Chapters

47 Chapters | 4:41:51 |

01

composer require seguridad

5:07
02

make:user

5:57
03

Personalizar la clase de usuario

3:08
04

Construir un formulario de inicio de sesión

3:07
05

Cortafuegos y autenticadores

6:39
06

El autentificador y el pasaporte

6:24
07

Consulta de usuario personalizada y credenciales

6:04
08

Éxito de la autenticación y actualización del usuario

6:33
09

Cuando falla la autenticación

7:19
10

Personalizar los mensajes de error y añadir el cierre de sesión

7:33
11

Dar contraseñas a los usuarios

5:26
12

Hash de contraseñas en texto plano y PasswordCredentials

4:22
13

Sistema de eventos de seguridad y protección Csrf

6:40
14

Sistema de recordarme

7:07
15

Recordarme siempre y "signature_properties"

6:28
16

Denegación de acceso, access_control y roles

5:22
17

El punto de entrada: invitar a los usuarios a conectarse

6:45
18

AbstractLoginFormAuthenticator y redireccionamiento a la URL anterior

5:13
19

form_login: El autentificador incorporado

5:42
20

Más configuración de form_login

3:25
21

Negar el acceso en un controlador

4:57
22

Roles dinámicos

4:28
23

Las cadenas especiales ISAUTHENTICATED

9:18
24

Obtención del objeto de usuario

6:38
25

Métodos de usuario personalizados y el usuario en un servicio

7:21
26

Jerarquía de roles

5:37
27

Suplantación: switch_user

5:27
28

La API de usuario y el serializador

5:37
29

¿Utilizar o no la autenticación por token de la API?

4:09
30

Formulario de registro

5:25
31

Autenticación manual

6:12
32

Hacer preguntas propiedad de los usuarios

5:13
33

Aprovechando el propietario de la pregunta

6:09
34

Votantes

6:27
35

Votante personalizado

6:52
36

Verificar el correo electrónico tras el registro

7:57
37

Verificación de la URL firmada del correo electrónico de confirmación

7:18
38

Ralentización de inicio de sesión y eventos

6:11
39

Seguridad Eventos y Listeners

4:00
40

Crear un suscriptor de eventos de seguridad

8:47
41

Redirección personalizada cuando "Email no verificado"

7:16
42

autenticación de 2 factores y tokens de autenticación

8:33
43

2fa con TOTP (Time-Based One Time Password)

5:20
44

Activación de 2FA

5:34
45

Renderización del código QR

6:13
46

Datos QR y escaneo con una aplicación de autenticación

4:35
47

Personalizar el formulario de autenticación de dos factores

5:53

> Symfony 5 > Symfony 5 Seguridad: Autenticadores

Buy Access to Course

37.

Verificación de la URL firmada del correo electrónico de confirmación

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Ahora estamos generando una URL firmada que normalmente incluiríamos en un correo electrónico de "confirmación de la dirección de correo electrónico" que enviamos al usuario tras el registro. Para simplificar las cosas, sólo vamos a renderizar esa URL en la página después del registro.

Eliminando nuestro Bind no utilizado

Vamos a ver qué aspecto tiene. Refresca y... ¡ah! ¡Un error de aspecto terrible!

Se ha configurado un enlace para un argumento llamado $formLoginAuthenticator en _defaults, pero no se ha encontrado el argumento correspondiente.

Así que, hasta hace unos minutos, teníamos un argumento para nuestra acción register() que se llamaba $formLoginAuthenticator. En config/services.yaml, hemos configurado un "bind" global que decía

Siempre que un servicio autocableado tenga un argumento llamado $formLoginAuthenticator, por favor, pasa este servicio.

            Copy Code

                            Show All Lines

                        32 lines
            |
            config/services.yaml
        
                Show Lines

                                                    // ... lines 1 - 8
                            
            services:
        
                # default configuration for services in *this* file
        
                _defaults:
        
                Show Lines

                                                    // ... lines 12 - 13
                            
                    bind:
        
                Show Lines

                                                    // ... line 15
                            
                        $formLoginAuthenticator: '@security.authenticator.form_login.main'
        
                Show Lines

                                                    // ... lines 17 - 32

Una de las cosas buenas de bind es que si no hay un argumento que coincida en ninguna parte de nuestra aplicación, lanza una excepción. Intenta asegurarse de que no estamos cometiendo una errata accidental.

En nuestra situación, ya no necesitamos ese argumento. Así que elimínalo. Y ahora... ¡nuestra página de registro está viva!

Comprobando la URL de verificación

¡Hagamos esto! Introduce un correo electrónico, una contraseña, acepta las condiciones y pulsa registrar. ¡Genial! Aquí está nuestra URL de confirmación por correo electrónico. Puedes ver que va a/verify: que dará a nuestra nueva acción verifyUserEmail(). También incluye una caducidad. Eso es algo que puedes configurar... es el tiempo de validez del enlace. Y tiene un signature: que es algo que ayudará a demostrar que el usuario no se ha inventado esta URL: definitivamente viene de nosotros.

También incluye un id=18: nuestro identificador de usuario.

