Chapters
47 Chapters
|
4:41:51
|
Login to bookmark this video
-
Course Code
Subscribe to download the code!
Subscribe to download the code!
-
This Video
Subscribe to download the video!
Subscribe to download the video!
-
Subtitles
Subscribe to download the subtitles!
Subscribe to download the subtitles!
-
Course Script
Subscribe to download the script!
Subscribe to download the script!
Scroll down to the script below, click on any sentence (including terminal blocks) to jump to that spot in the video!
Subscribe to jump to this part in the video!
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
This tutorial also works great for Symfony 6!
What PHP libraries does this tutorial use?
// composer.json
{
"require": {
"php": ">=8.2",
"ext-ctype": "*",
"ext-iconv": "*",
"babdev/pagerfanta-bundle": "^3.3", // v3.3.0
"composer/package-versions-deprecated": "^1.11", // 1.11.99.4
"doctrine/annotations": "^1.0", // 1.13.2
"doctrine/doctrine-bundle": "^2.1", // 2.6.3
"doctrine/doctrine-migrations-bundle": "^3.0", // 3.1.1
"doctrine/orm": "^2.7", // 2.10.1
"knplabs/knp-markdown-bundle": "^1.8", // 1.9.0
"knplabs/knp-time-bundle": "^1.11", // v1.16.1
"pagerfanta/doctrine-orm-adapter": "^3.3", // v3.3.0
"pagerfanta/twig": "^3.3", // v3.3.0
"phpdocumentor/reflection-docblock": "^5.2", // 5.2.2
"scheb/2fa-bundle": "^5.12", // v5.12.1
"scheb/2fa-qr-code": "^5.12", // v5.12.1
"scheb/2fa-totp": "^5.12", // v5.12.1
"sensio/framework-extra-bundle": "^6.0", // v6.2.0
"stof/doctrine-extensions-bundle": "^1.4", // v1.6.0
"symfony/asset": "5.3.*", // v5.3.4
"symfony/console": "5.3.*", // v5.3.7
"symfony/dotenv": "5.3.*", // v5.3.8
"symfony/flex": "^1.3.1", // v1.21.6
"symfony/form": "5.3.*", // v5.3.8
"symfony/framework-bundle": "5.3.*", // v5.3.8
"symfony/monolog-bundle": "^3.0", // v3.7.0
"symfony/property-access": "5.3.*", // v5.3.8
"symfony/property-info": "5.3.*", // v5.3.8
"symfony/rate-limiter": "5.3.*", // v5.3.4
"symfony/runtime": "5.3.*", // v5.3.4
"symfony/security-bundle": "5.3.*", // v5.3.8
"symfony/serializer": "5.3.*", // v5.3.8
"symfony/stopwatch": "5.3.*", // v5.3.4
"symfony/twig-bundle": "5.3.*", // v5.3.4
"symfony/ux-chartjs": "^1.3", // v1.3.0
"symfony/validator": "5.3.*", // v5.3.8
"symfony/webpack-encore-bundle": "^1.7", // v1.12.0
"symfony/yaml": "5.3.*", // v5.3.6
"symfonycasts/verify-email-bundle": "^1.5", // v1.5.0
"twig/extra-bundle": "^2.12|^3.0", // v3.3.3
"twig/string-extra": "^3.3", // v3.3.3
"twig/twig": "^2.12|^3.0" // v3.3.3
},
"require-dev": {
"doctrine/doctrine-fixtures-bundle": "^3.3", // 3.4.0
"symfony/debug-bundle": "5.3.*", // v5.3.4
"symfony/maker-bundle": "^1.15", // v1.34.0
"symfony/var-dumper": "5.3.*", // v5.3.8
"symfony/web-profiler-bundle": "5.3.*", // v5.3.8
"zenstruck/foundry": "^1.1" // v1.13.3
}
}
25 Comments
Hello!
I followed the advice of Ryan(RIP 😔) of making the user confirm that they scanned the code and register their user in Authy, but I get an error with the QR code.
The problem is that if a user does not confirm that they scanned the code and go somewhere else in the app, or logout, then tries to enable again the 2fa, the page renders the old QR code but the new TotpSecret is set. So, when I use Authy, I cannot login because the TotpSecret does not coincide.
If I refresh the page, everything works fine, but I don't know how to update the QR code when the route is only rendering the template.
I apologize if this is a silly question.
Hey Octavio,
Oh, so the QR code is not updated? I suppose you're using that
scheb/2fa-qr-codewe show in this video? It seems it was discontinued. From the package docs I see it suggest to usescheb_two_factor.security.totp_authenticatorservice instead, along withendroid/qr-codefor QR code generation. See this specific section in docs: https://github.com/scheb/2fa/blob/6.x/UPGRADE.md#scheb2fa-qr-code-packageI would suggest you to go that new way instead for more robust flow, that way I bet you will control when to update your TOTP secret and the QR code.
Cheers!
