Registering the Authenticator (Part 2)

Woohoo! Nice work Tech Nomad!

Yes, the supports() method is the FIRST method that Symfony calls at the beginning of each request. If it returns false (which is what was happening before), then no other methods are called on your authenticator and your request continues anonymously. But then, if that same anonymous request tries to access page that requires login, Symfony "kicks" them out. Specifically, it alls the *start()* method on your authentication, which is where we tell the user that they need to send authentication information.

Anyways, nice work - and I hope it makes a bit more sense now!

Cheers!

I've solved it! 🎉🎉🎉🎉🎉🎉
I had to add this line of code inside my supports() method in JwtAuthenticator!

     public function supports( Request $request ) {
	  return $request->headers->has( 'Authorization' ) && 0 === strpos( $request->headers->get( 'Authorization' ), 'Bearer ' );
     }

Found it in the final code of the new Security Tutorial inside the ApiTokenAuthenticator.php file.

Hey Ryan,
I can't authenticate via the custom jwt_(token_)authenticator :(
I get the Jwt(Token)Authenticator->start() method processed with returning a custom error message like this:

{
    "error": "auth required",
    "request": {
        "attributes": {},
        "request": {},
        "query": {},
        "server": {},
        "files": {},
        "cookies": {},
        "headers": {}
    },
    "$authException->getToken": null,
    "$authException->getMessageKey": "Authentication credentials could not be found.",
    "$authException->getMessageData": []
}

Would be great if you could help me out. I have spend yesterday whole day on this issue :(

Awesome! so the security check works properly by not allowing you to authenticate if the given user is disabled. Nice job man!

Hey Ryan,

1) This is my getUser():

public function getUser($credentials, UserProviderInterface $userProvider)
{
try {
$data = $this->jwtEncoder->decode($credentials);
} catch (JWTDecodeFailureException $e) {
throw new CustomUserMessageAuthenticationException('Invalid Token');
}

$username = $data['username'];

// For debug only
$userObj = $this->em
->getRepository('AppBundle\Entity\User\User')
->findOneBy(['username' => $username]);

var_dump($userObj);die;
// End debug

return $this->em
->getRepository('AppBundle\Entity\User\User')
->findOneBy(['username' => $username]);
}

This is the User Object that I get from the var_dump().
object(AppBundle\Entity\User\User)#1141 (14) {
["id":protected]=>
int(1)
["username":protected]=>
string(11) "tim@foo.com"
["usernameCanonical":protected]=>
string(11) "tim@foo.com"
["email":protected]=>
string(11) "tim@foo.com"
["emailCanonical":protected]=>
string(11) "tim@foo.com"
["enabled":protected]=>
bool(false)
["salt":protected]=>
NULL
["password":protected]=>
string(88) "R44WYsdJmxHRz88jnfOEmDVUjXjHDcV8Ub1g6sivkRqiX7MEHkB6u2DKWJgRmZ/RGnISWg7TFkucx/VnpaeCVw=="
["plainPassword":protected]=>
NULL
["lastLogin":protected]=>
NULL
["confirmationToken":protected]=>
NULL
["passwordRequestedAt":protected]=>
NULL
["groups":protected]=>
NULL
["roles":protected]=>
array(0) {
}
}

2) This is the solution! When I dump the credentials I get:

PHPUnit 6.5.11 by Sebastian Bergmann and contributors.

Host: localhost:8000
Date: Mon, 20 Aug 2018 15:04:04 +0000, Mon, 20 Aug 2018 15:04:04 GMT
Connection: close
X-Powered-By: PHP/7.1.16
Cache-Control: no-cache, private
Content-Type: application/problem+json
{
"detail": "Account is disabled.",
"status": 401,
"type": "about:blank",
"title": "Unauthorized"
}
F 1 / 1 (100%)

Time: 1.23 seconds, Memory: 24.00MB

There was 1 failure:

1) AppBundle\Test\Controller\API\JobOfferControllerTest::testPOSTJobOfferWorks
Failed asserting that 401 matches expected 201.

That clearly tells me the User is disabled!!!

So Now I've updated my createUser class with:
$user->setEnabled(true);

And everything works Fine now.

Thank you very much!

Hey Tim van der Zouwen!

