Chapters
39 Chapters
|
4:45:13
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!Compatible PHP versions: ^7.1.3, <8.0
Subscribe to download the code!Compatible PHP versions: ^7.1.3, <8.0
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
04.
Authentication Errors
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
This tutorial works great for Symfony 5 and API Platform 2.5/2.6.
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": "^7.1.3, <8.0",
"ext-ctype": "*",
"ext-iconv": "*",
"api-platform/core": "^2.1", // v2.4.5
"composer/package-versions-deprecated": "^1.11", // 1.11.99
"doctrine/annotations": "^1.0", // 1.13.2
"doctrine/doctrine-bundle": "^1.6", // 1.11.2
"doctrine/doctrine-migrations-bundle": "^2.0", // v2.0.0
"doctrine/orm": "^2.4.5", // v2.7.2
"nelmio/cors-bundle": "^1.5", // 1.5.6
"nesbot/carbon": "^2.17", // 2.21.3
"phpdocumentor/reflection-docblock": "^3.0 || ^4.0", // 4.3.1
"symfony/asset": "4.3.*", // v4.3.2
"symfony/console": "4.3.*", // v4.3.2
"symfony/dotenv": "4.3.*", // v4.3.2
"symfony/expression-language": "4.3.*", // v4.3.2
"symfony/flex": "^1.1", // v1.21.6
"symfony/framework-bundle": "4.3.*", // v4.3.2
"symfony/http-client": "4.3.*", // v4.3.3
"symfony/monolog-bundle": "^3.4", // v3.4.0
"symfony/security-bundle": "4.3.*", // v4.3.2
"symfony/twig-bundle": "4.3.*", // v4.3.2
"symfony/validator": "4.3.*", // v4.3.2
"symfony/webpack-encore-bundle": "^1.6", // v1.6.2
"symfony/yaml": "4.3.*" // v4.3.2
},
"require-dev": {
"hautelook/alice-bundle": "^2.5", // 2.7.3
"symfony/browser-kit": "4.3.*", // v4.3.3
"symfony/css-selector": "4.3.*", // v4.3.3
"symfony/maker-bundle": "^1.11", // v1.12.0
"symfony/phpunit-bridge": "^4.3", // v4.3.3
"symfony/stopwatch": "4.3.*", // v4.3.2
"symfony/web-profiler-bundle": "4.3.*" // v4.3.2
}
}
23 Comments
I realize this is a bit unrelated to this tutorial, but I'm trying to adapt this login to using LDAP as the back-end and I think I have everything working but I'm getting this error:
No resource class found for object of type "Symfony\Component\Ldap\Security\LdapUser".This is the code causing the error:
'Location' => $iriConverter->getIriFromItem($this->getUser())I'm guessing that I'll have to have the User class extend LdapUser or something?
Hey @Aaron Kincer!
Hmmm. So, on a "high level", the problem is simple-ish ;).
When you call
$iriConverter->getIriFromItem($someObject), API Platform looks at whatever class$someObjectto find its@ApiResourceconfiguration.In your case,
$this->getUser()is returning an instance ofSymfony\Component\Ldap\Security\LdapUser. And so, API Platform looks at that class and tries to find the@ApiResourceannotation, which of course it doesn't have (since it's a core class).What's the solution? It depends on what the expected behavior is that you need. Do you have some different, custom User class that DOES have
@ApiResourceannotations on it? If so, is the user able to log in via some other method to get that user class (like you have 2 ways to authenticate: LDAP, but also some login form that reads from a User entity in the database)?Let me know!
Cheers!
Ahh, I see now. LDAP auth is successful, but the user class that's being set is the LdapUser and not the User class. So the question is how do I intercept the login process and use the User class instead of the LdapUser class. I'll dig around and see what I can find.
Hey @Aaron Kincer!
You got it! If you're using the built-in LDAP support in Symfony... at least in the current version, I'm not sure there's an easy way to "hook in" and replace with your own User... which is unfortunate, because it seems really reasonable. The idea I have is this:
1) Register a custom service for this class - https://github.com/symfony/symfony/blob/5.x/src/Symfony/Component/Ldap/Security/LdapUserProvider.php#L32 - this is normally something you configure indirectly as your user provider - https://symfony.com/doc/current/security/ldap.html#fetching-users-using-the-ldap-user-provider - but in this case, register it as a normal service in services.yaml and do NOT put it in security.yaml under your providers.
2) Create your own custom user provider class & service - https://symfony.com/doc/current/security/user_provider.html#creating-a-custom-user-provider - and inject (normal dependency injection via the constructor) the LdapUserProvider from step (1) into your class. Register THIS new service as your user provider in security.yaml.
