Chapters

47 Chapters | 4:41:51 |

01

composer require security

5:07
02

make:user

5:57
03

Customizing the User Class

3:08
04

Building a Login Form

3:07
05

Firewalls & Authenticators

6:39
06

Authenticator & The Passport

6:24
07

Custom User Query & Credentials

6:04
08

Authentication Success & Refreshing the User

6:33
09

When Authentication Fails

7:19
10

Customize Error Messages & Adding Logout

7:33
11

Giving Users Passwords

5:26
12

Hashing Plain Passwords & PasswordCredentials

4:22
13

Security Listener System & Csrf Protection

6:40
14

Remember Me System

7:07
15

Always Remember Me & "signature_properties"

6:28
16

Denying Access, access_control & Roles

5:22
17

The Entry Point: Inviting Users to Log In

6:45
18

AbstractLoginFormAuthenticator & Redirecting to Previous URL

5:13
19

form_login: The Built-in Authenticator

5:42
20

More form_login Config

3:25
21

Denying Access in a Controller

4:57
22

Dynamic Roles

4:28
23

The Special IS_AUTHENTICATED_ Strings

9:18
24

Fetching the User Object

6:38
25

Custom User Methods & the User in a Service

7:21
26

Role Hierarchy

5:37
27

Impersonation: switch_user

5:27
28

User API & the Serializer

5:37
29

To use API Token Authentication or Not?

4:09
30

Registration Form

5:25
31

Manual Authentication

6:12
32

Making Questions owned by Users

5:13
33

Leveraging the Question Owner

6:09
34

Voters

6:27
35

Custom Voter

6:52
36

Verify Email after Registration

7:57
37

Verifying the Signed Confirm Email URL

7:18
38

Login Throttling & Events

6:11
39

Security Events & Listeners

4:00
40

Creating a Security Event Subscriber

8:47
41

Custom Redirect when "Email Not Verified"

7:16
42

2 Factor Authentication & Authentication Tokens

8:33
43

2fa with TOTP (Time-Based One Time Password)

5:20
44

Activating 2FA

5:34
45

Rendering the QR Code

6:14
46

QR Data & Scanning with an Authenticator App

4:35
47

Customize The 2-Factor Auth Form

5:53

> Symfony 5 > Symfony 5 Security: Authenticators

Buy Access to Course

20.

More form_login Config

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Using form_login isn't as flexible as a custom authenticator class... though a lot of stuff can be configured.

For example, right now, it's not checking our CSRF token. Enable that by saying enable_csrf: true:

            Copy Code

                            Show All Lines

                        54 lines
            |
            config/packages/security.yaml
        
            security:
        
                Show Lines

                                                    // ... lines 2 - 16
                            
                firewalls:
        
                Show Lines

                                                    // ... lines 18 - 20
                            
                    main:
        
                Show Lines

                                                    // ... lines 22 - 24
                            
                        form_login:
        
                Show Lines

                                                    // ... lines 26 - 29
                            
                            enable_csrf: true
        
                Show Lines

                                                    // ... lines 31 - 54

That's it! Over in the options, when you enable CSRF protection, it looks for a hidden field called _csrf_token with the string authenticate used to generate it. Fortunately, in our template, we're already using both of those things... so this is just going to work.

Seeing the Full List of Options

And there are even more ways we can configure this. Remember: to get this config, I ran debug:config security... which shows your current configuration, including defaults. But not all options are shown here. To see a full list, run config:dump security.

symfony console config:dump security

Instead of showing your actual config, this shows a huge list of example config. This is a much bigger list... here's form_login. A lot of this we saw before... but success_handler and failure_handler are both new. You can search the docs for these to learn how to control what happens after success or failure.

But also, later, we're going to learn about a more global way of hooking into the success or failure process by registering an event listener.

Anyways, we're not using our LoginFormAuthenticator anymore, so feel free to delete it.

And... I have good news! The core authenticator is doing one thing that our class never did! Up in authenticate()... this calls getCredentials() to read the POST data. Let me search for "session"... yup! This took me into getCredentials(). Anyways, after grabbing the submitted email - in this code that's stored as $credentials['username'] - it saves that value into the session.

It's doing that so that if authentication fails, we can read that and pre-fill the email box on the login form.