Verificar la URL firmada

Así que nuestro trabajo ahora es ir al método del controlador verifyUserEmail aquí abajo y validar esa URL firmada. Para ello, necesitamos unos cuantos argumentos: el objeto Request -para poder leer los datos de la URL-, unVerifyEmailHelperInterface para ayudarnos a validar la URL y, por último, nuestro UserRepository -para poder consultar el objeto User:

            Copy Code

                            Show All Lines

                        83 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 6
                            
            use App\Repository\UserRepository;
        
                Show Lines

                                                    // ... line 8
                            
            use Symfony\Component\HttpFoundation\Request;
        
                Show Lines

                                                    // ... lines 10 - 13
                            
            use SymfonyCasts\Bundle\VerifyEmail\VerifyEmailHelperInterface;
        
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 18 - 60
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository): Response
        
                {
        
                Show Lines

                                                    // ... lines 63 - 80
                            
                }
        
            }

Y en realidad, ese es nuestro primer trabajo. Digamos que $user = $userRepository->find() y encontrar el usuario al que pertenece este enlace de confirmación leyendo el parámetro de consulta id. Así que, $request->query->get('id'). Y si, por alguna razón, no podemos encontrar el User, vamos a lanzar una página 404 lanzando$this->createNotFoundException():

            Copy Code

                            Show All Lines

                        83 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 15
                            
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 18 - 60
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository): Response
        
                {
        
                    $user = $userRepository->find($request->query->get('id'));
        
                    if (!$user) {
        
                        throw $this->createNotFoundException();
        
                    }
        
                Show Lines

                                                    // ... lines 67 - 80
                            
                }
        
            }

Ahora podemos asegurarnos de que la URL firmada no ha sido manipulada. Para ello, añade un bloque try-catch. Dentro, di $verifyEmailHelper->validateEmailConfirmation()y pasa un par de cosas. Primero, la URL firmada, que... es la URL actual. Obténla con $request->getUri(). A continuación, pasa el identificador del usuario - $user->getId() y luego el correo electrónico del usuario - $user->getEmail():

            Copy Code

                            Show All Lines

                        83 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 15
                            
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 18 - 60
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository): Response
        
                {
        
                    $user = $userRepository->find($request->query->get('id'));
        
                    if (!$user) {
        
                        throw $this->createNotFoundException();
        
                    }
        
                    try {
        
                        $verifyEmailHelper->validateEmailConfirmation(
        
                            $request->getUri(),
        
                            $user->getId(),
        
                            $user->getEmail(),
        
                        );
        
                Show Lines

                                                    // ... lines 74 - 77
                            
                    }
        
                Show Lines

                                                    // ... lines 79 - 80
                            
                }
        
            }

Esto asegura que la identificación y el correo electrónico no han cambiado en la base de datos desde que se envió el correo de verificación. Bueno, el id definitivamente no ha cambiado... ya que lo acabamos de utilizar para la consulta. Esta parte sólo se aplica realmente si confías en que el usuario esté conectado para verificar su correo electrónico.

De todos modos, si esto tiene éxito... ¡no pasará nada! Si falla, lanzará una excepción especial que implementa VerifyEmailExceptionInterface:

            Copy Code

                            Show All Lines

                        83 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 15
                            
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 18 - 60
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository): Response
        
                {
        
                Show Lines

                                                    // ... lines 63 - 67
                            
                    try {
        
                        $verifyEmailHelper->validateEmailConfirmation(
        
                            $request->getUri(),
        
                            $user->getId(),
        
                            $user->getEmail(),
        
                        );
        
                    } catch (VerifyEmailExceptionInterface $e) {
        
                Show Lines

                                                    // ... lines 75 - 77
                            
                    }
        
                Show Lines

                                                    // ... lines 79 - 80
                            
                }
        
            }

Así que, aquí abajo, sabemos que la verificación de la URL ha fallado... tal vez alguien se ha equivocado. O, más probablemente, el enlace ha caducado. Digamos al usuario la razón aprovechando de nuevo el sistema flash. Digamos $this->addFlash(), pero esta vez poniéndolo en una categoría diferente llamada error. Luego, para decir lo que ha ido mal, utiliza $e->getReason(). Por último, utiliza redirectToRoute() para enviarlos a algún sitio. ¿Qué tal la página de registro?

            Copy Code

                            Show All Lines

                        83 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 15
                            
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 18 - 60
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository): Response
        
                {
        
                Show Lines

                                                    // ... lines 63 - 67
                            
                    try {
        
                        $verifyEmailHelper->validateEmailConfirmation(
        
                            $request->getUri(),
        
                            $user->getId(),
        
                            $user->getEmail(),
        
                        );
        
                    } catch (VerifyEmailExceptionInterface $e) {
        
                        $this->addFlash('error', $e->getReason());
        
                        return $this->redirectToRoute('app_register');
        
                    }
        
                    dd('TODO');
        
                }
        
            }

Para mostrar el error, vuelve a base.html.twig, duplica todo este bloque, pero busca los mensajes de error y utiliza alert-danger:

            Copy Code

                            Show All Lines

                        95 lines
            |
            templates/base.html.twig
        
            <!DOCTYPE html>
        
            <html>
        
                Show Lines

                                                    // ... lines 3 - 14
                            
                <body
        
                Show Lines

                                                    // ... lines 16 - 81
                            
                    {% for flash in app.flashes('success') %}
        
                        <div class="alert alert-success">{{ flash }}</div>
        
                    {% endfor %}
        
                    {% for flash in app.flashes('error') %}
        
                        <div class="alert alert-danger">{{ flash }}</div>
        
                    {% endfor %}
        
                Show Lines

                                                    // ... lines 88 - 92
                            
                </body>
        
            </html>

¡Uf! Probemos el caso del error. Copia la URL y luego abre una nueva pestaña y pégala. Si voy a esta URL real... funciona. Bueno, todavía tenemos que hacer algo más de codificación, pero llega a nuestro TODO en la parte inferior del controlador. Ahora juega con la URL, como eliminar algunos caracteres... o ajustar la caducidad o cambiar el id. Ahora... ¡sí! Ha fallado porque nuestro enlace no es válido. Si el enlace estuviera caducado, verías un mensaje al respecto.