For this new user provider service, make it implement both UserProviderInterface, PasswordUpgraderInterface and add all those methods to your class. For all of them, just call the inner LdapUserProvider (this is called "decoration" in object oriented land). So for example, you'll have something like this:
If you do this all correctly... your system will work EXACTLY like it does already :). But now you can hook into the process and and change things. For example, in loadUserByUsername(), you could do something like this:
You'll probably need to do some extra work for the other methods as well, like refreshUser(), which is called at the beginning of each request after being logged in.
Two things about this:
1) This is unnecessarily hard :/. That's a bummer! Let me know if you have any problems.
2) Because loadUserByUsername() is called before the password is checked in Ldap, this means that if someone tries to log in with a valid Ldap user but an invalid password, this will still create a row in your local user table. I actually... don't see a huge problem with that. The user would still not be able to log in.. as their Ldap password will be wrong (as long as you don't also have some other way for users in your database to log in).
Cheers!
Think I figured it out. Forgot I copy and pasted a user class from a DIFFERENT project that didn't have the ApiResource tag and forgot to add it back. Thanks!
As always, PEBKAC.
This is simply taking the code from the course and trying to modify it for LDAP as the back-end auth. Of course I do actually want to store some information about the user locally and update from LDAP as necessary. So one obvious thing I see is to intercept what getUser() is returning and simply pull what I want out of an LdapUser object and put it on an actual User class directly there or in a listener. Maybe there's an easier way.
Is there anything change for json_login in symfony 6? I tried with this tutorial and with official Documentation for symfony 6.
https://symfony.com/doc/current/security.html#json-login
Has anyone a working example with symfony 6?
The failure is that the user never logged in.
Following things, I did try:
php bin/console make:auth-> this work finesymfony serveand with simple xamppMaybe the reason is that I use Postman and a Vue instance created with
npm run serveon port 8080I have no any further idea
Here is access to my Repository
https://gitlab.com/grabasch/api-no-login
I believe I found a workaround. Now use the
php bin/console make:authmethod again, and I edit following authenticate method to:Yesterday as I tried this workaround I did only comment the CsrfTokenBadge and not the complete argument of array
Json_login does not still work, but the workaround is fine for me. Suggestions for improvement gladly accepted. :)
Hey Daniel-G!
Thanks for posting your work-around :). Custom authenticators are always an ok solution. It's a bit more work in the start, but it's also super simple to understand how your code is working.
About
json_login, nothing of significance changed that I'm aware of. The tricky thing, as you noticed, is that when it doesn't work, it's not super obvious why! If you care enough - or for anyone else in the future - to debug this, I would put debugging code into this class: https://github.com/symfony/symfony/blob/6.2/src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php - that's the code behindjson_login. Specifically, I would add debugging code to determine (A) thatsupports()IS being called, (B) thatsupports()is returningtruewhen it should and (C) thatauthenticate()is doing its job and returning thePassport. You could also add debugging code toonAuthenticationSuccess()andonAuthenticationFailure()to make sure those are being called when you expect.Cheers!
Ohhhh nooo, I saw my very stupid mistake. Thanks for your tip to debug my error with JsonLoginAuthenticator Class. :D
I simply used the wrong format. With tool postman, I send a JSON file format in body, but I send as application/text. But there was no error message.
I have a suggestion to help other stupid guys like me in the future. ;-) What can I do? The code is ready in my opinion. But I don't have any experience to suggestion the code in GitHub. I will try now. But maybe you have a tip for me.
UPDATE: I found your video
Organization & Triaging
I think that's should be a good start :)
Hey Daniel!
Woo! Nice job finding the issue! And I saw your PR on GitHub - I'm going to check it more deeply right now. It MAY not be accepted, due to backwards-compatibility concerns, but I think you did a really great job :).
Cheers!
Salut! May I ask a question please? I would be grateful if you can help me!
I am using Symfony for my backend and Angular for the fronend part.
For the authentification, I am using CAS Bundle to login to sso system and everything is going okay! but I can't use the API correctly and I don't know exactly the requested steps for this process.
For now i am using API Platform and NelmioCors bundle. Should I use LexikJWTAuthenticationBundle too? Is there any bundle or steps I should use too?
Hey Lubna!
Hmmm. So you use CAS to log into the SSO system. Do you use Symfony's security system to fully "log in the user" into your Symfony backend (i.e. using normal Symfony security) when you do this? And, is your frontend on the same domain as your backend API?
The easiest way to do this is for your frontend and backend to be on the same domain. If that's true, then you can "login via CAS" and complete the normal Symfony security process so that you are logged in via Symfony. Then... that's it :). Logging into Symfony should cause a session cookie to be set... and then because your frontend and backend are on the same domain, when you make Ajax requests from Angular, they will send the session cookie and the API requests will automatically be authenticated. Very simply.