Hey Victor,
I am using scheb_two_factor.security.totp_authenticator service, along with endroid/qr-code. Let me show you my code.
The versions I'm working with are "endroid/qr-code": "^6.0", "scheb/2fa-bundle": "^7.11" and "scheb/2fa-totp": "^7.11". Apart from the versions and the code shown, the other thing different from the video is that I added a property to the user of isTotpEnabled and use it in isTotpAuthenticationEnabled(), as the video suggested.
As I said in my first post, everything works fine, except that if the user goes to another page or logout, without confirming the 2fa enable, and tries to enable 2fa again; the rendered twig template shows the past QR code. But, if I refresh the page, it shows the QR with the updated secretTotp.
Hey Octavio,
Oh, OK. So, do you use the "Go Back" button in the browser when you return to the page with the stale QA code? It sounds like a possible browser cache of an image. I wonder if you have the stale image even if you click links on your website? Like what about the scenario:
Will you have the past QR code? I mean, it's difficult to see if it's the same or a different because of minor QR code changes. Do you have any errors with it? Did you try to scan it and use the actual TOTP code to confirm enabling? did you see any errors?
Could you teporarily dump that
$qrCodeContent? Is it really the same hash you see on the 2st and 5th steps?Cheers!
Victor,
Yes, I have the stale image even if I click on my website. And to verify the QR code does not coincide with the hash, I scan the QR code to verify is the stale QR code and check Doctrine's database to verify that the user has a different hash in the 5th step. I also tried to scan that code and confirm the enabling of 2fa, but it obviously doesn't work; the code that Authy gives me, doesn't let me sign in.
I just dumped the $qrCodeContent and is not the same hash on the 2st and 5th steps.
Hey Octavio,
Hm, good debugging work! So, it seems like the image was somehow cached by the browser, and I suppose the
$qrCodeContentdump confirms it. As of a quick solution, I may think of do not regenerate the hash i.e. if the $totpSecret was already set - do not regenerate it. It should fix the problem with stale image, because the image should be still valid this way.Otherwise, you should somehow force browser to udpate the image properly. I wonder if you just add the timestamp to the image URL, so that the URL was something like this
/authentication/2fa/qr-code?t=12345678, i.e. in the place where you generate the image we can do it by passing extra params:path('app_qr_code', {'t': 'now'|date('U')})- it will be like a unique hash. So this way the URL will be slightly different every second which should push the browser to refresh the image properly.Or probably it can be done with some proper cache headers in the response of that QR code image. But I think the timestamp solution might be enough and pretty robust for browsers.
Cheers!
I can't install either of the QR code generators.
From composer require "endroid/qr-code:^3.0":
Problem 1
From composer require "scheb/2fa-qr-code:^5.12.1":
Problem 1
Hey @Ryan-L!
Other Ryan here! Hmm, this looks like no fun! It's odd... when you say
That should allow ANY version of version 3 to be installed - the last version being 3.9.7, which DOES support Symfony 5 (the version of Symfony used in this tutorial). But, perhaps there were other errors below - and I'm just focusing on this top one too much. For example, if you're using Symfony 6 code (vs the code from this actual tutorial), try this instead:
That'll install the newer version 4 of the library, which works with Symfony 6. There may be some changes, but I don't see anything too major.
Let me know if this helps!
Small (totally stupid) question: Why is the method that displays the QR code named displayGoogleAuthenticatorQrCode()?...
I mean you recommend Authy - hahaha ;)
I am back to this course to learn about 2FA - It might be worth updating it to SF6 and all the new attributes stuff :)
Hey elkuku!
Sorry for the slow reply - but happy new year :).
Lol, that's a good question! I'm pretty sure the answer to this is...l Ryan copying and pasting from the docs at some point 🤣
Definitely - we need to finish out the Symfony 6 course (Doctrine relations, forms and security) as early as we can this year. It's hard to look at annotations once you get used to attributes!
Cheers!
I'm getting this error. I'd like to tell it I AM trying to use Endroid\QrCode\Builder.
Attempted to load class "Builder" from namespace "Endroid\QrCode\Builder".
Did you forget a "use" statement for "PhpParser\Builder"?
I have seen that a GD library is a dependency so I've installed that. My php version is a bit low (7.2) but I can't really see it being that. Any ideas?
Hi @gazzatav! I hit the same roadblock that you. I'm using PHP 8.2. What I did was
It seems that in the latest version 3 of
Endroid\QrCodethe classEndroid\QrCode\Builder\Builderwas replaced byEndroid\QrCode\QrCode. After I had made the modifications above, everything worked fine for me.I hope this will help others facing the same roadblock.
Cheers!
Reading the endroid documentation, here is code that works with Symfony 6 and PHP 8.1 (and the scan results in a validation code):
Thanks @Francois This
endroid/qr-codelibrary has evolved fast and has a lot of major versions with changes.If using 3.0 as shown in the video/script, the code is actually (as @Webcu shows above):
I've update the script to this and the video should be updated soon!
