keeping aliens at bay with maker + new security 5.2 features #736
Conversation
src/Resources/skeleton/authenticator/Security51LoginFormAuthenticator.tpl.php
Outdated
Show resolved
Hide resolved
|
|
||
| protected function getLoginUrl(Request $request): string | ||
| { | ||
| return $this->urlGenerator->generate(self::LOGIN_ROUTE); |
There was a problem hiding this comment.
I love the use of const but for the router it breaks the discoverability in the IDE (PhpStorm + Plugin Symfony).
Shouldn't we make exceptions for some use cases?
|
@jrushlow TODO:
|
src/Maker/MakeAuthenticator.php
Outdated
| 'user_fully_qualified_class_name' => trim($userClassNameDetails->getFullName(), '\\'), | ||
| 'user_repository_fully_qualified_class_name' => $userRepoFullyQualifiedName, |
There was a problem hiding this comment.
The idea is to use the UserRepository::class created by make:user directly instead of leaning on an EntityManagerInterface instance to get the user as we currently do with the "old" login form authenticator. This of course introduces its own set of challenges if a UserRepository (or whatever the name of the repository is) does not exist. Thoughts on moving in this direction? (The actual implementation of this is incomplete as I have not gracefully handled failover yet)
Granted, I have not taken into account the new features in 5.2 that @wouterj mentioned w/ the lazy user loading at the time of this comment.
There was a problem hiding this comment.
Yea, I would prefer to inject the repository class if there is a custom repository class. But, if we do that, we will need to:
A) Read the Doctrine metadata to see if there is a custom repository (and get its class name if there is one).
B) If there is not one, fallback to using EntityManagerInterface.
Needing to do (B) is kind of annoying... but it also seems aggressive to throw an error if the user doesn't have a custom UserRepository. So, probably we should do it / try it.
There was a problem hiding this comment.
I'm not very sure about the policy of MakerBundle, but wouldn't it be possible to only support the experimental authenticator maker in Symfony 5.2? That would make this logic a lot easier, as this logic is done by the Security system. All that's needed is to pass the username to the password and configure the user provider (as is done in the "legacy" part of the maker).
There was a problem hiding this comment.
@wouterj ya you're correct, thats what im planning on doing for 5.2. But where it gets tricky is in 5.1 - i started working on implementing this way back when and time came hard to come by. So now we're in a situation where <= 5.0 we have the original make:auth, === 5.1 we'll have this implementation as it written now, and in >= 5.2 we'll use those new features. Hopefully >5.3 there wont be any significant changes.. But in the meantime I think this is where we're at with this.
when we merge this the goal is to have make:auth work in all 3 scenerios
There was a problem hiding this comment.
Yeah, I understand (especially the lack of time bit 😉 ).
What I'm wondering is whether the 5.1 scenario should be focused upon. Or if we can skip it and support the original maker in <=5.1 and the new experimental authenticator in 5.2. Given that 5.2 is going to released in just 2 weeks from now, and 5.1 reaching end of life in just 2.5 months from now, is anyone going to use the maker in a Symfony 5.1 project? (open question, this is my first MakerBundle PR review, so I honestly don't know)
There was a problem hiding this comment.
I'm with ya - I am chewing on the idea myself.. I would almost guarantee if we did skip support in 5.1, someone would open an issue in the coming months about it. That aside -
Pro's of skipping 5.1 support:
- easier to maintain in the future
- quicker to get out the door now
Cons:
- Loosing out on the ability to coin
Security51(Pop culture reference to Area 51 here in the states). - Potentially cutting off / alienating a segment of "less experienced" users who are stuck on 5.1 for whatever reason in the future.
- walking back the functionality that I've written to support 5.1 then saying we didn't want to support this functionality because it makes life easier.
That last 2 cons are the biggest things holding me back from coming out and saying yup, lets skip it. But that is not to say I'm not completely against the idea considering it would make life easier going forward.
Curious as to what others think as well.
There was a problem hiding this comment.
Supporting only 5.2 would be very cool for me
src/Resources/skeleton/authenticator/Security51LoginFormAuthenticator.tpl.php
Outdated
Show resolved
Hide resolved
src/Resources/skeleton/authenticator/Security51LoginFormAuthenticator.tpl.php
Outdated
Show resolved
Hide resolved
983980e to
d9c29d8
Compare
| public function supports(Request $request): ?bool | ||
| { | ||
| return self::LOGIN_ROUTE === $request->attributes->get('_route') | ||
| && $request->isMethod('POST'); | ||
| } |
There was a problem hiding this comment.
💡 No review comment, but DX idea: we can make this the default implementation in AbstractFormLoginAuthenticator. If someone needs a different support call, they can always override but this implementation would cover like 80% of all login forms, wouldn't it?
There was a problem hiding this comment.
