Chapters

37 Chapters | 3:43:31 |

01

¿Documentos API en producción?

8:22
02

¿Token API? ¿Cookies de sesión?

8:07
03

Formulario de inicio de sesión API con json_login

5:36
04

Manejo de errores de autenticación

3:47
05

En Autenticación correcta

6:03
06

Cerrar sesión y pasar datos de la API a JavaScript

5:45
07

Pasar valores a Stimulus

4:32
08

Tipos de token y la entidad ApiToken

5:59
09

Generar el token de la API y los accesorios

5:58
10

Autenticador de token de acceso

8:56
11

Personalizar los documentos de OpenAPI

7:31
12

Ámbitos de los tokens de la API

5:51
13

Denegar el acceso con la opción "seguridad

7:11
14

Poner en marcha un sistema de pruebas asesino

8:18
15

Aserciones de la prueba JSON y siembra de la base de datos

3:41
16

Aserciones de prueba JSON avanzadas y flexibles

4:04
17

Probar la autenticación

4:59
18

Personalizar el navegador globalmente

3:50
19

Probar la autenticación por token

3:24
20

Nuevo comportamiento PUT

4:46
21

Permitir editar sólo a los propietarios

7:49
22

Permitir que los usuarios administradores editen cualquier tesoro

4:11
23

Votante de seguridad

6:13
24

Campos condicionales por usuario: ApiProperty

5:13
25

Prueba de Usuario + Contraseña Simple

4:21
26

Procesadores de Estado: Hashing de la contraseña de usuario

6:55
27

Grupos de validación y formatos de parche

8:01
28

Grupos Dinámicos: Creador de Contextos

8:26
29

Normalizador personalizado

5:08
30

Decoración del normalizador y "Normalizer Aware" (consciente del normalizador)

6:29
31

Campos totalmente personalizados

3:24
32

Validador personalizado

7:58
33

Validar cómo cambian los valores

8:30
34

Configuración automática del "propietario

4:19
35

Extensión de consulta: Autofiltrar una colección

6:15
36

404 En Artículos No Publicados

8:00
37

Filtrar la colección de relaciones

5:39

> APIs > API Platform 3: Seguridad para tus tesoros

Buy Access to Course

08.

Tipos de token y la entidad ApiToken

Autoplay

Previous Chapter

Next Chapter

Vale, ¿y si necesitas permitir el acceso programático a tu API?

Tipos de tokens de acceso

Cuando hablas con una API mediante código, envías un token de API, comúnmente conocido como token de acceso:

fetch('/api/kittens', {
    headers: {
        'Authorization': 'Bearer THE-ACCESS-TOKEN',
    }
});

La forma exacta de obtener ese token varía. Pero hay dos casos principales.

En primer lugar, como usuario del sitio, como un dragón, quieres generar un token de API para poder utilizarlo personalmente en un script que estés escribiendo. Esto es como un token de acceso personal de GitHub. Estos se crean literalmente a través de una interfaz web. Vamos a mostrar esto.

El segundo caso de uso principal es cuando un tercero quiere hacer peticiones a tu API en nombre de un usuario de tu sistema. Por ejemplo, un nuevo sitio llamadoDragonTreasureOrganizer.com quiere hacer una petición a nuestra API en nombre de algunos de nuestros usuarios, por ejemplo, buscar los tesoros de un usuario y mostrarlos artísticamente en su sitio. En esta situación, en lugar de que nuestros usuarios generen tokens manualmente y luego... como... los introduzcan en ese sitio, ofrecerás OAuth. OAuth es básicamente un mecanismo para que los usuarios normales den de forma segura tokens de acceso para su cuenta a un tercero. Y así, tu sitio, o en algún lugar de tu infraestructura tendrás un servidor OAuth.

Eso está fuera del alcance de este tutorial. Pero lo importante es que, una vez hecho el OAuth, el cliente de la API acabará con, lo has adivinado, ¡un token de API! Así que no importa en qué viaje estés, si estás haciendo acceso programático, tus usuarios de la API terminarán con un token de acceso. Y tu trabajo consistirá en leerlo y comprenderlo. Haremos exactamente eso.

¿JWT vs Almacenamiento en Base de Datos?

Como he mencionado, vamos a mostrar un sistema que permite a los usuarios generar sus propios tokens de acceso. ¿Cómo lo hacemos? De nuevo, hay dos formas principales. ¡Muerte por elección!