Así que, por fin, ¡acabemos con el caso feliz! En la parte inferior de nuestro controlador, ahora que sabemos que el enlace de verificación es válido, hemos terminado. Para nuestra aplicación, podemos decir $user->isVerified(true) y almacenarlo en la base de datos:

            Copy Code

                            Show All Lines

                        89 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 16
                            
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 19 - 61
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository, EntityManagerInterface $entityManager): Response
        
                {
        
                Show Lines

                                                    // ... lines 64 - 68
                            
                    try {
        
                Show Lines

                                                    // ... lines 70 - 78
                            
                    }
        
                    $user->setIsVerified(true);
        
                Show Lines

                                                    // ... lines 82 - 86
                            
                }
        
            }

Veamos... necesitamos un argumento más: EntityManagerInterface $entityManager:

            Copy Code

                            Show All Lines

                        89 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 7
                            
            use Doctrine\ORM\EntityManagerInterface;
        
                Show Lines

                                                    // ... lines 9 - 16
                            
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 19 - 61
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository, EntityManagerInterface $entityManager): Response
        
                {
        
                Show Lines

                                                    // ... lines 64 - 86
                            
                }
        
            }

Aquí abajo, utiliza $entityManager->flush() para guardar ese cambio:

            Copy Code

                            Show All Lines

                        89 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 16
                            
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 19 - 61
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository, EntityManagerInterface $entityManager): Response
        
                {
        
                Show Lines

                                                    // ... lines 64 - 80
                            
                    $user->setIsVerified(true);
        
                    $entityManager->flush();
        
                Show Lines

                                                    // ... lines 83 - 86
                            
                }
        
            }

Y demos a esto un feliz mensaje de éxito:

¡Cuenta verificada! Ya puedes conectarte.

Bueno, la verdad es que todavía no impedimos que se conecten antes de verificar su correo electrónico. Pero lo haremos pronto. De todos modos, termina redirigiendo a la página de inicio de sesión: app_login:

            Copy Code

                            Show All Lines

                        89 lines
            |
            src/Controller/RegistrationController.php
        
                Show Lines

                                                    // ... lines 1 - 16
                            
            class RegistrationController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 19 - 61
                            
                public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository, EntityManagerInterface $entityManager): Response
        
                {
        
                Show Lines

                                                    // ... lines 64 - 80
                            
                    $user->setIsVerified(true);
        
                    $entityManager->flush();
        
                    $this->addFlash('success', 'Account Verified! You can now log in.');
        
                    return $this->redirectToRoute('app_login');
        
                }
        
            }

Si quieres ser aún más genial, podrías autenticar manualmente al usuario de la misma manera que lo hicimos antes en nuestro controlador de registro. Eso está totalmente bien y depende de ti.

De vuelta a mi pestaña principal... copia ese enlace de nuevo, pégalo y... ¡estamos verificados! ¡Qué bien!

Lo único que queda por hacer es impedir que el usuario se registre hasta que haya verificado su correo electrónico. Para ello, primero tenemos que conocer los eventos que ocurren dentro del sistema de seguridad. Y para mostrarlos, aprovecharemos una nueva función muy interesante: el estrangulamiento del inicio de sesión.

19 Comments

Sort By

Rsteuber 2 years ago

Howdy, I have set this up just like in the tutorial but every time I try to validate the link it throws an exception with the message that the link is invalid. I read that there was a problem in the maker-bundle to output the signedUrl with a raw selector, but that doesn't work either. Is there a solution for this?

I run my app with docker-compose, with Symfony 6.3 and with PHP 8.2.

| Reply |

weaverryan SFCASTS Rsteuber 2 years ago

Hey @Rsteuber!

Sorry for the slow reply! Hmm, this kind of failure is tough - it's hard to debug. What we need to know is why is it invalid? And the bundle doesn't give better errors because, for production, sometimes we want to hide that info. To figure out the problem, exactly which exception class is being thrown? That would show us which part of this function - https://github.com/SymfonyCasts/verify-email-bundle/blob/main/src/VerifyEmailHelper.php#L62-L77 - is failing. You mentioned that it says that the "link is invalid", which makes me think it's the InvalidSignatureException. If that's true, then there's a problem with the "signed url", which is odd. We use a UriSigner class from Symfony and the logic is pretty simple:

A) We ask it to sign the URL - https://github.com/SymfonyCasts/verify-email-bundle/blob/main/src/VerifyEmailHelper.php#L56
B) We as it to verify that signature - https://github.com/SymfonyCasts/verify-email-bundle/blob/main/src/VerifyEmailHelper.php#L64

I would put a dump when the request is signed (dump $signature in A) then compare that to the URL when you click the link. It may be that we're losing part of the URL... or there is some URL or HTML encoding that is slightly changing it. It needs to be exactly the same.

Let me know if this helps!

Cheers!

| Reply |

Rsteuber weaverryan 2 years ago

Hey Ryan,

No problem for replying so late. We are busy too so totally understandable :)

I've dumped the $signature and compared it with the link in the email. Turns out they are exactly the same:

------ dump ------
verify?expires=1701263583&id=27&signature=eJHNOlI3HkWXhZOJfpJrTeIOEjdYR2pJuOtE8l0ktFQ%3D&token=UGMyl2OXc8HLSCU9qRZ9Pn3%2BRn1ovX%2BVXXq8AQmz5gI%3D

------ link ------
verify?expires=1701263583&id=27&signature=eJHNOlI3HkWXhZOJfpJrTeIOEjdYR2pJuOtE8l0ktFQ%3D&token=UGMyl2OXc8HLSCU9qRZ9Pn3%2BRn1ovX%2BVXXq8AQmz5gI%3D

That seems a bit awkward to me.
Is there somehow a way to get the real exception message?

