Chapters

47 Chapters | 4:41:51 |

01

composer require security

5:07
02

make:user

5:57
03

Customizing the User Class

3:08
04

Building a Login Form

3:07
05

Firewalls & Authenticators

6:39
06

Authenticator & The Passport

6:24
07

Custom User Query & Credentials

6:04
08

Authentication Success & Refreshing the User

6:33
09

When Authentication Fails

7:19
10

Customize Error Messages & Adding Logout

7:33
11

Giving Users Passwords

5:26
12

Hashing Plain Passwords & PasswordCredentials

4:22
13

Security Listener System & Csrf Protection

6:40
14

Remember Me System

7:07
15

Always Remember Me & "signature_properties"

6:28
16

Denying Access, access_control & Roles

5:22
17

The Entry Point: Inviting Users to Log In

6:45
18

AbstractLoginFormAuthenticator & Redirecting to Previous URL

5:13
19

form_login: The Built-in Authenticator

5:42
20

More form_login Config

3:25
21

Denying Access in a Controller

4:57
22

Dynamic Roles

4:28
23

The Special IS_AUTHENTICATED_ Strings

9:18
24

Fetching the User Object

6:38
25

Custom User Methods & the User in a Service

7:21
26

Role Hierarchy

5:37
27

Impersonation: switch_user

5:27
28

User API & the Serializer

5:37
29

To use API Token Authentication or Not?

4:09
30

Registration Form

5:25
31

Manual Authentication

6:12
32

Making Questions owned by Users

5:13
33

Leveraging the Question Owner

6:09
34

Voters

6:27
35

Custom Voter

6:52
36

Verify Email after Registration

7:57
37

Verifying the Signed Confirm Email URL

7:18
38

Login Throttling & Events

6:11
39

Security Events & Listeners

4:00
40

Creating a Security Event Subscriber

8:47
41

Custom Redirect when "Email Not Verified"

7:16
42

2 Factor Authentication & Authentication Tokens

8:33
43

2fa with TOTP (Time-Based One Time Password)

5:20
44

Activating 2FA

5:34
45

Rendering the QR Code

6:14
46

QR Data & Scanning with an Authenticator App

4:35
47

Customize The 2-Factor Auth Form

5:53

> Symfony 5 > Symfony 5 Security: Authenticators

Buy Access to Course

46.

QR Data & Scanning with an Authenticator App

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Challenge

With a Subscription, click any sentence in the script to jump to that part of the video!

Okay, status check. Any user can now enable two-factor authentication on their account by clicking this link. Behind the scenes, when they do that, we populate the totpSecret on the User object, save that to the database, and then render a QR code the user can scan. This QR code is a fancy image that contains two pieces of information. The first is the email of our user. Or, more precisely, if I scroll down to the "totp methods" in User, it contains whatever we return from getTotpAuthenticationUsername():

            
Copy Code

Show All Lines

                        268 lines
            |
            src/Entity/User.php
        
Show Lines

                                                    // ... lines 1 - 20
                            
            class User implements UserInterface, PasswordAuthenticatedUserInterface, TwoFactorInterface
        
            {
        
Show Lines

                                                    // ... lines 23 - 250
                            
                public function getTotpAuthenticationUsername(): string
        
                {
        
                    return $this->getUserIdentifier();
        
                }
        
Show Lines

                                                    // ... lines 255 - 266
                            
            }

The second thing the QR code image contains is the totpSecret. In a minute, I'm going to scan this code with an authenticator app, which will allow me to generate the correct two-factor authentication code that I'll need to log in. It does that by leveraging that secret.

Adding Extra Info to the QR Code

But first, there is some extra info that we can add to the QR code. Head over to config/packages/scheb_2fa.yaml. Under totp:, one of the most important things that you can add is called an issuer. I'm going to set this to Cauldron Overflow:

            
Copy Code

Show All Lines

                        12 lines
            |
            config/packages/scheb_2fa.yaml
        
            # See the configuration reference at https://github.com/scheb/2fa/blob/master/doc/configuration.md
        
            scheb_two_factor:
        
Show Lines

                                                    // ... lines 3 - 8
                            
                totp:
        
Show Lines

                                                    // ... line 10
                            
                    issuer: 'Cauldron Overflow'

That literally just added new information to the QR code image. Watch the image when we refresh. See that? It changed!

Thanks to this, in addition to the email and totpSecret, the code now contains an "issuer" key. If you want to learn about all the extra information that you can put here, check out the documentation or read about totp authentication in general. Because, for example, "issuer" is just a "totp concept"... that helps authenticator apps generate a label for our site when we scan this code.

Scanning with our Authenticator App

At this point, I want to pretend that we're a real user and test the entire flow. If we were a real user we would pull out our phone, open an authenticator app - like Google authenticator or Authy - and scan this code.

I like using Authy, here's what it looks like for me. I add a new account, scan and... got it! It reads my email and the "issuer" from the QR code and suggests a name and logo. If your company is well-known, it might actually guess the correct logo, but you can also add an image to your QR code in the same way that we added the “issuer”. When I accept this, it gives me codes!