Let's do it! Go to our controller: src/Controller/SecurityController.php. This AuthenticationUtils has one other useful method. Pass a new variable to the template called last_username - you can call it last_email if you'd like - set to $authenticationUtils->getLastUsername():

            Copy Code

                            Show All Lines

                        31 lines
            |
            src/Controller/SecurityController.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class SecurityController extends AbstractController
        
            {
        
                Show Lines

                                                    // ... lines 12 - 14
                            
                public function login(AuthenticationUtils $authenticationUtils): Response
        
                {
        
                    return $this->render('security/login.html.twig', [
        
                Show Lines

                                                    // ... line 18
                            
                        'last_username' => $authenticationUtils->getLastUsername(),
        
                    ]);
        
                }
        
                Show Lines

                                                    // ... lines 22 - 29
                            
            }

Once again, this is just a helper to read a specific key off of the session.

Now, in the template - login.html.twig - up here on the email field, add value="{{ last_username }} ":

            Copy Code

                            Show All Lines

                        39 lines
            |
            templates/security/login.html.twig
        
                Show Lines

                                                    // ... lines 1 - 4
                            
            {% block body %}
        
            <div class="container">
        
                <div class="row">
        
                    <div class="login-form bg-light mt-4 p-4">
        
                        <form method="post" class="row g-3">
        
                Show Lines

                                                    // ... lines 10 - 15
                            
                            <div class="col-12">
        
                Show Lines

                                                    // ... line 17
                            
                                <input type="email" name="email" id="inputEmail" class="form-control" value="{{ last_username }}" required autofocus>
        
                            </div>
        
                Show Lines

                                                    // ... lines 20 - 33
                            
                        </form>
        
                    </div>
        
                </div>
        
            </div>
        
            {% endblock %}

Cool! If we go to /login... it's already there from filling out the form a minute ago! If we enter a different email... yes! That sticks too.

Next: let's get back to authorization by learning how to deny access in a controller... in a number of different ways.

6 Comments

Sort By

Francois 11 months ago edited

I do not get the pre-filled email input once I have logged out. Is this normal? Is it because the session data has been erased at logout?

| Reply |

Victor SFCASTS Francois 11 months ago

Hey Francois,

You can totally ignore that value={{ last_username }} of course if it's not something you need. But the idea behind this thing is to keep the last username user entered - useful when they have misprint their credentials, e.g. password so they don't need to retype the username again and try a different password. That's a common practice on may websites over the internet, but that's totally up to you. Of course when you log out going to the /logout URL - the session will be destroyed and you will not see that last_username anymore.

Cheers!

| Reply |

Soufiyane 2 years ago edited

how can we implement this if we kept using the old loginFormAuthonticator on the onAuthenticationFailure method?

| Reply |

weaverryan SFCASTS Soufiyane 2 years ago

Hey @Soufiyane!

Are you referring to how to print the "last username" thing? If so, the 2 steps are:

1) In your custom authenticator, in authenticate(), after reading the email, call:

$request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);

2) In your controller, read that value in the same way as see in this chapter :).

Let me know if that helps!

Cheers!

| Reply |

Lechu85 3 years ago edited

Hi. I stayed with the custom login in my project. Can you show me how to add $authenticationUtils-> getLastUsername(), in this case? In case without form_login: it didn't work :)

| Reply |

MolloKhan SFCASTS Lechu85 3 years ago edited

Hey Leszek,

You only need to inject the service Symfony\Component\Security\Http\Authentication\AuthenticationUtils into your Controller's method, or in case you need it in your authenticator, you can add another argument constructor and inject it there

Cheers!

