Chapters
37 Chapters
|
3:43:31
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!
Subscribe to download the code!
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": ">=8.2",
"ext-ctype": "*",
"ext-iconv": "*",
"api-platform/core": "^3.0", // v3.1.2
"doctrine/annotations": "^2.0", // 2.0.1
"doctrine/doctrine-bundle": "^2.8", // 2.8.3
"doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
"doctrine/orm": "^2.14", // 2.14.1
"nelmio/cors-bundle": "^2.2", // 2.2.0
"nesbot/carbon": "^2.64", // 2.66.0
"phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
"phpstan/phpdoc-parser": "^1.15", // 1.16.1
"symfony/asset": "6.2.*", // v6.2.5
"symfony/console": "6.2.*", // v6.2.5
"symfony/dotenv": "6.2.*", // v6.2.5
"symfony/expression-language": "6.2.*", // v6.2.5
"symfony/flex": "^2", // v2.2.4
"symfony/framework-bundle": "6.2.*", // v6.2.5
"symfony/property-access": "6.2.*", // v6.2.5
"symfony/property-info": "6.2.*", // v6.2.5
"symfony/runtime": "6.2.*", // v6.2.5
"symfony/security-bundle": "6.2.*", // v6.2.6
"symfony/serializer": "6.2.*", // v6.2.5
"symfony/twig-bundle": "6.2.*", // v6.2.5
"symfony/ux-react": "^2.6", // v2.7.1
"symfony/ux-vue": "^2.7", // v2.7.1
"symfony/validator": "6.2.*", // v6.2.5
"symfony/webpack-encore-bundle": "^1.16", // v1.16.1
"symfony/yaml": "6.2.*" // v6.2.5
},
"require-dev": {
"doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
"mtdowling/jmespath.php": "^2.6", // 2.6.1
"phpunit/phpunit": "^9.5", // 9.6.3
"symfony/browser-kit": "6.2.*", // v6.2.5
"symfony/css-selector": "6.2.*", // v6.2.5
"symfony/debug-bundle": "6.2.*", // v6.2.5
"symfony/maker-bundle": "^1.48", // v1.48.0
"symfony/monolog-bundle": "^3.0", // v3.8.0
"symfony/phpunit-bridge": "^6.2", // v6.2.5
"symfony/stopwatch": "6.2.*", // v6.2.5
"symfony/web-profiler-bundle": "6.2.*", // v6.2.5
"zenstruck/browser": "^1.2", // v1.2.0
"zenstruck/foundry": "^1.26" // v1.28.0
}
}
7 Comments
Is there a way to keep all the security configuration in the 'security.yaml' file for both roles and scopes, and then to access that from the ApiToken entity? I'd prefer to have all the roles (hierarchy) in a single location.
I'm relatively new to Symfony, and found in docs on security it mentions that with the security.yaml file the roles have to be static, but if you wanted to use a database to store roles you could create Voters. Not sure yet if that would work as a way to centralize the hierarchy (static or database). It still seems like the hierarchy is established in two locations: security.yaml and ApiToken.
Hey @JeffJones
security.yamlis the best place to keep your "static" user roles. I'm a bit confused about your question. What do you mean by "access that from the ApiToken entity"Cheers!
Towards the end of the video, Ryan (God bless him) mentions: "We do need to be careful to make sure that if we add more scopes, we add them here too." I was trying to look for a way to add the Scopes to the security.yaml file and in the ApiToken grap them from the security file instead of using local constants. Thus keeping the configuration in a single location.
However... At this point, I think I would rather keep the API access limited to API Tokens (and Token Scopes) and to not allow Session logins. I need to keep the API isolated from the HTML website.
If this is way too complicated, please, no worries. I'm a recent convert from the Yii 2 framework. Trying to convert a major project that has a very complicated RBAC system that was stored in a database. So I'm trying to learn everything I can about Symfony and to know my "options" for the conversion.
Oh, you've got a big task at hand! Usually, API's are stateless, or in other words, session agnostic. All the authorization processes happen through API tokens that are linked to "token scopes". In this case, you're basically duplicating the token scopes to your "user roles", but that duplication is totally fine because you're dealing with two different interfaces (the UI and the API). You may face a use-case where the UI requires a different role or scope than the API.
I hope this is clearer now :) - Welcome to Symfony btw!
I'm gonna go through the Symfony 5 Security track again...
Hey !!!
i didn't get why you want to specify role to a token and not to a user ?
Hello @winaruz
I have pretty simple answer for you. There might be a situation when user can have multiple tokens with different roles. IIRC it's even a part of api specifications.
Cheers!
"Houston: no signs of life"
Start the conversation!