Logging in

So we are ready! Let's try it! Log out... and then log back in with abraca_admin@example.com, password tada. Submit and... sweet! Instead of actually being logged in, we're redirected to the two-factor authentication page! This happened for two reasons. First, the user has two-factor authentication enabled on their account. Specifically, this isTotpAuthenticationEnabled() method returned true. Second, the security "token" - that internal thing that wraps your User object when you log in - well, it matches one of the tokens in our configuration. Specifically, we get the UsernamePasswordToken when we log in via the form_login mechanism.

If we try going anywhere else on the site, it kicks us right back here. The only place we can go to is /logout if we wanted to cancel the process. This is because the two-factor bundle will now deny access to any page on our site unless you've explicitly allowed it via the access_control rules, like we did for /logout and for the URL showing this form. This form is ugly, but we'll fix that soon.

Ok, back to pretending I'm a real user. I'll open up my authenticator app, type in a valid code: 5, 3, 9, 9, 2, 2 and... got it! We're logged in! So cool!

Next, let's customize that two-factor authentication form... because it was ugly.

2 Comments

Sort By

Soufiyane 1 year ago

when i try to log in, they don't take me to the page where i need to insert the code from QR-Code, please help

| Reply |

weaverryan SFCASTS Soufiyane 1 year ago

Hey @Soufiyane!

Hmmm. Ok, so once you've got the bundle installed and configured, when you log in, the bundle calls the ->isTotpAuthenticationEnabled() method on your User object. If this returns true, it should redirect to the QR code page. If it returns false, it will not do that. So that's the first place to look: triple-check that this method IS returning true for your user. If it is, let me know, and we can debug further - it would likely be some sort of missing configuration related to the bundle :).

Cheers!

1 | Reply |

This tutorial also works great for Symfony 6!

symfony 5.3

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "babdev/pagerfanta-bundle": "^3.3", // v3.3.0
        "composer/package-versions-deprecated": "^1.11", // 1.11.99.4
        "doctrine/annotations": "^1.0", // 1.13.2
        "doctrine/doctrine-bundle": "^2.1", // 2.6.3
        "doctrine/doctrine-migrations-bundle": "^3.0", // 3.1.1
        "doctrine/orm": "^2.7", // 2.10.1
        "knplabs/knp-markdown-bundle": "^1.8", // 1.9.0
        "knplabs/knp-time-bundle": "^1.11", // v1.16.1
        "pagerfanta/doctrine-orm-adapter": "^3.3", // v3.3.0
        "pagerfanta/twig": "^3.3", // v3.3.0
        "phpdocumentor/reflection-docblock": "^5.2", // 5.2.2
        "scheb/2fa-bundle": "^5.12", // v5.12.1
        "scheb/2fa-qr-code": "^5.12", // v5.12.1
        "scheb/2fa-totp": "^5.12", // v5.12.1
        "sensio/framework-extra-bundle": "^6.0", // v6.2.0
        "stof/doctrine-extensions-bundle": "^1.4", // v1.6.0
        "symfony/asset": "5.3.*", // v5.3.4
        "symfony/console": "5.3.*", // v5.3.7
        "symfony/dotenv": "5.3.*", // v5.3.8
        "symfony/flex": "^1.3.1", // v1.21.6
        "symfony/form": "5.3.*", // v5.3.8
        "symfony/framework-bundle": "5.3.*", // v5.3.8
        "symfony/monolog-bundle": "^3.0", // v3.7.0
        "symfony/property-access": "5.3.*", // v5.3.8
        "symfony/property-info": "5.3.*", // v5.3.8
        "symfony/rate-limiter": "5.3.*", // v5.3.4
        "symfony/runtime": "5.3.*", // v5.3.4
        "symfony/security-bundle": "5.3.*", // v5.3.8
        "symfony/serializer": "5.3.*", // v5.3.8
        "symfony/stopwatch": "5.3.*", // v5.3.4
        "symfony/twig-bundle": "5.3.*", // v5.3.4
        "symfony/ux-chartjs": "^1.3", // v1.3.0
        "symfony/validator": "5.3.*", // v5.3.8
        "symfony/webpack-encore-bundle": "^1.7", // v1.12.0
        "symfony/yaml": "5.3.*", // v5.3.6
        "symfonycasts/verify-email-bundle": "^1.5", // v1.5.0
        "twig/extra-bundle": "^2.12|^3.0", // v3.3.3
        "twig/string-extra": "^3.3", // v3.3.3
        "twig/twig": "^2.12|^3.0" // v3.3.3
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.3", // 3.4.0
        "symfony/debug-bundle": "5.3.*", // v5.3.4
        "symfony/maker-bundle": "^1.15", // v1.34.0
        "symfony/var-dumper": "5.3.*", // v5.3.8
        "symfony/web-profiler-bundle": "5.3.*", // v5.3.8
        "zenstruck/foundry": "^1.1" // v1.13.3
    }
}