1 | Reply |

This tutorial also works great for Symfony 6!

symfony 5.3

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "babdev/pagerfanta-bundle": "^3.3", // v3.3.0
        "composer/package-versions-deprecated": "^1.11", // 1.11.99.4
        "doctrine/annotations": "^1.0", // 1.13.2
        "doctrine/doctrine-bundle": "^2.1", // 2.6.3
        "doctrine/doctrine-migrations-bundle": "^3.0", // 3.1.1
        "doctrine/orm": "^2.7", // 2.10.1
        "knplabs/knp-markdown-bundle": "^1.8", // 1.9.0
        "knplabs/knp-time-bundle": "^1.11", // v1.16.1
        "pagerfanta/doctrine-orm-adapter": "^3.3", // v3.3.0
        "pagerfanta/twig": "^3.3", // v3.3.0
        "phpdocumentor/reflection-docblock": "^5.2", // 5.2.2
        "scheb/2fa-bundle": "^5.12", // v5.12.1
        "scheb/2fa-qr-code": "^5.12", // v5.12.1
        "scheb/2fa-totp": "^5.12", // v5.12.1
        "sensio/framework-extra-bundle": "^6.0", // v6.2.0
        "stof/doctrine-extensions-bundle": "^1.4", // v1.6.0
        "symfony/asset": "5.3.*", // v5.3.4
        "symfony/console": "5.3.*", // v5.3.7
        "symfony/dotenv": "5.3.*", // v5.3.8
        "symfony/flex": "^1.3.1", // v1.21.6
        "symfony/form": "5.3.*", // v5.3.8
        "symfony/framework-bundle": "5.3.*", // v5.3.8
        "symfony/monolog-bundle": "^3.0", // v3.7.0
        "symfony/property-access": "5.3.*", // v5.3.8
        "symfony/property-info": "5.3.*", // v5.3.8
        "symfony/rate-limiter": "5.3.*", // v5.3.4
        "symfony/runtime": "5.3.*", // v5.3.4
        "symfony/security-bundle": "5.3.*", // v5.3.8
        "symfony/serializer": "5.3.*", // v5.3.8
        "symfony/stopwatch": "5.3.*", // v5.3.4
        "symfony/twig-bundle": "5.3.*", // v5.3.4
        "symfony/ux-chartjs": "^1.3", // v1.3.0
        "symfony/validator": "5.3.*", // v5.3.8
        "symfony/webpack-encore-bundle": "^1.7", // v1.12.0
        "symfony/yaml": "5.3.*", // v5.3.6
        "symfonycasts/verify-email-bundle": "^1.5", // v1.5.0
        "twig/extra-bundle": "^2.12|^3.0", // v3.3.3
        "twig/string-extra": "^3.3", // v3.3.3
        "twig/twig": "^2.12|^3.0" // v3.3.3
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.3", // 3.4.0
        "symfony/debug-bundle": "5.3.*", // v5.3.4
        "symfony/maker-bundle": "^1.15", // v1.34.0
        "symfony/var-dumper": "5.3.*", // v5.3.8
        "symfony/web-profiler-bundle": "5.3.*", // v5.3.8
        "zenstruck/foundry": "^1.1" // v1.13.3
    }
}

Previous Chapter

Next Chapter

More form_login Config

Share this awesome video!

Keep on Learning!

Seeing the Full List of Options

6 Comments

Delete comment?

What PHP libraries does this tutorial use?

	security:
Show Lines	// ... lines 2 - 16
	firewalls:
Show Lines	// ... lines 18 - 20
	main:
Show Lines	// ... lines 22 - 24
	form_login:
Show Lines	// ... lines 26 - 29
	enable_csrf: true
Show Lines	// ... lines 31 - 54

Show Lines	// ... lines 1 - 9
	class SecurityController extends AbstractController
	{
Show Lines	// ... lines 12 - 14
	public function login(AuthenticationUtils $authenticationUtils): Response
	{
	return $this->render('security/login.html.twig', [
Show Lines	// ... line 18
	'last_username' => $authenticationUtils->getLastUsername(),
	]);
	}
Show Lines	// ... lines 22 - 29
	}

Show Lines	// ... lines 1 - 4
	{% block body %}
	<div class="container">
	<div class="row">
	<div class="login-form bg-light mt-4 p-4">
	<form method="post" class="row g-3">
Show Lines	// ... lines 10 - 15
	<div class="col-12">
Show Lines	// ... line 17
	<input type="email" name="email" id="inputEmail" class="form-control" value="{{ last_username }}" required autofocus>
	</div>
Show Lines	// ... lines 20 - 33
	</form>
	</div>
	</div>
	</div>
	{% endblock %}

More form_login Config

Keep on Learning!

Seeing the Full List of Options

Rendering "last_username" On the Login Form

6 Comments

What PHP libraries does this tutorial use?