Cheers! 🍻

| Reply |

weaverryan SFCASTS Rsteuber 2 years ago

Hey @Rsteuber!

Hmm, that is mysterious! To get more info, I would:

A) First, triple-check that this line is the problem - https://github.com/SymfonyCasts/verify-email-bundle/blob/main/src/VerifyEmailHelper.php#L69 - e.g. put a die in front of the exception. Better, a dd($signedUrl) to be sure.

B) To debug further, inside of Symfony's core itself, find the UriSigner class and put some debugging inside the check() method - https://github.com/symfony/symfony/blob/7.1/src/Symfony/Component/HttpFoundation/UriSigner.php#L59-L75

I'm hoping this will help figure out what difference the UriSigner is seeing that's causing the difference. I'd compare, specifically, what the $uri and $this->secret look like both when the URL is created and when it's checked in this method https://github.com/symfony/symfony/blob/7.1/src/Symfony/Component/HttpFoundation/UriSigner.php#L86-L89

Let me know what you find out - it's gotta be something small...

Cheers!

| Reply |

Rsteuber weaverryan 2 years ago edited

Ok, I have found something weird...

The query parameters is giving me this:
"query" => "%3Fexpires=1701721532&id=30&signature=C37Z9HCzWS5GuCanWzEYexMuvrpAJkKE2yuHQs9Rllk%3D&token=P%2BzNwEnF%2FBhMD%2B24xuU9N9I9bqJuxbB3YuyxgEuz89c%3D"

But when I dd($params), it is showing me a weird token like it has been decoded:
array:3 [▼ "?expires" => "1701721532" "id" => "30" "token" => "P+zNwEnF/BhMD+24xuU9N9I9bqJuxbB3YuyxgEuz89c=" ]

The %2B = transformed into a "+" character. Could that be the problem to this case?

Cheers!

| Reply |

weaverryan SFCASTS Rsteuber 2 years ago

That would be enough to cause the signing to fail. Or it could be a false clue. If you, temporarily, manually hacked in code to make the + go back to %2B and tried it (or, more generally, you could urldecode that part), and it works, then I think we might have something. Otherwise, this could just be a false alarm an we just happen to be comparing the urlencoded and urldecoded strings. But even if this is the cause, I'm not really sure what's going on yet...

| Reply |

Rsteuber weaverryan 2 years ago edited

Ok, I am trying to figure it out today and think I see the problem now!

When i use the $request->getUri() method, it seems that it adds some extra characters into the uri right before the "expires" query param. (%3F)

So.... If I use the following code in my controller, it goes well:

$uri = $request->getScheme() .  '://'. $request->getHost() . $request->getRequestUri();
$this->verifyEmailHelper->validateEmailConfirmation($uri, $user->getId(), $user->getEmail());

Wondering if other people got this same problem?

Cheers!

| Reply |

weaverryan SFCASTS Rsteuber 2 years ago edited

Hey @Rsteuber!

Really glad you figured it out! And yea, this is strange! You said:

When i use the $request->getUri() method, it seems that it adds some extra characters into the uri right before the "expires" query param. (%3F)

That %3F is the ? character. the getUri() method does add this character - https://github.com/symfony/symfony/blob/aa8e74b1c27890850b541c27ab7b05203cf06524/src/Symfony/Component/HttpFoundation/Request.php#L955 - but it shouldn't be adding an extra one. The $this->getQueryString() should return something like expires=...&foo=bar, and so adding the ? should be proper to reconstruct the URL. It also wouldn't show as URL encoded as %3F. It feels like there is an extra %3F in the URL when you come to the page... and so you're stripping effectively stripping that, but I also have a feeling I may be misreading things. If this were a bug, I'm sure we would have heard about it, but I'm not sure what you're doing differently.

However, I do think there may be a problem. Notice UriSigner has a checkRequest() helper method - https://github.com/symfony/symfony/blob/7.1/src/Symfony/Component/HttpFoundation/UriSigner.php#L83 - and it gets the URL in a different way, purposely not using getUri(). That may or may not be describing your problem, but I'm thinking we should use that method in the bundle to url signing validation. https://github.com/SymfonyCasts/verify-email-bundle/issues/155

Cheers!

| Reply |

Juan-Etxenike 3 years ago edited

Hello I have tried a slightly different approach. I actually have created a verification system which sends a random code via email and following your reccomendation in this chapter "If you wanted to be even cooler, you could manually authenticate the user in the same way that we did earlier in our registration controller. That's totally ok and up to you." I have tried to authenticate the user:

/**
   * @Route("/verify/{user}", name="user-verify")
   */


  public function userVerify(
    User $user,
    EntityManagerInterface $em,
    Request $request,
    UserAuthenticatorInterface $userAuthenticator,
    FormLoginAuthenticator $formLoginAuthenticator,
  ) {
  
  $form = $this->createFormBuilder()
      ->add('verification', TextType::class)
      ->add('userId', HiddenType::class, [
        'data' => $user->getId()
      ])
      ->add('send', SubmitType::class)
      ->getForm();
    $form->handleRequest($request);
    
     if ($form->isSubmitted() && $form->isValid()) {
      $data = $form->getData();
      if ($data['verification'] == $user->getVerification()) {
        $user->setVerification('verified');
        $em->persist($user);
        $em->flush();
        $userAuthenticator->authenticateUser(
          $user,
          $formLoginAuthenticator,
          $request
        );
        //dd($user); -> returns $user Object
        return $this->redirectToRoute('frontend_user');
      }

My security.yaml file:


form_login:
                login_path: app_login
                check_path: app_login
                username_parameter: email
                password_parameter: password
                enable_csrf: true
                default_target_path: frontend_user
                use_referer: true
                target_path_parameter: frontend_user

After the redirection $this->getUser() returns null thus the session is not mantained, so seems that validation did not work or at least the session was not retained and I would need to send the verified user to login which is possible but not desired in my case. How can I find out what has happened during that redirection? What would be the best debugging strategy?

| Reply |

weaverryan SFCASTS Juan-Etxenike 3 years ago edited

Hey Juan E.!

