = // ... if ($form->isValid()) { // save the user $guardHandler = $this->container ->get('security.authentication.guard_handler'); $guardHandler->authenticateUserAndHandleSuccess( $user, $request, $this->get('form_login_authenticator'), 'main' // the name of your firewall ); // redirect } // ...}

I want to save a lastLoggedInAt

field on my user no matter *how* they login

@weaverryan

Chill… that was already possible

SecurityEvents::INTERACTIVE_LOGIN

@weaverryan

class LastLoginSubscriber implements EventSubscriberInterface{ public function onInteractiveLogin(InteractiveLoginEvent $event) { /** @var User $user */ $user = $event->getAuthenticationToken()->getUser(); $user->setLastLoginTime(new \DateTime()); $this->em->persist($user); $this->em->flush($user); } public static function getSubscribedEvents() { return [ SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin' ]; }}

@weaverryan

All of these featuresare available now!

@weaverryan

Thanks 2.8!

KnpUGuardBundle

@weaverryan

For those on 2.7

knpuniversity.com/guard

@weaverryan

Ok, what just happened?

1. User implements UserInterface

@weaverryan

2. UserProvider

@weaverryan

3. Create your authenticator(s)

@weaverryan

Authentication#

@weaverryan

@weaverryan

PHP & Symfony Video Tutorials KnpUniversity.com

Thank You!

Guard Authentication: Powerful, Beautiful Security

Software

Transcript of Guard Authentication: Powerful, Beautiful Security