La primera es generar algo llamado Token Web JSON o JWT. Lo bueno de los JWT es que no necesitan almacenamiento en bases de datos. Son cadenas especiales que en realidad contienen información en su interior. Por ejemplo, puedes crear una cadena JWT que incluya el id de usuario y algunos ámbitos.

Uno de los inconvenientes de los JWT es que no hay una forma fácil de "cerrar sesión"... porque no hay una forma automática de invalidar los JWT. Les das una fecha de caducidad cuando los creas... pero entonces son válidos hasta entonces... pase lo que pase, a menos que añadas alguna complejidad extra... lo que anula un poco el propósito.

Los JWT están de moda, son populares y divertidos Pero... puede que no los necesites. Son geniales cuando tienes un sistema de inicio de sesión único porque, si ese JWT se utiliza para autenticarse con varios sistemas o API, cada API puede validar el JWT por sí misma: sin necesidad de hacer una petición de API a un sistema central de autenticación.

Así que es posible que acabes utilizando JWT, para lo que existe un bundle estupendo llamado LexikJWTAuthenticationBundle. Los JWT son también el tipo de token de acceso que al final te da OpenID.

En lugar de los JWT, la segunda opción principal es muy sencilla: generar una cadena de token aleatoria y almacenarla en la base de datos. Esto también te permite invalidar los tokens de acceso... ¡simplemente borrándolos! Esto es lo que haremos.

Generar la entidad

Así que manos a la obra. Para almacenar los tokens de la API, ¡necesitamos una nueva entidad! Busca tu terminal y ejecuta:

php ./bin/console make:entity

Y llamémosla ApiToken. En teoría, podrías permitir a los usuarios autenticarse a través de un formulario de inicio de sesión o HTTP básico y luego enviar una petición POST para crear tokens de API si quieres... pero no lo haremos.

Añade una propiedad ownedBy. Esto va a ser un ManyToOne a User y no nullable. Y diré "sí" a la inversa. Así que la idea es que cada Userpueda tener muchos tokens de API. Cuando se utiliza un token de API, queremos saber con qué Userestá relacionado. Lo utilizaremos durante la autenticación. Llamar a la propiedadapiTokens está bien y decir no a la eliminación de huérfanos. Siguiente propiedad: expiresAt datetime_immutable y diré que sí a nullable. Tal vez permitamos que los tokens no caduquen nunca dejando este campo en blanco. La siguiente es token, que será una cadena. Voy a establecer la longitud en 68 -veremos por qué en un minuto- y no ennullable. Y por último, añade una propiedad scopes como tipo json. Esto va a ser bastante guay: almacenaremos una matriz de "permisos" que debe tener este token de API. En este caso, tampoco nullable. Pulsa intro para terminar.

Muy bien, gira a tu editor. Sin sorpresas: eso ha creado una entidad ApiToken... y no hay nada muy interesante dentro de ella:

            Copy Code

                            Show All Lines

                        82 lines
            |
            src/Entity/ApiToken.php
        
                Show Lines

                                                    // ... lines 1 - 2
                            
            namespace App\Entity;
        
            use App\Repository\ApiTokenRepository;
        
            use Doctrine\ORM\Mapping as ORM;
        
            #[ORM\Entity(repositoryClass: ApiTokenRepository::class)]
        
            class ApiToken
        
            {
        
                #[ORM\Id]
        
                #[ORM\GeneratedValue]
        
                #[ORM\Column]
        
                private ?int $id = null;
        
                #[ORM\ManyToOne(inversedBy: 'apiTokens')]
        
                #[ORM\JoinColumn(nullable: false)]
        
                private ?User $ownedBy = null;
        
                #[ORM\Column(nullable: true)]
        
                private ?\DateTimeImmutable $expiresAt = null;
        
                #[ORM\Column(length: 68)]
        
                private string $token = null;
        
                #[ORM\Column]
        
                private array $scopes = [];
        
                Show Lines

                                                    // ... lines 28 - 80
                            
            }

Así que vamos a hacer la migración correspondiente:

symfony console make:migration

Gira y echa un vistazo a ese archivo para asegurarte de que se ve bien. ¡Sí! Crea la tabla api_token:

            Copy Code

                            Show All Lines

                        39 lines
            |
            migrations/Version20230209183006.php
        
                Show Lines

                                                    // ... lines 1 - 12
                            
            final class Version20230209183006 extends AbstractMigration
        
            {
        
                public function getDescription(): string
        
                {
        
                    return '';
        