Hmm, that's a mystery! And you've asked the correct questions: how to debug / find out what happened during that redirection.

Here's what I like to do:

A) In config/packages/dev/web_profiler.yaml, you should have a intercept_redirects: false line. Change that to intercept_redirects: true.

B) Now, whenever Symfony redirects you, instead of redirecting, you will see a page that says something like "About to redirect you to http://...". But it hasn't actually redirected you.

How is that useful? Because now you can do this:

1) Click the link, which will hit this URL, submit the form and (should) authenticate the user (make sure you put your redirectToRoute() back)
2) But, instead of redirecting, it will stop and show you the message. The useful thing is that, on this screen, you will see the web debug toolbar for this page. The question is: do you see yourself as authenticated in the web debug toolbar?

The answer to this question will tell us where to look next. If you ARE authenticated (but then when you click the link to "follow the redirect" suddenly you are not authenticated), then you are "losing" authentication, probably because some data on your User object is being seen as "changed" (if you have this situation, I can tell you more - it is common if you, for some reason, implement a custom \Serializable interface on your User class, which you probably shouldn't have).

Let me know what you find out.

Cheers!

| Reply |

Juan-Etxenike weaverryan 3 years ago edited

Hi I just managed to make it work using the rememberMe Handler Interface and adding this line before the redirect:

$rememberMe->createRememberMeCookie($this->getUser());

| Reply |

Juan-Etxenike weaverryan 3 years ago edited

Hi, as I said in the previous reply I still get "kicked out" this is my User.php entity, I wonder if the libPhoneNumber object could be the problem.

`<?php

namespace App\Entity;

use Doctrine\Common\Collections\ArrayCollection;
use Doctrine\Common\Collections\Collection;
use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Serializer\Annotation\Groups;
use Symfony\Component\Validator\Constraints as Assert;
use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
use Adamski\Symfony\PhoneNumberBundle\Model\PhoneNumber;
use Adamski\Symfony\PhoneNumberBundle\Validator\Constraints\PhoneNumber as AssertPhoneNumber;

/**

@ORM\Entity(repositoryClass=App\Repository\UserRepository::class)
@UniqueEntity(fields={"email"}, message="This value is already used.")
*/
class User implements UserInterface
{

const REGISTERED_SUCCESFULLY = 'Se ha registrado exitosamente';
/**
 * @ORM\Id
 * @ORM\GeneratedValue
 * @ORM\Column(type="integer")
 */
private $id;

/**
 * @ORM\Column(type="string", length=180, unique=true)
 * @Groups("main")
 * 
 * @Assert\NotBlank()
 * @Assert\Email()
 */
private $email;

/**
 * @ORM\Column(type="json")
 * @Groups("main")
 *
 */
private $roles = [];

/**
 * @var string The hashed password
 * @ORM\Column(type="string", nullable=true)
 * @Assert\NotBlank()
 */
private $password;

/**
 * @ORM\Column(type="string", length=2, nullable=true)
 * @Groups("main")
 */
private $langue;

/**
 * @ORM\Column(type="string", length=255, nullable=true)
 * @Groups("main")
 * @Assert\NotBlank()
 */
private $nom;

/**
 * @ORM\Column(type="string", length=255, nullable=true)
 * @Groups("main")
 * @Assert\NotBlank()
 */
private $prenom;

/**
 * @Groups("main")
 * @AssertPhoneNumber
 * @ORM\Column(name="telephone", type="phone_number", nullable=true)
 */

private $telephone;

/**
 * @ORM\Column(type="string", length=15, nullable=true)
 * @Groups("main")
 */
private $position;

/**
 * @ORM\Column(type="datetime")
 * @Groups("main")
 */
private $date_ajout;

/**
 * @ORM\ManyToMany(targetEntity=Dates::class, inversedBy="users")
 */
private $date;

/**
 * @ORM\OneToMany(targetEntity=Reservation::class, mappedBy="user", cascade={"persist","remove"})
 */
private $reservation;

/**
 * @ORM\OneToMany(targetEntity=BlogTranslation::class, mappedBy="user", orphanRemoval=true)
 */
private $blogTranslations;

/**
 * @ORM\OneToMany(targetEntity=Document::class, mappedBy="user")
 */
private $documents;

/**
 * @ORM\OneToMany(
 *                  targetEntity=Travellers::class, 
 *                  mappedBy="user",
 *                  fetch="EXTRA_LAZY",
 *                  orphanRemoval=true,
 *                  cascade={"persist"}
 * )
 */

private $travellers;

/**
 * @ORM\Column(type="string", length=255, nullable=true)
 */
private $address;

/**
 * @ORM\Column(type="string", length=6, nullable=true)
 */
private $postcode;

/**
 * @ORM\Column(type="string", length=255, nullable=true)
 */
private $city;

/**
 * @ORM\Column(type="string", length=255, nullable=true)
 */
private $country;

/**
 * @ORM\Column(type="string", length=255, nullable=true)
 */
private $nationality;

/**
 * @ORM\Column(type="string", length=3, nullable=true)
 */
private $sizes;

/**
 * @ORM\Column(type="string", length=255, nullable=true)
 */
private $verification;

/**
 * @ORM\OneToMany(targetEntity=ReservationData::class, mappedBy="User", orphanRemoval=true)
 */
private $reservationData;

/**
 * @ORM\OneToMany(targetEntity=Codespromo::class, mappedBy="user")
 */
private $codespromos;