I like it, to go one step further on that - what if we had security.firewalls.Xmain.login.path = some_route? this would allow us to do away with the constant and make it easier to change the login route for the majority of use cases. Thoughts?
There was a problem hiding this comment.
abstract support added in symfony/symfony#39213
- removed from template
| new UserBadge($userIdentifier), | ||
| new PasswordCredentials($password), | ||
| [ | ||
| new PasswordUpgradeBadge($password), |
There was a problem hiding this comment.
💡 Also no review comment: didn't we decide to automatically upgrade passwords if UserBadge has a password upgrading user provider and PasswordCredentials is given, @weaverryan?
There was a problem hiding this comment.
I just pinged you on this on Slack. I think it IS still required, though maybe it shouldn't be in a perfect world.
There was a problem hiding this comment.
no longer needed symfony/symfony#39213 thanks for that @wouterj
- removed badge in the template
src/Resources/skeleton/authenticator/Security51LoginFormAuthenticator.tpl.php
Outdated
Show resolved
Hide resolved
… + default support() impl in AbstractFormLoginAuthenticator (wouterj) This PR was squashed before being merged into the 5.2 branch. Discussion ---------- [Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in Ab A3D4 stractFormLoginAuthenticator | Q | A | ------------- | --- | Branch? | 5.2 (hopefully? sorry to keep pushing the barrier here) | Bug fix? | no | New feature? | yes (sort of) | Deprecations? | no | Tickets | - | License | MIT | Doc PR | - These are 2 suggestions we found while implementing `make:auth` for the new system (symfony/maker-bundle#736): Impact on a custom login form authenticator ([as generated by the new maker](https://github.com/symfony/maker-bundle/pull/736/files#diff-528164b6c24778d5e81fa3819b0552f0e68a9fea33c7d3446a012f3da7d0af60)): * **Automatically add `PasswordUpgradeBadge`** if there is a user password with valid password credentials. ```diff // ... return new Passport( new UserBadge($userIdentifier), new PasswordCredentials($password), [ - new PasswordUpgradeBadge($password), new CsrfTokenBadge('authenticate', $csrf), ] ) ``` Note that this does not automatically migrate all passwords: it still relies on `PasswordUpgraderInterface` to be implemented on the user loader/provider. * **Add default implementation of `AbstractFormLoginAuthenticator::support()`** ```diff - public function supports(Request $request): ?bool - { - return self::LOGIN_ROUTE === $request->attributes->get('_route') - && $request->isMethod('POST'); - } ``` cc @weaverryan @jrushlow Commits ------- 27450c0 [Security] [DX] Automatically add PasswordUpgradeBadge + default support() impl in AbstractFormLoginAuthenticator
c7c5027 to
596b9ff
Compare
|
coding standards are failing due to unrelated |
src/Resources/skeleton/authenticator/Security51LoginFormAuthenticator.tpl.php
Outdated
Show resolved
Hide resolved
src/Resources/skeleton/authenticator/Security51LoginFormAuthenticator.tpl.php
Outdated
Show resolved
Hide resolved
| $newData['security']['firewalls'][$firewallName] = ['anonymous' => true]; | ||
| } elseif (!isset($newData['security']['firewalls'][$firewallName]) && $useSecurity51) { | ||
| $newData['security']['firewalls'][$firewallName] = ['lazy' => true]; | ||
| } |
There was a problem hiding this comment.
Logically it might read better as:
if (!isset($newData['security']['firewalls'][$firewallName])) {
if ($useSecurity51) {
} else {
}
}Also, it's minor, but I think we were already missing that lazy should be included in ALL firewalls, at least back to Symfony 4.4. And... I guess we should check the version of Symfony to see if lazy exists? Or, we (in a separate PR) could drop support for 3.4 - bump it to 4.4, as 3.4 is no longer supported.
There was a problem hiding this comment.
lazy: true is introduced in 5.1, it used to be anonymous: lazy. If I read correctly, the 4.4 code uses anonymous: true, so is there a specific reason to enable lazy firewalls in 5.2?
7613cf2 to
ea3e16d
Compare
d9b7a29 to
f69fc99
Compare
7a5af49 to
820ee25
Compare
|
Thanks for the hard work Jesse! |
|
Great!!! Thanks @jrushlow and @weaverryan! |
Hello Security51! Allows
make:authto take advantage of the new security features that were introduced. Starting in Symfony5.2when you runmake:authMakerBundle will automatically check if you have set:If so, MakerBundle will generate the required classes to authenticate users leveraging the new Authenticators.
A positive side effect of this PR, all templates can check
$use_typed_propertiesto determine if the host is capable of utilizing typed properties that were introduced in PHP 7.4.e.g. -
Internally, we've added the
PhpCompatUtil::canUseTypedProperties()method that is called anytime a Maker needs to generate a twig template. We then inject$use_typed_propertiesinto all templates so the developer can add typed properties to a generated template without having to worry about a bunch of behind the scenes logic.