Hmm... this IS strange! So, a few questions:

1) Once you get your User object, you ARE returning this from getUser() correct? Could you post the important parts of your authenticator?

2) Are you 100% sure that checkCredentials() is *never* called?

I'm asking these simple questions because the situation just doesn't make sense yet :). As you probably know, if you return a UserInterface object from getUser(), then checkCredentials() is ALWAYS called. Here's the core code that handles that: https://github.com/symfony/...

The ONLY thing that is checked between these two methods is the $this->userChecker->checkPreAuth($user);. Here is the core UserChecker - https://github.com/symfony/... - it IS possible that this is causing some sort of failure - I would double check.

Let me know what you find out!

Cheers!

Hello,

I'm trying to use this in my project. But I will always get stuck in the start() function.
- symfony/symfony: v3.4.1
- lexik/jwt-authentication-bundle: v2.5.4

When I debug my JwtTokenAuthenticator.php I get the following:

01] getCredentials(){
   ...
   var_dump($token);die;
}

I get a token.

So when I debug:

02] getUser(){
  ...
  var_dump($data);var_dump(date('d-M-Y H:i:s',$data['exp']));var_dump(date('d-M-Y H:i:s')); die;
}

Gives me:

array(3) {
  ["iat"]=>
  int(1534753991)
  ["exp"]=>
  int(1534757591)
  ["username"]=>
  string(11) "tim@foo.com"
}
string(20) "20-Aug-2018 09:33:11"
string(20) "20-Aug-2018 08:33:11"

The ->findOneBy(['username' => $username]); also gives me a valid $user object.

03] I expect to go to:

    public function checkCredentials($credentials, UserInterface $user)
    {
        return true;
    }

But instead I end up in:

 public function start(Request $request, AuthenticationException $authException = null)
    {
        return new JsonResponse([
            'error' => 'auth requirerd'
        ],402);
    }

Can somebody explain to me why what is going wrong.

You nailed it! Well also, because when you refresh the page, that bar at the bottom is final, "static" information about the request that just finished. Even if you DID login via another tab using a traditional session-based approach, the bar on the original page would still just sit there and say "Anonymous". The only magic-updating part of the bar is the cool part that shows the AJAX requests :).

Happy to help! Cheers!

Aaah yes, I can see in the profile bar that each ajax request is authenticated, but the user remains unauthenticated in the bar. I presume this is because the state is stored in the client side when you setup a web app as an api, as opposed to a traditional web app where the authenticated user is stored is a server session variable.

Thanks for your help :)

Hey Shaun!

Hmm. MAYBE :). When you load the site in your browser, you're probably not (somehow) sending the JWT token, right? So it makes sense that you would not be authenticated? Or are you doing something interesting for this :).

If you use your JWT to make a few authenticated API requests to your system, you should then be able to go to /_profiler to see a list of those requests. If you click the link next to one of them, you'll enter into the profiler for that page. Then, click on the Security tab on the left to see if you are authenticated on that request. You *should* be there.

Cheers!

Hi guys,

I've implemented JWT Authenticator with Guard in my app just like the one in this tutorial, however the Symfony Debug bar shows the user as unauthenticated, is this expected behaviour?

Hey einue!

Sorry for the late reply - for some reason Disqus put your comment in Spam :(.

Check out this issue: https://stackoverflow.com/q... - it is likely your problem!

Cheers!

Hey einue ,

I believe you can get access to all those headers via Symfony Request object, i.e:

dump($request->headers->all());

I mean, you can avoid apache_request_headers() function call and that extra check with function_exists(). Isn't that data set? I thought it should be parsed with Symfony Request.

Cheers!

It seems like the authorization header is saved in the apache_request_headers.

If I add this Code

if (!$request->headers->has('Authorization') && function_exists('apache_request_headers')) {
    $all = apache_request_headers();
    if (isset($all['Authorization'])) {
        $request->headers->set('Authorization', $all['Authorization']);
    }
}

at the beginning of getCredentials, it works with the authorization key. But that's in fact not a really nice solution... Now i implement an eventListener to fix that.

Hi Victor Bocharsky , thanks for the fast repsonse. I followed the video tutorial. I also changed the status code in the newAction. Then i get the error: Failed asserting that 200 matches expected 201.

