API Token Authenticator Part 2!

Hey Scott!

Sorry for the slow reply. But yea, I'd be happy to help you with that :). So, when you don't send the Bearer token, it means that both of your authenticators do nothing (i.e. supports() returns false). This means that your request continues anonymously, then it hits some security check. At this point, Symfony calls the "entry point" for the firewall. In practice, that means it calls the "start" method for one of your two authenticators. You choose WHICH start() method (which entry point) should be used via the entry_point config under "guard" in security.yaml.

So, change the entry_point config to point to the ApiTokenAuthenticator class instead. Then, add some code in its start() method to return a JsonResponse.

The only downside is that if your site also supports normal users, if they try to access any page anonymously, they'll see a JsonResponse :). For the best of both worlds, in the start() method of your ApiTokenAuthenticator, you will need to (somehow) determine if the current request is an API request (then return JSON) or a web request (then redirect to the login page). How? Well, if all your URLs start with /api, that's one thing you could check for. Or, if your API exists only to power your own JavaScript, you could check if $request->isXmlHttpRequest(). It depends on your app :).

I hope this helps & reaches you in time!

Cheers!

I appreciate your help.

Your response was very helpful and pointed me in the right direction.

I only have a self-imposed deadline as this is a personal project for freelancing jobs. I am also looking for a new job (hopefully staying in Europe) . So, brushing up on some things.

Anyways, here is my solution in case it may help someone else.

<strong>security.yaml</strong>

    main:
            anonymous: true
            guard:
                authenticators:
                - App\Security\LoginFormAuthenticator
                - App\Security\ApiTokenAuthenticator

                entry_point: App\Security\ApiTokenAuthenticator

            logout:
                success_handler: App\Service\LogoutSuccessService

            remember_me:
                secret: '%kernel.secret%'
                lifetime: 2592000 # 30 days in seconds

In <strong>ApiTokenAuthenticator</strong>

public function start(Request $request, AuthenticationException $authException = null)
    {
       if('json' === $request->getContentType()) {
            $data = array(
                "@context" => "/contexts/Error",
                "@type" => "Error",
                "hydra:title" => "An error occurred",
                "hydra:description" => "Authentication Required.",
                "hydra:status" => Response::HTTP_UNAUTHORIZED
            );

            return new JsonResponse($data, Response::HTTP_UNAUTHORIZED);
        } else {
            return new RedirectResponse($this->router->generate('form_login'));
        }
    }

To be able to log out, API should get a JsonResponse and website should be redirected to login page. To do this, I had to do the following:

<strong>LogoutSuccessService</strong>

class LogoutSuccessService implements LogoutSuccessHandlerInterface
{

    private $router;

    public function __construct(RouterInterface $router)
    {
        $this->router = $router;
    }

    /**
     * Creates a Response object to send upon a successful logout.
     *
     * @param Request $request
     *
     * @return JsonResponse|RedirectResponse never null
     */
    public function onLogoutSuccess(Request $request)
    {
        if(null === $request->getContentType()) {
            return new RedirectResponse($this->router->generate('form_login'));
        } else {
            $data = array(
                "@context" => "/contexts/Message",
                "@type" => "Message",
                "hydra:title" => "Success",
                "hydra:description" => "You have successfully been logged out.",
                "hydra:status" => Response::HTTP_ACCEPTED
            );

            return new JsonResponse($data, Response::HTTP_ACCEPTED);
        }
    }
}

This is reference by the logout success_handler in <strong>secrity.yaml</strong>.

I haven't had time to test this with Behat or PHPUnit. But, seems to work when testing using PostMan and using a browser.

Awesome job Scott, thanks for sharing your solution :)

I hope you find the job you are looking for. Cheers!

Hey Gaetano,

The error you see: "Error 400: redirect_uri_mismatch" - clearly says that the redirect URL you're using mismatch the one you set in your Google Application. It also says "visit ..." some URL, try to follow that link and check what redirect URL you have there and compare it with URL you're actually redirecting. Even scheme might cause this error I think, so please, double check it - use HTTP or HTTPS in both.

I hope this helps!

Cheers!

Finally I did it...just a little of patience more..:)

Hey Gaetano,

Glad you were able to get it working, well done! :)

Cheers!

Hi,
thanks for your help. I changed a little bit my code and now I have another problem: 401 invalid credentials. I tried with the oauth of facebook but I have the follow error: something went wrong, try again later.... I think I have to leave for the moment and go on to finish this course. I am quite angry about it. :(

Hey Amy anuszewski

I don't know if it is a good or bad practice but if you want to refresh the token life, probably after a succesful API call is the best moment. You would only need to update the "expireAt" field of such token.

Cheers!

Hey Shaun T.!