Let me know if this helps... or if your setup is more complicated.
Cheers!
Hey, everyone.
Is it possible to return an API Platform error response in JSON-LD format in these cases where the route is not managed by API Platform?
Thank you.
Hey André P.
What you could do is to hook into the kernel.exception event of Symfony and look for a 404 error, if it's a 404, then you can return a JsonResponse with the appropriate data.
I leave you the docs reference for more information about events: https://symfony.com/doc/cur...
Cheers!
Hey MolloKhan
What I actually meant was if it was possible to somehow grab the API Platform error responses that already exist instead of creating our own.
Does that make any sense?
What you suggest (I actually already tried it) is to create our own "mimicking" the API Platform one, is that right?
Thank you!
Hey André P. sorry for my late reply, I got my first vaccine dose and it knocked me down for a couple of days. What you mean is to create a custom Error response but make it inherit from inside of ApiPlatform?
there Hi, at 4:30, we add
if (!$this->isGranted('IS_AUTHENTICATED_FULLY'))statement. Is it really a proper way to solve this problem? We try to log in with the wrong request content-type, and then we check if the user is not logged in? How does it work?Hey Gabrielius!
Yea, this is tricky... and confusing - understanding this requires understanding how the whole authentication system works. Here is the flow:
A) We create a json_login system - https://symfonycasts.com/sc... - that will try to authenticate the user whenever the URL is /login. Basically, whenever you go to /login, you will hit this json_login "authentication mechanism" *before* hitting your controller.
B) If authentication fails inside json_login, IT is responsible for sending the user an error. In this case, the controller will never be called.
C) If your code DOES get to the controller, it means that authentication is successful. Well... *almost*. There is one case (at least) where authentication was *not* successful, but instead of returning an error, json_login just "allows the request to continue like normal". The most common case is if you send the data in an invalid format. When that happens, the json_login mechanism basically says "Oh, this must not be a request I'm supposed to try to authenticate" and it allows the request to continue, with no error. So, if the code reaches the controller but the user is *not* authenticated, we can assume that the json_login mechanism decided to not even try to authenticate the user. The main (I think only) reason this would happen is an invalid Content-Type header.
But I agree - when you see the code in the controller, you're like "What the heck?". I hope this helps :).
Cheers!
When sending {"username": "test", "password": "test"} to see what happens I get a weird 500 error, it says undefined index: debug
Actually 4 exceptions:
[1/4] NoSuchPropertyException
`Symfony\Component\PropertyAccess\Exception\NoSuchPropertyException:
Neither the property "email" nor one of the methods "getEmail()", "email()", "isEmail()", "hasEmail()", "__get()" exist and have public access in class "stdClass".
at /var/www/symfony/vendor/symfony/property-access/PropertyAccessor.php:404
<br />[2/4]BadRequestHttpException<br />Symfony\Component\HttpKernel\Exception\BadRequestHttpException:The key "email" must be provided.
at /var/www/symfony/vendor/symfony/security-http/Firewall/UsernamePasswordJsonAuthenticationListener.php:105
<br />[3/4]Error Exception<br />ErrorException:Notice: Undefined index: debug
at /var/www/symfony/vendor/symfony/serializer/Normalizer/ProblemNormalizer.php:44
<br />[4/4]ErrorException<br />ErrorException:Notice: Undefined index: debug
at /var/www/symfony/vendor/symfony/serializer/Normalizer/ProblemNormalizer.php:44`
Yes last two are the same but it is what I see, is it possible to return a 400 Bad Request instead?
Hey gabb!
What does your
json_loginconfig look like insecurity.yaml? I think you might haveusername_pathset toemail. If you do, it means you need to send anemailfield in your JSON - not username :).About the "debug" thing - not sure about this. I checked the code... and it 100% looks like the code should not be failing if the "debug" array key is missing - so I'm super confused about this one - https://github.com/symfony/symfony/blob/ae00ff4cfaa377870289cd3e4adf271d1a747049/src/Symfony/Component/Serializer/Normalizer/ProblemNormalizer.php#L44
Cheers!
Yes I was passing username on purpose to test what error the api would return. I think the code should be:
```$this->debug && isset($context['debug']) && $context['debug']```?
Ah, I see the problem now!
The ?? is exactly supposed to handle missing keys - it's the null coalescing operating:
So, you should NOT get the error. The problem is the "order of operations. This code has a bug - it should be:
I'll make a pull request to fix this :) - https://github.com/symfony/symfony/pull/34903
Cheers!
"Houston: no signs of life"
Start the conversation!