                }
        
                public function up(Schema $schema): void
        
                {
        
                    // this up() migration is auto-generated, please modify it to your needs
        
                    $this->addSql('CREATE SEQUENCE api_token_id_seq INCREMENT BY 1 MINVALUE 1 START 1');
        
                    $this->addSql('CREATE TABLE api_token (id INT NOT NULL, owned_by_id INT NOT NULL, expires_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, token VARCHAR(68) NOT NULL, scopes JSON NOT NULL, PRIMARY KEY(id))');
        
                    $this->addSql('CREATE INDEX IDX_7BA2F5EB5E70BCD7 ON api_token (owned_by_id)');
        
                    $this->addSql('COMMENT ON COLUMN api_token.expires_at IS \'(DC2Type:datetime_immutable)\'');
        
                    $this->addSql('ALTER TABLE api_token ADD CONSTRAINT FK_7BA2F5EB5E70BCD7 FOREIGN KEY (owned_by_id) REFERENCES "user" (id) NOT DEFERRABLE INITIALLY IMMEDIATE');
        
                }
        
                public function down(Schema $schema): void
        
                {
        
                    // this down() migration is auto-generated, please modify it to your needs
        
                    $this->addSql('CREATE SCHEMA public');
        
                    $this->addSql('DROP SEQUENCE api_token_id_seq CASCADE');
        
                    $this->addSql('ALTER TABLE api_token DROP CONSTRAINT FK_7BA2F5EB5E70BCD7');
        
                    $this->addSql('DROP TABLE api_token');
        
                }
        
            }

Ejecuta eso con:

symfony console doctrine:migrations:migrate

Y... ¡genial! A continuación: vamos a añadir una forma de generar la cadena de tokens aleatorios. Luego, hablaremos de ámbitos y cargaremos nuestros accesorios con algunos tokens de la API.

12 Comments

Sort By

MatthiasN 2 years ago edited HIGHLIGHTED

I understand that one can always argue that things here are meant as examples. But I suppose that people actually implement things as you show here. The problem is that this way of storing API tokens is basically the same as storing passwords in clear text.

While this is an easy solution for demonstration, I strongly suggest to not do it this way on a production system.

It would be better to generate an access token consisting of two parts:

An identifier (either a random string to identify the user or maybe simply the token ID)
A random string (secret) that is hashed using the password hasher.

You would then need to store that hashed secret in the token entity as well of course.

For example, connect the parts with a dot so that it is easy to parse the token.
You can then fetch the token from the database using the identifier and do a „password verification“ using the secret.

I think it is not too complicated to add this. But way more secure.

Of course you need to tell the user that they must immediately save the token somewhere because you can not show it to the user again for security (and because you don’t know the secret in clear text anymore). But I saw this already on other services. So it should be fine.

Or maybe use something like a url signer (which is probably faster).
But however.. do not save API tokens in clear text.

1 | Reply |

weaverryan SFCASTS MatthiasN 2 years ago edited

Hey @MatthiasN!

I think this is really good advice. My intention was to show people that "you can just store tokens in the database". And while that's true (just like how you can "store passwords in a database"), in both cases it shouldn't mean storing in plaintext. So yes, this is definitely a better idea.

Anyway, thank you for posting this - good advice! I'll also add a note to the tutorial about it.

Oh, and let me add some more technical details here to help people, building on what you said:

It would be better to generate an access token consisting of two parts:

An identifier (either a random string to identify the user or maybe simply the token ID)

A random string (secret) that is hashed using the password hasher.

So, for example, you'd generate 2 random strings, separated by a .. This full string would be the API key that you show to the user.
But then, you store the first part (the "locator" or "identifier") in the database on a locator key of ApiToken. Then you store the second part (the secret) on another property of ApiToken - but HASH it first. For example, here is how we generate the random locator and hash the secret in the ResetPasswordBundle - https://github.com/SymfonyCasts/reset-password-bundle/blob/main/src/Generator/ResetPasswordTokenGenerator.php#L52-L65

Then, when verify if a token is valid, you split the token on . to get the first and second part. You then query for the ApiToken via the first part (the locator). If found, you has the 2nd part that was just sent you to you and see if it equals the hashed secret on the ApiToken you just found using hash_equals - e.g. https://github.com/SymfonyCasts/reset-password-bundle/blob/3e0bb051a514459a3c63a5064be40208e4f34783/src/ResetPasswordHelper.php#L126

If anyone has any questions, let me know :)

Cheers!

4 | Reply |

Marko 2 years ago edited

Hello!