Hmm. Well, I suppose like everything, it depends :). In this app, Symfony *is* our front-end and our back-end - some pages are HTML pages (a frontend) and some pages are API endpoints (a back-end). For the front-end part, Symfony *does* need to know where to redirect the user to when authentication fails. But, when Symfony is being treated like an API, then if authentication fails, it should simply return a 401 JSON response back to the API client. It would then be up to the frontend (e.g. JavaScript) to figure out what to do.

That's a long way of saying: if you are really building a frontend in JavaScript, then it should be capable of understanding the 401 JSON response sent back from Symfony and then it should redirect the user (or open some login dialog) itself.

Let me know if that answers your question!

Cheers!

Hey Jorge

Yeah, testing in Symfony4 got a bit weirder... but anyways, you only have to tweak your Doctrine config for your test environment, like this:

// config/packages/test/doctrine.yaml

doctrine:
    dbal:
        url: '%env(resolve:DATABASE_URL)%_test'

Cheers!

Hi MolloKhan , thanks for your answer.

I already did what you suggested, but it still takes the wrong DB URL, still using dev DB instead of test DB, really weird!

Cheers!

Hmm, that's odd. How are you testing it? Can you double check that you are actually running on "test" environment?

I'm running my tests with "./vendor/bin/simple-phpunit". The thing is that the authentication of the endpoints I'm testing, uses a JwtGuardAuthenticator class, that is getting the user using the repository. I've verified that it's querying the dev DB instead of my tests DB.

I've checked everything but still with the same problem.

Is there a reason to run "simple-phpunit"? Try running "phpunit" bin

./vendor/bin/phpunit

I'm using Php Unit Bridge:

https://symfony.com/doc/cur...

That's the way to run it. It shouldn't be the problem.

Hey Jorge!

Yea, as Diego mentioned, testing got a little strange in Symfony 4. It will be fixed in Symfony 4.2, with a small new feature and a change to the recipe. There are two issues:

1) The .env file is not read in the test environment. And so, all the environment variables need to be duplicated in phpunit.xml.dist. Diego's suggestion above to override the doctrine.dbal.url config setting via that special doctrine.yaml file in the test environment takes care of this part (though we will have a more robust solution soon).

2) Even after you've fixed the above, when you're running your tests, you need to make sure that you're actually in the test environment! That should be handled thanks to the APP_ENV environment variable in your phpunit.xml.dist file. However, if you are making real web requests from your test (e.g. via Guzzle), then those requests will execute your public/index.php file, which, just like when you load it in a browser, will load in the "dev" environment. That's the second piece that needs to be made more smooth. One easy way to fix this is to create an index_test.php file that is a duplicate of index.php, except that it defaults to the "test" environment.

Let me know if this helps! I think part (2) might be your issue - but I could also be totally wrong ;).

Cheers!

Hi weaverryan !

Thanks for your answer. Makes sense, I did all the suggested steps, but as you said, I'm using Guzzle and I was able to verify that the repositories where using my dev database instead of the tests one. I'll try that solution.

Thank you very much in advance.

Cheers!

BTW, you can use Symfony's client to make your http requests instead of Guzzle. I'm recommending it because it hits the test environment by default without having to create a special front controller (index_text.php as Ryan suggested)

Docs: https://symfony.com/doc/cur...

Cheers!

You are right MolloKhan , in fact, I started to do my tests with the Symfony's client, but later I adjusted those test using the Guzzle client. Now I have too much tests with this client so I don't want to spend more time change it. But it's good to know it for the future, thanks!

Cheers!

Hey Yahya E.

That's a known deprecation that will be fix (if it's not fixed yed) soon. Check this thread: https://github.com/symfony/...

Cheers!

Hey Yahya E.!

Hmm, yea, it could be. That is, at the very least, a very unhelpful error :). Can you post the exact security.yaml config that you have that gives you the error? You mentioned that the security.yaml you printed on the bottom also causes the error, but I would love to see the original one.

Thanks!

Dear Ryan,

This is latest <i>security.yaml</i> of the latest tutorial for Symfony Security in SyymfonyCasts.

security:
    encoders:
        App\Entity\User:
            algorithm: bcrypt

    role_hierarchy:
        ROLE_ADMIN: [ROLE_ADMIN_COMMENT, ROLE_ADMIN_ARTICLE, ROLE_ALLOWED_TO_SWITCH]

    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
        # used to reload user from session & other features (e.g. switch_user)

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: true

            guard:
                authenticators:
                    - App\Security\LoginFormAuthenticator
                    - App\Security\ApiTokenAuthenticator