/**
 * @ORM\Column(type="boolean")
 */
private $isVerified = false;

public function __construct()
{
    $this->date = new ArrayCollection();
    $this->reservation = new ArrayCollection();
    $this->blogTranslations = new ArrayCollection();
    $this->documents = new ArrayCollection();
    $this->travellers = new ArrayCollection();
    $this->reservations = new ArrayCollection();
    $this->reservationData = new ArrayCollection();
    $this->codespromos = new ArrayCollection();
}

public function getId(): ?int
{
    return $this->id;
}

public function getEmail(): ?string
{
    return $this->email;
}

public function setEmail(string $email): self
{
    $this->email = $email;

    return $this;
}
/**
 * A visual identifier that represents this user.
 *
 * @see UserInterface
 */
public function getUserIdentifier(): string
{
    return (string)$this->email;
}

/**
 * @deprecated since Symfony 5.3, use getUserIdentifier instead
 *
 */
public function getUsername(): string
{
    return (string) $this->email;
}

/**
 * @see UserInterface
 */
public function getRoles(): array
{
    $roles = $this->roles;
    // guarantee every user at least has ROLE_USER
    $roles[] = 'ROLE_USER';

    return array_unique($roles);
}

public function setRoles(array $roles): self
{
    $this->roles = $roles;

    return $this;
}

/**
 * @see UserInterface
 */
public function getPassword(): string
{
    return (string) $this->password;
}

public function setPassword(string $password): self
{
    $this->password = $password;

    return $this;
}

/**
 * Returning a salt is only needed, if you are not using a modern
 * hashing algorithm (e.g. bcrypt or sodium) in your security.yaml.
 *
 * @see UserInterface
 */
public function getSalt(): ?string
{
    return null;
}

/**
 * @see UserInterface
 */
public function eraseCredentials()
{
    // If you store any temporary, sensitive data on the user, clear it here
    // $this->plainPassword = null;
}

public function getLangue(): ?string
{
    return $this->langue;
}

public function setLangue(string $langue): self
{
    $this->langue = $langue;

    return $this;
}

public function getNom(): ?string
{
    return $this->nom;
}

public function setNom(string $nom): self
{
    $this->nom = $nom;

    return $this;
}

public function getPrenom(): ?string
{
    return $this->prenom;
}

public function setPrenom(string $prenom): self
{
    $this->prenom = $prenom;

    return $this;
}

public function getTelephone(): ?PhoneNumber
{
    return $this->telephone;
}

public function setTelephone(?PhoneNumber $telephone): self
{
    $this->telephone = $telephone;

    return $this;
}

public function getPosition(): ?string
{
    return $this->position;
}

public function setPosition(?string $position): self
{
    $this->position = $position;

    return $this;
}

public function getDateAjout(): ?\DateTimeInterface
{
    return $this->date_ajout;
}

public function setDateAjout(\DateTimeInterface $date_ajout): self
{
    $this->date_ajout = $date_ajout;

    return $this;
}

/**
 * @return Collection|Dates[]
 */
public function getDate(): Collection
{
    return $this->date;
}

public function addDate(Dates $date): self
{
    if (!$this->date->contains($date)) {
        $this->date[] = $date;
    }

    return $this;
}

public function removeDate(Dates $date): self
{
    $this->date->removeElement($date);

    return $this;
}

/**
 * @return Collection|Reservations[]
 */
public function getReservation(): Collection
{
    return $this->reservation;
}

public function addReservation(Reservation $reservation): self
{
    if (!$this->reservation->contains($reservation)) {
        $this->reservation[] = $reservation;
    }

    return $this;
}

public function removeReservation(Reservation $reservation): self
{
    $this->reservation->removeElement($reservation);

    return $this;
}

/**
 * @return Collection|BlogTranslation[]
 */
public function getBlogTranslations(): Collection
{
    return $this->blogTranslations;
}

public function addBlogTranslation(BlogTranslation $blogTranslation): self
{
    if (!$this->blogTranslations->contains($blogTranslation)) {
        $this->blogTranslations[] = $blogTranslation;
        $blogTranslation->setUser($this);
    }

    return $this;
}

public function removeBlogTranslation(BlogTranslation $blogTranslation): self
{
    if ($this->blogTranslations->removeElement($blogTranslation)) {
        // set the owning side to null (unless already changed)
        if ($blogTranslation->getUser() === $this) {
            $blogTranslation->setUser(null);
        }
    }

    return $this;
}

/**
 * @return Collection|Document[]
 */
public function getDocuments(): Collection
{
    return $this->documents;
}

public function addDocument(Document $document): self
{
    if (!$this->documents->contains($document)) {
        $this->documents[] = $document;
        $document->setUser($this);
    }

    return $this;
}

public function removeDocument(Document $document): self
{
    if ($this->documents->removeElement($document)) {
        // set the owning side to null (unless already changed)
        if ($document->getUser() === $this) {
            $document->setUser(null);
        }
    }

    return $this;
}

/**
 * @return Collection|Travellers[]
 */
public function getTravellers(): Collection
{
    return $this->travellers;
}

public function addTraveller(Travellers $traveller): self
{
    if (!$this->travellers->contains($traveller)) {
        $this->travellers[] = $traveller;
        $traveller->setUser($this);
    }

    return $this;
}

public function removeTraveller(Travellers $traveller): self
{
    if ($this->travellers->removeElement($traveller)) {
        // set the owning side to null (unless already changed)
        if ($traveller->getUser() === $this) {
            $traveller->setUser(null);
        }
    }

    return $this;
}

public function __toString(): string
{
    return $this->getUserIdentifier();
}

/**
 * @return Collection|Reservation[]
 */
public function getReservations(): Collection
{
    return $this->reservation;
}