Is it possible to have 2 types of tokens in the same app, in API Platform 3 :

a jwt token for the users: this is a 'user specific' token. A user gets a jwt token from the server after successful authentication with his email and password.
an 'api token' that would be used by some cron jobs. This api token would be a way to authenticate the cron job. This token would be a 'company' specific token, not a user token, as the cron job is run for a company not for a user. The api token would be either in the URL of the end point (a string), either (better) in the headers of the request run by the cron job. And basically the api token would not change over time: it is a string, specific to a company, and it never expires, so no need for any refresh token.

So can we have simultaneously 2 differents mechanisms of authentication in the same app : classical jwt/refresh token for the users and api tokens for cron jobs (one api token per company) ?

Thanks!

| Reply |

weaverryan SFCASTS Marko 2 years ago

Hey @Marko!

Sure, I think you could definitely do this :). The easy part is creating the 2 tokens. You can make a JWT after the user authenticates successfully. And you could, for example, add an apiToken property to some Company entity and allow an admin for a Company to see this in some area on your site (where they could then copy and paste this for their CRON jobs).

The trickier part is consuming the tokens, well, maybe not SO tricky I hope :). You could have one authenticator that handles the JWT. This is your normal situation. Then, you could create a 2nd custom authenticator that handles your company token. If these tokens are sent in different ways (e.g. Authorization header for JWT vs some other header for company token), that'll make your job a little easier because each authenticator can figure out "is this a token I should authenticate or is it the other type?". But you could also accomplish this by giving each token some prefix - e.g. company_ - and using that.

Anyway, I think the truly tricky part is this: when using a JWT, you are authenticating as a User. So, a User object is what you would return from your authenticator... and then anywhere in your code where you say $this->getUser(), it would be a User object. But for the company token, your authenticator would return a Company, and when you use $this->getUser() in your code, that will return a Company object. It's THAT difference that could cause some confusion in your code.

I can see two general ideas for solving this:

1) If the company token is only meant to be used for a few specific endpoints, then I might put those few endpoints under their own Symfony firewall. Then, in those endpoints, just be sure that if you're ever referencing the currently authenticated "user", that you know it's the Company.

2) Code carefully :). If you need to be able to support both a User or a Company across your entire application, then be sure to create smart security rules that do no depend on the specific User / Company object. I can give more tips about this if you are going this route and have some questions about how to do some specific things.

Let me know if this helps!

Cheers!

1 | Reply |

Marko weaverryan 2 years ago

Hello! Thanks a lot for your answer. One more question : do you confirm that Company should implement User Interface, as a authenticated 'user'? Or not. Thanks again!

| Reply |

weaverryan SFCASTS Marko 2 years ago

Yes it should!

1 | Reply |

MildDisaster 2 years ago

I'm curious in this example, why you have potentially one user - many tokens relationship?
Wouldn't one user - one token suffice ?

| Reply |

Victor SFCASTS MildDisaster 2 years ago edited

Hey @MildDisaster ,

That's how GitHub access tokens, you can create many tokens on GitHub for your account. First of all, you can create different tokens with different scopes, like some tokens may have access to the private repos while others - only public ones. That's the most common and flexible structure I think :) Moreover, you can use one token e.g. for Composer and another token for your website that sends API requests to GitHub. And it's convenient this way, as you can e.g. remove that second token but the first one will still work.

But of course it depends on your personal use case, and if you're happy with OneToOne relation - go for it, there's nothing wrong with it, just some limitations I mentioned above :)

Cheers!

1 | Reply |

MildDisaster Victor 2 years ago edited

I think I understand. So the relationship is more (but not exclusively) between tokens and apps ( that a user will use to access api with ) ?

What is the preferred way to handle tokens once an associated account is changed, ie (password recovered) ?

Should one invalidate existing tokens, or just let them be ?

I noticed in the symfonycasts github there are projects for account registration and password recovery. Without double checking, don't think there was mention of token cleanup in them.

Thanks !

| Reply |

Victor SFCASTS MildDisaster 2 years ago edited

Hey @MildDisaster ,

I think I understand. So the relationship is more (but not exclusively) between tokens and apps ( that a user will use to access api with ) ?

Mostly yes, I suppose, but once again, it depends on your specific use case. But from my experience it seems more like this :)

What is the preferred way to handle tokens once an associated account is changed, ie (password recovered) ?

Good question. I think it also depends on your specific use case and your strategy. I don't think GitHub invalidate all tokens if you changed password... but in some cases this might be a good idea. It depends on how much your users will be annoyed by it :)

Yeah, we support those bundles. And yeah, probably it's a good use case when you have to clean up password reset tokens on password change :)

Cheers!