I take that back:
Endroid requires php: ^7.4||^8.0
So no builder class installed. Off to the ppa.
Oh dear, I upgraded to php 8.1 and now I'm in all sorts of other pain :(
Hey Gary,
I'm happy to see you were able to figure out the problem related to uninstalled package!
Hm, I see this course should work on PHP 8.1, are you having any issues running our course code on PHP 8.1? Or is it something related to your laptop?
Cheers!
Hi @victor , cannot get the qr-code at all. When I try to go to /authentication/2fa/qr-code I end up at /2fa which appears to be the route for the authentication form in the scheb/2fa-bundle. Debug:router shows a route '2fa_login' that I did not make. Grepping for that route, I find:
vendor/scheb/2fa-bundle/Resources/views/Authentication/form.html.twig: {{ provider }}
Any ideas how to configure this so it doesn't hi-jack my path when I type in /authentication/2fa/qr-code manually?
@vvictor , Update: I have seen a qr code but it had no secret in the content - kind of defeats the purpose. The login route is redirected to the path 2fa. 2fa is an entry in the firewall which seems to direct to itself so the login and qr code entry can never be completed. The 2fa path problem comes from the scheb/2fa package and is not of my making.
Hey Gary,
Let me clarify some things, did you download the course code and started from the start/ directory? Are you still on PHP 8.1? And if so, how did you make to install the package on PHP 8.1?
Cheers!
Hi Victor,
I downloaded the course files which I diffed/merged with my application which I've kept all the way from 'Charming Development'.
Now php8.1 is installed and working fine. The problem with that (in case anybody else gets stuck) was that after upgrading, php7.2 modules still hang around and need to be purged, though even that is not enough, as if you have a server running it can be holding on to its modules and you need to disable them so that you can purge them. Then there were new php modules to install like php8.1-gd for drawing the qr code. Then there is the simple matter of restarting the symfony server so that it has access to the new modules. (This seemed to be necessary, perhaps you could clarify, does the symfony server have all needed modules loaded in memory?)
In case it helps anyone else these are the php 8.1 modules I have installed (on Ubuntu - but the names should give a clue):
php8.1-apcu [installed by me]
php8.1-bz2 [installed by me]
php8.1-cli [installed by me]
php8.1-common [installed by me]
php8.1-curl [installed by me]
php8.1-gd [installed by me]
php8.1-mbstring [installed by me]
php8.1-opcache [installed by default]
php8.1-pgsql [installed by me]
php8.1-readline [installed by default]
php8.1-xml [installed by me]
php8.1-zip [installed by me]
For this project I have managed to uninstall packages that were deprecated and install more up-to-date packages ('composer update' will not do exactly the right thing!). I was stuck for a while getting pagerfanta to work but that's fine now. The docs for pagerfanta were a bit confusing because the link for the symfony framework on the babdev site took me to a github page instead of the babdev page for symfony. There is a link on the github page which does take you to the symfony framework page but then you get all sorts of confusion:
babdev/pagerfanta is deprecated, pagerfanta/pagerfanta has everything and pagerfanta has native support for twig. I eventually figured out I needed not just pagerfanta/pagerfanta but babdev/pagerfanta-bundle for symfony support and pagerfanta/twig for twig support. Actually you don't need pagerfanta/pagerfanta at all you can install what you need such as pagerfanta/core, pagerfanta/twig and pagerfanta/doctrine-orm-adapter.
I have watched ahead and I now see that the 2fa path and template are used re-purposed towards the end of the course. I can generate a qr-code image and to stop 2fa from taking over I just need to remove the secret from the database.
Cheers
Hey Gary,
Yeah, it sounds correct, you have to restart the server every time you installed a new PHP module (or remove it). So you did it correct.
About what modules are required? Good question! Symfony has a special tool for checking them, you can use Symfony CLI to check it with:
$ symfony check:requirements
It will show you if you're missing required modules, or recommended modules. You have to install all the required modules, but you can ignore recommended ones to run the Symfony project. Though, it's better to install recommended as well as it may improve your Symfony app.
What about the php8.1-gd - it's a PHP image library... So yes, it might be required for generating QR codes. What about others modules - well, it depends in your specific project. But you don't have to install all of them, Instead, install them by request, i.e. when you get an error that you need some new module - just install it and restart the web server. So, first of all, stick to recommendations of that "check:requirements" command
I hope this helps!
Cheers!
Yes, symfony check:requirements is a good tip. Errors about missing modules aren't always easy to read! At least I can go back and try the apcu lesson from way back. I couldn't do that with php7.2, or I didn't because it was experimental or something. Would it be useful to share my lock files so that you can see the versions installed to run on php8.1?
Hey Gary,
You can try to share, but it might be too long message for Disqus, lock files have really a lot of text. If you really want to share with others your lock file - I'd recommend you to create a Gist here https://gist.github.com/ and share the link to it - that would be the best.
Cheers!
Good Course
Thanks ❤️
"Houston: no signs of life"
Start the conversation!