public function getAddress(): ?string
{
    return $this->address;
}

public function setAddress(?string $address): self
{
    $this->address = $address;

    return $this;
}

public function getPostcode(): ?string
{
    return $this->postcode;
}

public function setPostcode(?string $postcode): self
{
    $this->postcode = $postcode;

    return $this;
}

public function getCity(): ?string
{
    return $this->city;
}

public function setCity(?string $city): self
{
    $this->city = $city;

    return $this;
}

public function getCountry(): ?string
{
    return $this->country;
}

public function setCountry(?string $country): self
{
    $this->country = $country;

    return $this;
}

public function getNationality(): ?string
{
    return $this->nationality;
}

public function setNationality(?string $nationality): self
{
    $this->nationality = $nationality;

    return $this;
}

public function getSizes(): ?string
{
    return $this->sizes;
}

public function setSizes(?string $sizes): self
{
    $this->sizes = $sizes;

    return $this;
}

public function getVerification(): ?string
{
    return $this->verification;
}

public function setVerification(?string $verification): self
{
    $this->verification = $verification;

    return $this;
}

/**
 * @return Collection|ReservationData[]
 */
public function getReservationData(): Collection
{
    return $this->reservationData;
}

public function addReservationData(ReservationData $reservationData): self
{
    if (!$this->reservationData->contains($reservationData)) {
        $this->reservationData[] = $reservationData;
        $reservationData->setUser($this);
    }

    return $this;
}

public function removeReservationData(ReservationData $reservationData): self
{
    if ($this->reservationData->removeElement($reservationData)) {
        // set the owning side to null (unless already changed)
        if ($reservationData->getUser() === $this) {
            $reservationData->setUser(null);
        }
    }

    return $this;
}

/**
 * @return Collection|Codespromo[]
 */
public function getCodespromos(): Collection
{
    return $this->codespromos;
}

public function addCodespromo(Codespromo $codespromo): self
{
    if (!$this->codespromos->contains($codespromo)) {
        $this->codespromos[] = $codespromo;
        $codespromo->setUser($this);
    }

    return $this;
}

public function removeCodespromo(Codespromo $codespromo): self
{
    if ($this->codespromos->removeElement($codespromo)) {
        // set the owning side to null (unless already changed)
        if ($codespromo->getUser() === $this) {
            $codespromo->setUser(null);
        }
    }

    return $this;
}

public function getIsVerified(): ?bool
{
    return $this->isVerified;
}

public function setIsVerified(bool $isVerified): self
{
    $this->isVerified = $isVerified;

    return $this;
}

| Reply |

Juan-Etxenike weaverryan 3 years ago

Hi thank you, I have proceeded following your indications and so far I find my self in the place we expected. By preventing direct redirection I got to that "intermediate" page and the user was still logged in, but after redirection it disappeared. Since the project I am managing "inherits" many elements from a former project I will clean up the data model of the user class and then test again, if I get no progress I may send here the User.php entity class with the hope you may find something I couldn't, I will try tomorrow and whatever the outcome I will post it here. Thanks so much.

| Reply |

weaverryan SFCASTS Juan-Etxenike 3 years ago

Hey Juan!

I see that you got this working, I just wanted to apologize for not replying - I'm not sure how I lost this message! Overall, your solution is probably fine. If you'd like to learn more about the underlying issue and solution, you can read about it on this thread: https://symfonycasts.com/sc...

Cheers!

| Reply |

Ruslan 4 years ago

Hi,
How to translate $e->getReason() ? I don't see any domain in debug bar.

Thank you.

| Reply |

Victor SFCASTS Ruslan 4 years ago

Hey Ruslan,

I think you need to translate the exact text if the error is from core Symfony. If the error message is your custom - you can use a translation message key, translate it in translation files, and use the translator in that spot to translate.

I hope this helps!

Cheers!

| Reply |

Ruslan Victor 4 years ago

Hi Victor,
In this tutorial, we have changed Error messages for Login form (lesson 10) in translations\security.en.yaml. As I understand "security" is domain and I can see it in debug bar "Translation".
$e->getReason() is from VerifyEmailExceptionInterface. - but here I miss understand how to translate (I mean translation file name)

Thank you.

| Reply |

Ruslan Ruslan 4 years ago

Looks like I understand my fault.
in this code I need to pass $error
-----
} catch (VerifyEmailExceptionInterface $e){
$this->addFlash('error', $e->getReason());

return $this->redirectToRoute('app_register');
}
-----

and in twig use the same construction like in login.html.twig.
<div class="alert alert-danger">{{ error.messageKey|trans(error.messageData, 'security') }}</div>

Am I right?

| Reply |

Victor SFCASTS Ruslan 4 years ago

Hey Ruslan,

I'm not sure you can pass the error object, IIRC you can only pass string to the addFlash() method. So, either you need to translate the message in PHP using trans() method before pass the string to the addFlash(), or you can pass the untranslated string to the addFlash() and translate it later in the template, i.e. "<div class="alert alert-success">{{ flash|trans }}</div>" as you mentioned, but yeah, if the message requires some messageData - it you do need to pass it into the template somehow, so probably better to translate in PHP where you have access to the object.

But if it's possible to pass the object - yeah, you can try your solution as well then. But you would need one more check in the template - you would need to know if you passed a string or an object and so render it a bit differently.