1 | Reply |

Someswara-rao-J 2 years ago

How to authenticate jwt token string (First Way to make token). I have done react login page. Successfully logged in, But not getting Authenticated.

| Reply |

weaverryan SFCASTS Someswara-rao-J 2 years ago

Hey @Someswara-rao-J!

Hmm. Did you create an access token authenticator like we did? https://symfonycasts.com/screencast/api-platform-security/access-token-authenticator

If so, here is what I would do to debug:

A) After making the AJAX request to "log in", find the Symfony profiler for that request and open it (reminder: you can always go to /_profiler to see a list of the most recent requests to your site - and you can find the AJAX request you just made there. When you get to the profiler for that request, click on the "Security" tab. Does it show you as authenticated?

B) If it does NOT show you as authenticated, then look more closely at your access token authenticator system: make sure your ApiTokenHandler is being called, etc. If it DOES show that you are authenticated... but then future AJAX requests appear to be not authenticated, it means that you are "losing" authentication between requests.

There are a few things that could cause this:

1) If you have stateless: true on your firewall, this will happen. This is because this tells your firewall to NOT use session/cookie storage.
2) If your frontend and backend are on different subdomains this could happen. For example, if your API is api.example.com and your frontend is just frontend.example.com, by default, Symfony will create a cookie for api.example.com and (iirc) that will not be usable by your frontend. You can adjust your cookie domain in the Symfony settings if this is the cause
3) In some situations, if you've added some custom serialization logic to your User class, you can "lose" authentication on the 2nd request. If you check the logs on the first request after the successful login, you should see something like:

Cannot refresh token because user has changed

Let me know if this helps!

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Chapter

Next Chapter

Tipos de token y la entidad ApiToken

Share this awesome video!

Tipos de tokens de acceso

¿JWT vs Almacenamiento en Base de Datos?

Generar la entidad

12 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 2
	namespace App\Entity;

	use App\Repository\ApiTokenRepository;
	use Doctrine\ORM\Mapping as ORM;

	#[ORM\Entity(repositoryClass: ApiTokenRepository::class)]
	class ApiToken
	{
	#[ORM\Id]
	#[ORM\GeneratedValue]
	#[ORM\Column]
	private ?int $id = null;

	#[ORM\ManyToOne(inversedBy: 'apiTokens')]
	#[ORM\JoinColumn(nullable: false)]
	private ?User $ownedBy = null;

	#[ORM\Column(nullable: true)]
	private ?\DateTimeImmutable $expiresAt = null;

	#[ORM\Column(length: 68)]
	private string $token = null;

	#[ORM\Column]
	private array $scopes = [];
Show Lines	// ... lines 28 - 80
	}

Show Lines	// ... lines 1 - 12
	final class Version20230209183006 extends AbstractMigration
	{
	public function getDescription(): string
	{
	return '';
	}

	public function up(Schema $schema): void
	{
	// this up() migration is auto-generated, please modify it to your needs
	$this->addSql('CREATE SEQUENCE api_token_id_seq INCREMENT BY 1 MINVALUE 1 START 1');
	$this->addSql('CREATE TABLE api_token (id INT NOT NULL, owned_by_id INT NOT NULL, expires_at TIMESTAMP(0) WITHOUT TIME ZONE DEFAULT NULL, token VARCHAR(68) NOT NULL, scopes JSON NOT NULL, PRIMARY KEY(id))');
	$this->addSql('CREATE INDEX IDX_7BA2F5EB5E70BCD7 ON api_token (owned_by_id)');
	$this->addSql('COMMENT ON COLUMN api_token.expires_at IS \'(DC2Type:datetime_immutable)\'');
	$this->addSql('ALTER TABLE api_token ADD CONSTRAINT FK_7BA2F5EB5E70BCD7 FOREIGN KEY (owned_by_id) REFERENCES "user" (id) NOT DEFERRABLE INITIALLY IMMEDIATE');
	}

	public function down(Schema $schema): void
	{
	// this down() migration is auto-generated, please modify it to your needs
	$this->addSql('CREATE SCHEMA public');
	$this->addSql('DROP SEQUENCE api_token_id_seq CASCADE');
	$this->addSql('ALTER TABLE api_token DROP CONSTRAINT FK_7BA2F5EB5E70BCD7');
	$this->addSql('DROP TABLE api_token');
	}
	}