                # redirect anonymous users to the login page
                entry_point: App\Security\LoginFormAuthenticator

            logout:
                path: app_logout

            remember_me:
                secret: '%kernel.secret%'
                lifetime: 2592000 # 30 days in seconds

            switch_user: true

            # activate different ways to authenticate

            # http_basic: true
            # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate

            # form_login: true
            # https://symfony.com/doc/current/security/form_login_setup.html

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # but, definitely allow /login to be accessible anonymously
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # require the user to fully login to change password
        #- { path: ^/change-password, roles: IS_AUTHENTICATED_FULLY }
        # if you wanted to force EVERY URL to be protected
        #- { path: ^/, roles: IS_AUTHENTICATED_REMEMBERED }

        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }

This will give you an error saying that a problem with entry point. It will ask you indent entry_point to guard level. If you indent as requested, it will give you the previous error I wrote about security.firewall.map.

And this is the yaml I alternately wrote without entry point.

security:
    encoders:
        App\Entity\User:
            algorithm: bcrypt

    role_hierarchy:
        ROLE_ADMIN: [ROLE_ADMIN_COMMENT, ROLE_ADMIN_ARTICLE, ROLE_ALLOWED_TO_SWITCH]

    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
        # used to reload user from session & other features (e.g. switch_user)

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        api:
            pattern: ^/api/
            guard:
                authenticators:
                    - App\Security\ApiTokenAuthenticator
        main:
            anonymous: true
            guard:
                authenticators:
                    - App\Security\LoginFormAuthenticator
                # redirects anonymous users to the login page

            logout:
                path: app_logout

            remember_me:
                secret: '%kernel.secret%'
                lifetime: 2592000 # 30 days in seconds

            switch_user: true

            # activate different ways to authenticate

            # http_basic: true
            # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate

            # form_login: true
            # https://symfony.com/doc/current/security/form_login_setup.html

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # but, definitely allow /login to be accessible anonymously
        #- { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        # require the user to fully login to change password
        #- { path: ^/change-password, roles: IS_AUTHENTICATED_FULLY }
        # if you wanted to force EVERY URL to be protected
        #- { path: ^/, roles: IS_AUTHENTICATED_REMEMBERED }

        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }

Still gives same error.

Hope this helps.

Hey Yahya E.!

Hmm, very interesting. Basically, what you're seeing should not happen :). So yes, it seems like a bug... in Symfony or some weird setup issue. Basically, that ".security.request_matcher.zfHj2lW" service is an internal service that's created to support your firewall (https://github.com/symfony/symfony/blob/9aaec948d5c0a626fbd1946b15afc76ea1345973/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php#L710 and https://github.com/symfony/symfony/blob/9aaec948d5c0a626fbd1946b15afc76ea1345973/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php#L279). It's consumed directly by the internal security.firewall.map service. This is all low-level plumbing that's handled automatically for you by the container.

So, you have hit a Symfony bug... or something similar indeed :). Here are some things we can do:

A) Manually clear your cache to see if it fixes things: rm -rf var/cache/*

B) Post your composer.lock file (a good option is to https://gist.github.com/). Basically, we can't reproduce this error. And, if it IS a symfony bug, it is probably only something that happens on a very specific version. If you post your composer.lock file, we can try to reproduce it using that.

Sorry you hit this! This type of thing is very strange and rare. But, unless I'm looking at the code wrong, I can't think of anything that you're doing in your code that would cause this - this looks like bad Symfony behavior.

Cheers!

Clearing cache rm -rf var/cache/* did not change the status.

Here is the gist contains 3 files:

composer.lock, symfony.lock and a custom file named .history - as my own log of the composer installations during the project:

https://gist.github.com/yahyaerturan/8c7e7757a5d946a55be0099084e609a0

That bad behaviour prevent me to use debug:config for all :(

I had the same problem. Right now I can't remember for sure what was the cause but I think my dependencies (security bundle???) were not up to date. Try that.

Hey guys!

Hmm. I am frustratingly stumped! I've used your composer.lock file so that I have the EXACT dependencies as you have, and have used the EXACT code from the tutorial up to this point. No matter what I do (I've tried making many different mistakes/typos) I cannot get the same error that you're getting. And, as I mentioned before, I can't even see how this is possible! But, if 2 people have gotten the error, then it's definitely looks like it could be legit.

Two last questions:

1) If you rm -rf vendor/* and composer install, same result?
2) Would it be possible to push your entire app to GitHub so I could reproduce the error myself? I thought composer.lock would be enough, but apparently not. I think it may be something somewhat unrelated that is causing the weird issue.

Cheers!