If I change the 'Authorization' key in getCredentials to 'Test' and also in the testPOSTProgrammerWorks-Method. It works fine.
It seems like the Authorization-Header doesn't work. I use a vagrant box with apache.

Hey einue ,

The code in start/ and finish/ is different for this course. Also, status code should be 201 (not 200) as we have in "symfony-rest4/finish/src/AppBundle/Controller/ApiProgrammerController" file -> "newAction()" method -> and see 201 status code on line 45: "$response = $this->createApiResponse($programmer, 201);".

Do you watch videos or are you following this tutorial by course scripts and code blocks only? Because, right in this video I see we return 201 in newAction().

I'd be glad to help you to figure out this problem.

Cheers!

Hy, can you update the finish folder in the download project?
I think the TokenControllerTest is missing and the ProgrammerControllerTest is not up to date.

I followed your tutorial and I still get the 200 instead of the 201 status code for testPOSTProgrammerWorks.
I put an echo json_encode($request); in the getCredentials Function. And by running the test, i got an empty request:
{"attributes":{},"request":{},"query":{},"server":{},"files":{},"cookies":{},"headers":{}}

I don't know, whats going wrong?

Hey @Greg!

haha, it's ok to ask, someone else might find it useful :)
and yes, if you have two different ways of accessing to your app (web, API), it's recommended to configure two firewalls

Cheers!

Hi,

It's me again ;)

I have a little question about guard if I want to use guard for the api and for the web.

I suppose I need 2 classes one for the web and one for the API but in security.yml, do I just declare the 2 services under the authenticators key ?

Thanks again for all.

Edit: One more time I really should to watch all the videos before I open my mouth ;)
2 firewalls are the solution.
isn't it?

Cheers!

Yes! Code would be very helpful :). In general, the 401 happens when you try to access a secured endpoint, and there is NO authentication information on the request. Have you added code to your start() method yet? If so, if you modify the response in that method (e.g. change it to a 402), does that change your response to a 402 or is it still a 401? Typically, the start() method is responsible for returning the 401, but I want to be sure.

To debug, I would look hard at your getCredentials() method. My guess is that this method is returning null, even when there is a JWT in the request. If I'm correct, then because you are returning null, the authenticator is being skipped, and so you ultimately receive the 401.

Cheers!

Hey Rajesh Patel

Could you show us your code? So we can help you debugging

Cheers!

i have done all the code according to tutorial but its always return 401 Unauthorized.I am sending authorization header with JWT tokens but its not working can anyone help me please?

Hey Ayham Hasan!

In that case you could inject the "TokenStorage" into your Subscriber class (By using dependency injection), and then, retrieve the User from it. Actually you would be "almost" duplicating all the logic that Symfony's BaseController does

This is the right namespace of the TokenStorage:
Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;

// in somewhere from your subscriber class

$user = $this->tokenStorage->getToken();
        
if (!is_object($user = $token->getUser())) {
    // user is not logged in        
}

Cheers!

Hi, I have one question, I would like to call $this->getUser() not in Controller like in LocaleSubscriber class, how could I do that??

Hey Zuhayer,

When you have more than one service which extends the same class - you need to stop using "autowire: true" and set your dependencies manually. It's a normal behavior - system just can't determine by itself what service to inject. So you have to take this work on yourself. It's rare, but sometimes it happens like in your example with SonataAdminBundle.

Cheers!

When I configure autowire i get an error

jwt_token_authenticator:
class: AppBundle\Security\JwtTokenAuthenticator
autowire: true
Unable to autowire argument of type "Doctrine\ORM\EntityManager" for the service "jwt_token_authenticator". Multiple services exist for this class (doctrine.orm.default_entity_manager, sonata.admin.entity_manager).

How to resolve this error, or is this normal behavior when using SonataAdminBundle?
------------
Currently I am manually configuring and it works:

arguments: ['@lexik_jwt_authentication.encoder', '@doctrine.orm.entity_manager', '@api.response_factory']

Hey Rakib,

It's weird. Could you please show your current content of security.yml file? At least security.firewalls section. You could show it in comment here or better use GitHub Gist for that.

Cheers!

[Symfony\Component\Config\Definition\Exception\InvalidConfigurationException]
Unrecognized option "guard" under "security.firewalls.main"
why Unrecognized ? cant move forward :-(
did as you said . help pls