If you liked what you've learned so far, dive in!
Subscribe to get access to this tutorial plus
video, code and script downloads.
With a Subscription, click any sentence in the script to jump to that part of the video!
Login SubscribeSymfony's security system comes packed with a lot of cool stuff, like remember me, impersonation and voters. Heck, it even has built in support for a "login link" authenticator - also known as "magic login links". That's where you email a link to your user and they click that to log in.
One other really cool feature is login throttling: a way to prevent someone from a single IP address from testing passwords over and over again on your site... by trying to log in over and over and over again. And it's super easy to use.
Under your firewall, enable it with login_throttling: true
:
security: | |
... lines 2 - 20 | |
firewalls: | |
... lines 22 - 24 | |
main: | |
... lines 26 - 28 | |
login_throttling: true | |
... lines 30 - 62 |
If you stopped right there... and refreshed any page, you're going to get an error:
Login throttling requires the Rate Limiter component.
And then a helpful command to install it! Nice! Copy that, spin over to your terminal and run:
composer require symfony/rate-limiter
This package also installs a package called symfony/lock
, which has a recipe. Run:
git status
to see what it did. Interesting. It created a new config/packages/lock.yaml
, and also modified our .env
file.
To keep track of the login attempts, the throttling system needs to store that data somewhere. It uses the symfony/lock
component to do that. Inside of our .env
file, at the bottom, there's a new LOCK_DSN
environment variable which is set to semaphore
:
... lines 1 - 28 | |
###> symfony/lock ### | |
# Choose one of the stores below | |
# postgresql+advisory://db_user:db_password@localhost/db_name | |
LOCK_DSN=semaphore | |
### |
A semaphore... is basically a super easy way to store this data if you only have a single server. If you need something more advanced, check out the symfony/lock
documentation: it shows all the different storage options with their pros and cons. But this will work great for us.
So, step 1 was to add the login_throttling
config. Step 2 was to install the Rate Limiter component. And step 3 is... to enjoy the feature! Yea, we're done!
Refresh. No more error. By default, this will only allow 5 consecutive log in attempts for the same email and IP address per minute. Let's try it. One, two, three, four, five and... the sixth one is rejected! It locks us out for 1 minute. Both the max attempts and interval can be configured. Actually, we can see that.
At your terminal, run:
symfony console debug:config security
And... look for login_throttling
. There it is. Yup, this max_attempts
defaults to 5 and interval
to 1 minute. Oh, and by the way, this will also block the same IP address from making 5 times the max_attempts
for any email. In other words, if the same IP address quickly tried 25 different emails, it would still block them. And if you want an awesome first line of defense, I would also highly recommend using something like Cloudflare, which can block bad users even before they hit your server... or enable defenses if your site is attacked from many IP addresses.
So... I think this feature is pretty cool. But the most interesting thing for us about it is how it works behind-the-scenes. It works via Symfony's listener system. After we log in, whether successfully or unsuccessfully, a number of events are dispatched throughout that process. We can hook into those events to do all sorts of cool things.
For example, the class that holds the login throttling logic is called LoginThrottlingListener
. Let's... open it up! Hit Shift
+Shift
and open LoginThrottlingListener.php
.
Awesome. The details inside of this aren't too important. You can see it's using something called a rate limiter... which does the checking of if the limit has been hit. Ultimately, if the limit has been hit, it throws this exception, which causes the message that we saw. For those of you watching closely, that exception extends AuthenticationException
... and remember, you can throw an AuthenticationException
at any point in the authentication process to make it fail.
Anyways, this method is listening to an event called CheckPassportEvent
. This is dispatched after the authenticate()
method is called from any authenticator. At this point, authentication isn't successful yet... and the job of most listeners to CheckPassportEvent
is to do some extra checking and fail authentication if something went wrong.
This class also listens to another event called LoginSuccessEvent
... which... well, it's kind of obvious: this is dispatched after any successful authentication. This resets the rate limiter on success.
So this is really cool, and it's our first vision into how the event system works. Next, let's go deeper by discovering that almost every part of authentication is done by a listener. Then, we'll create our own.
// composer.json
{
"require": {
"php": "^7.4.1 || ^8.0.0",
"ext-ctype": "*",
"ext-iconv": "*",
"babdev/pagerfanta-bundle": "^3.3", // v3.3.0
"composer/package-versions-deprecated": "^1.11", // 1.11.99.4
"doctrine/annotations": "^1.0", // 1.13.2
"doctrine/doctrine-bundle": "^2.1", // 2.6.3
"doctrine/doctrine-migrations-bundle": "^3.0", // 3.1.1
"doctrine/orm": "^2.7", // 2.10.1
"knplabs/knp-markdown-bundle": "^1.8", // 1.9.0
"knplabs/knp-time-bundle": "^1.11", // v1.16.1
"pagerfanta/doctrine-orm-adapter": "^3.3", // v3.3.0
"pagerfanta/twig": "^3.3", // v3.3.0
"phpdocumentor/reflection-docblock": "^5.2", // 5.2.2
"scheb/2fa-bundle": "^5.12", // v5.12.1
"scheb/2fa-qr-code": "^5.12", // v5.12.1
"scheb/2fa-totp": "^5.12", // v5.12.1
"sensio/framework-extra-bundle": "^6.0", // v6.2.0
"stof/doctrine-extensions-bundle": "^1.4", // v1.6.0
"symfony/asset": "5.3.*", // v5.3.4
"symfony/console": "5.3.*", // v5.3.7
"symfony/dotenv": "5.3.*", // v5.3.8
"symfony/flex": "^1.3.1", // v1.17.5
"symfony/form": "5.3.*", // v5.3.8
"symfony/framework-bundle": "5.3.*", // v5.3.8
"symfony/monolog-bundle": "^3.0", // v3.7.0
"symfony/property-access": "5.3.*", // v5.3.8
"symfony/property-info": "5.3.*", // v5.3.8
"symfony/rate-limiter": "5.3.*", // v5.3.4
"symfony/runtime": "5.3.*", // v5.3.4
"symfony/security-bundle": "5.3.*", // v5.3.8
"symfony/serializer": "5.3.*", // v5.3.8
"symfony/stopwatch": "5.3.*", // v5.3.4
"symfony/twig-bundle": "5.3.*", // v5.3.4
"symfony/ux-chartjs": "^1.3", // v1.3.0
"symfony/validator": "5.3.*", // v5.3.8
"symfony/webpack-encore-bundle": "^1.7", // v1.12.0
"symfony/yaml": "5.3.*", // v5.3.6
"symfonycasts/verify-email-bundle": "^1.5", // v1.5.0
"twig/extra-bundle": "^2.12|^3.0", // v3.3.3
"twig/string-extra": "^3.3", // v3.3.3
"twig/twig": "^2.12|^3.0" // v3.3.3
},
"require-dev": {
"doctrine/doctrine-fixtures-bundle": "^3.3", // 3.4.0
"symfony/debug-bundle": "5.3.*", // v5.3.4
"symfony/maker-bundle": "^1.15", // v1.34.0
"symfony/var-dumper": "5.3.*", // v5.3.8
"symfony/web-profiler-bundle": "5.3.*", // v5.3.8
"zenstruck/foundry": "^1.1" // v1.13.3
}
}