Sorry, I should have been more clear. I had this problem with security.request_matcher.***** in my business project, not in this tutorial.
However, I was curious and I've just executed bin/console debug:config doctrine in the root of this tutorial and here is what I've experienced:
Step 1: Yes, I did get: "In GuardAuthenticationFactory.php line 100: The guard authentication provider cannot use the "App\Security\LoginFormAuthenticator" entry_point because another entry point is already configured by another provider! Either remove the other provider or move the entry_point configuration as a root key under your firewall (i.e. at the same level as "guard")."
And yes, I did get problem with security.request_matcher.***** when moved to the "guard" level but it doesnt matter right now.
Step 2: Opened GuardAuthenticationFactory and put `dd($defaultEntryPointId, $config['entry_point'])` after `if ($defaultEntryPointId) {`, executed debug:config again and got "App\Security\LoginFormAuthenticator" TWICE!!!
Step 3: Executed debug:config - 1, 2, 3 ... n times and IT WORKS!
Stop 4: rm -rf var/cache/*
Step 5: Deleted line with `dd` and executed debug:config --- BLOW!!! Error from Step 1.

But, but, but. After the steps I had written out above I randomly run debug:config doctrine three times in a row and I did get the config at the third time and the every following one!!!

Answering your question: when I remove both: cache and vendor, then composer install I do get this error with another entry point but only on the first comman run, then I'm good :)

Ryan, I will upload my repo to github and send you a link via email on ryan@knpuniversity.com. Give me a moment.

P.S. I would change the Exception message so it includes the name of this "another entry point". It is more explicit and a developer can see that both entry points are the same ones (like in out case both are App\Security\LoginFormAuthenticator)

weaverryan

rm -Rf vendor/*; composer install did the work. Now I can run ./bin/console debug:config doctrine in ease. Regarding my app, it is 100% copied from finish folder of Symfony Security track.

Hey Yahya E.!

Sorry for the slow delay! And... congrats! I'm 99% sure that you found a Symfony bug :). And it took me quite some time to track it down. Here is the issue report: https://github.com/symfony/...

The tl;dr; is this: there is a bug that causes the container cache to be rebuilt too often, when you're using the debug:config command. It doesn't affect anything else in the system. Basically, under the *right* situation, debug:config will break. But, nothing else in the system should be affected.

I hope this helps! Oh, also, at least when I was testing it, I would get the error the first time I ran debug:config, but not afterwards (basically it would only occur if the command had to be the container). I know you got it working, but I have a feeling that this might come back at some point - and I want you to know what's going on.

Cheers!

how to access translator in a Service?

Using translator: https://symfony.com/doc/current/translation.html#basic-translation

Dependency Injection: https://symfonycasts.com/screencast/dependency-injection

DI for services in Symfony 4: https://symfonycasts.com/screencast/symfony-fundamentals/create-service#proper-dependency-injection

And putting it all together:

use Symfony\Component\Translation\TranslatorInterface;

class SomeService
{
    private $translator;

    public __construct(TranslatorInterface $translator)
    {
        $this->translator = $translator;
    }

    public someAction()
    {
        $this->translator->trans('some text');
    }

How we can make Custom exceptions messages translated

The simplest way I see, is just translate the text before you pass it to the exception's constructor.

Hey Ivan,

Thank you for your help!

Cheers!

Thank you Ivan. It seems all about finding the correct interface as gate to service. Maybe one more question. If we create a trait, which we can use in several services, how we do it in a Trait? Because traits has no constructor?

Hey Yahya E.!

Ah! So, there are 2 options here:

1) (the cleaner, but less fancy solution): add the shortcut methods in your trait (e.g. private function translate()</code), but just assume that there is some $this->translator` property (maybe throw an exception that this is needed if it's not there). This means you still need to do the work of creating a constructor and setting the property... which is actually a good thing - because that's good clean coding.

2) Use this tricky: https://symfonycasts.com/screencast/symfony-fundamentals/logger-trait - but I don't love this solution for "required" dependencies: objects that you actually need to make your code work.

Cheers!

weaverryan Can you a little bit elaborate the first solution please?

It would be something like this:

...
class SomeService 
{
    use TranslatorTrait;

    public function __construct(TranslatorInterface $translator)
    {
        $this->setTranslator($translator);
    }
    ...
}

...
trait TranslatorTrait
{

private $translator;

protected function translate($message)
{
    ...
}

protected function setTranslator(TranslatorInterface $translator)
{
    $this->translator = $translator;
}

}

Cheers!

Hey Yahya,

Good question! You can execute "bin/console debug:autowiring" and find a proper translation service to know what type hint you need to use to get it. So, as you can see if you ran the command, you can type hint with "Symfony\Component\Translation\TranslatorInterface" in your ApiTokenAuthenticator's constructor. So, first of all, translate your message first and then create a custom exception with already translated message. Basically, the same as Ivan suggested to you below :)

Cheers!

Hey @Marcin

Sometimes it take us a couple of days to release the code blocks, sorry about that!