Cheers!

| Reply |

¡Este tutorial también funciona muy bien para Symfony 6!

symfony 5.3

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "babdev/pagerfanta-bundle": "^3.3", // v3.3.0
        "composer/package-versions-deprecated": "^1.11", // 1.11.99.4
        "doctrine/annotations": "^1.0", // 1.13.2
        "doctrine/doctrine-bundle": "^2.1", // 2.6.3
        "doctrine/doctrine-migrations-bundle": "^3.0", // 3.1.1
        "doctrine/orm": "^2.7", // 2.10.1
        "knplabs/knp-markdown-bundle": "^1.8", // 1.9.0
        "knplabs/knp-time-bundle": "^1.11", // v1.16.1
        "pagerfanta/doctrine-orm-adapter": "^3.3", // v3.3.0
        "pagerfanta/twig": "^3.3", // v3.3.0
        "phpdocumentor/reflection-docblock": "^5.2", // 5.2.2
        "scheb/2fa-bundle": "^5.12", // v5.12.1
        "scheb/2fa-qr-code": "^5.12", // v5.12.1
        "scheb/2fa-totp": "^5.12", // v5.12.1
        "sensio/framework-extra-bundle": "^6.0", // v6.2.0
        "stof/doctrine-extensions-bundle": "^1.4", // v1.6.0
        "symfony/asset": "5.3.*", // v5.3.4
        "symfony/console": "5.3.*", // v5.3.7
        "symfony/dotenv": "5.3.*", // v5.3.8
        "symfony/flex": "^1.3.1", // v1.21.6
        "symfony/form": "5.3.*", // v5.3.8
        "symfony/framework-bundle": "5.3.*", // v5.3.8
        "symfony/monolog-bundle": "^3.0", // v3.7.0
        "symfony/property-access": "5.3.*", // v5.3.8
        "symfony/property-info": "5.3.*", // v5.3.8
        "symfony/rate-limiter": "5.3.*", // v5.3.4
        "symfony/runtime": "5.3.*", // v5.3.4
        "symfony/security-bundle": "5.3.*", // v5.3.8
        "symfony/serializer": "5.3.*", // v5.3.8
        "symfony/stopwatch": "5.3.*", // v5.3.4
        "symfony/twig-bundle": "5.3.*", // v5.3.4
        "symfony/ux-chartjs": "^1.3", // v1.3.0
        "symfony/validator": "5.3.*", // v5.3.8
        "symfony/webpack-encore-bundle": "^1.7", // v1.12.0
        "symfony/yaml": "5.3.*", // v5.3.6
        "symfonycasts/verify-email-bundle": "^1.5", // v1.5.0
        "twig/extra-bundle": "^2.12|^3.0", // v3.3.3
        "twig/string-extra": "^3.3", // v3.3.3
        "twig/twig": "^2.12|^3.0" // v3.3.3
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.3", // 3.4.0
        "symfony/debug-bundle": "5.3.*", // v5.3.4
        "symfony/maker-bundle": "^1.15", // v1.34.0
        "symfony/var-dumper": "5.3.*", // v5.3.8
        "symfony/web-profiler-bundle": "5.3.*", // v5.3.8
        "zenstruck/foundry": "^1.1" // v1.13.3
    }
}

Previous Chapter

Next Chapter

Verificación de la URL firmada del correo electrónico de confirmación

Share this awesome video!

Keep on Learning!

Eliminando nuestro Bind no utilizado

Comprobando la URL de verificación

Verificar la URL firmada

19 Comments

Delete comment?

What PHP libraries does this tutorial use?

Show Lines	// ... lines 1 - 8
	services:
	# default configuration for services in this file
	_defaults:
Show Lines	// ... lines 12 - 13
	bind:
Show Lines	// ... line 15
	$formLoginAuthenticator: '@security.authenticator.form_login.main'
Show Lines	// ... lines 17 - 32

Show Lines	// ... lines 1 - 6
	use App\Repository\UserRepository;
Show Lines	// ... line 8
	use Symfony\Component\HttpFoundation\Request;
Show Lines	// ... lines 10 - 13
	use SymfonyCasts\Bundle\VerifyEmail\VerifyEmailHelperInterface;

	class RegistrationController extends AbstractController
	{
Show Lines	// ... lines 18 - 60
	public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository): Response
	{
Show Lines	// ... lines 63 - 80
	}
	}

Show Lines	// ... lines 1 - 15
	class RegistrationController extends AbstractController
	{
Show Lines	// ... lines 18 - 60
	public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository): Response
	{
	$user = $userRepository->find($request->query->get('id'));
	if (!$user) {
	throw $this->createNotFoundException();
	}
Show Lines	// ... lines 67 - 80
	}
	}

	<!DOCTYPE html>
	<html>
Show Lines	// ... lines 3 - 14
	<body
Show Lines	// ... lines 16 - 81
	{% for flash in app.flashes('success') %}
	<div class="alert alert-success">{{ flash }}</div>
	{% endfor %}
	{% for flash in app.flashes('error') %}
	<div class="alert alert-danger">{{ flash }}</div>
	{% endfor %}
Show Lines	// ... lines 88 - 92
	</body>
	</html>

Show Lines	// ... lines 1 - 16
	class RegistrationController extends AbstractController
	{
Show Lines	// ... lines 19 - 61
	public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository, EntityManagerInterface $entityManager): Response
	{
Show Lines	// ... lines 64 - 68
	try {
Show Lines	// ... lines 70 - 78
	}

	$user->setIsVerified(true);
Show Lines	// ... lines 82 - 86
	}
	}

Show Lines	// ... lines 1 - 7
	use Doctrine\ORM\EntityManagerInterface;
Show Lines	// ... lines 9 - 16
	class RegistrationController extends AbstractController
	{
Show Lines	// ... lines 19 - 61
	public function verifyUserEmail(Request $request, VerifyEmailHelperInterface $verifyEmailHelper, UserRepository $userRepository, EntityManagerInterface $entityManager): Response
	{
Show Lines	// ... lines 64 - 86
	}
	}