WEBVTT

NOTE Created by CaptionSync from Automatic Sync Technologies www.automaticsync.com

00:00:00.276 --> 00:00:04.816 align:middle
Good morning everyone!

00:00:06.876 --> 00:00:11.736 align:middle
Did you drink your coffee already?

00:00:11.736 --> 00:00:18.796 align:middle
So, because you know, if you feel a little
bit sleepy I can scream really loud,

00:00:18.796 --> 00:00:22.966 align:middle
and I maybe do that sometimes during the
presentation, please don't be scared.

00:00:23.306 --> 00:00:28.756 align:middle
I promise I'm a really nice person,
especially when I'm sober, which is right now.

00:00:28.826 --> 00:00:30.286 align:middle
So we are fine.

00:00:30.856 --> 00:00:35.846 align:middle
Uh, I must say sometimes I say
some maybe bad and ugly words

00:00:36.396 --> 00:00:39.366 align:middle
and if you feel offended by it, (xxxx) you.

00:00:39.366 --> 00:00:39.916 align:middle
Oh no, sorry.

00:00:40.236 --> 00:00:41.886 align:middle
If you feel offended by it, okay.

00:00:41.886 --> 00:00:48.636 align:middle
I can ask, you can come and ask, I can ask
you a, you can ask me for apologies later.

00:00:48.636 --> 00:00:50.926 align:middle
And no problem, I can give you
hugs and everything is fine.

00:00:51.286 --> 00:00:58.706 align:middle
So, well, um, I, I must say also that
I'm from Brazil, I'm Brazilian, so, uh,

00:00:58.706 --> 00:01:03.376 align:middle
I'm sorry if I mess up some words in
English because, well, it's not my mother,

00:01:03.796 --> 00:01:05.696 align:middle
my mother English, it's really fine.

00:01:05.936 --> 00:01:07.026 align:middle
That's not my mother language.

00:01:07.076 --> 00:01:08.996 align:middle
So I'm really sorry about that too.

00:01:09.696 --> 00:01:11.046 align:middle
And maybe no, (xxxx) you again.

00:01:11.696 --> 00:01:14.136 align:middle
So I'm here to talk about security.

00:01:14.566 --> 00:01:21.766 align:middle
Um, what I want to talk about is, uh,
the Symfony framework that has, um,

00:01:21.766 --> 00:01:24.226 align:middle
an amazing tool called the Security component.

00:01:24.896 --> 00:01:32.366 align:middle
You may use it with your whole application
running on Symfony or you can install it

00:01:32.426 --> 00:01:35.936 align:middle
by small parts, by packages using Composer.

00:01:36.486 --> 00:01:47.696 align:middle
And while I was studying this component, it is
extremely powerful, but I've been searching for,

00:01:47.696 --> 00:01:49.726 align:middle
you know, examples on the Internet.

00:01:49.866 --> 00:01:56.476 align:middle
Um, examples of code, I, I read,
uh, lots of lines of code on GitHub.

00:01:56.476 --> 00:02:02.906 align:middle
Um, I talked with people I know about the
component, the component, and I realized people,

00:02:03.506 --> 00:02:10.516 align:middle
like, open them the documentation, see some
lines of code and it's always Ctrl+C, Ctrl+V.

00:02:10.516 --> 00:02:17.426 align:middle
People don't understand the concepts behind, um,
some security problems and security solutions.

00:02:17.816 --> 00:02:23.336 align:middle
Okay? Um, if you don't know the concepts,
if you don't know how things work,

00:02:23.516 --> 00:02:28.136 align:middle
if you don't know the context you're dealing
with, I'm so sorry you're a (xxxx) developer.

00:02:29.266 --> 00:02:32.826 align:middle
Okay. Um, and this is not a problem.

00:02:33.036 --> 00:02:38.566 align:middle
Everyone is a (xxxxx) developer on some
level or something like: I can do frontend.

00:02:38.626 --> 00:02:43.666 align:middle
I mean, CSS hates me, so that's
why I stand in the back end stuff.

00:02:44.426 --> 00:02:49.576 align:middle
And especially for starting, if you're
new you, if you're a junior developer,

00:02:49.716 --> 00:02:51.696 align:middle
it's good to be a (xxxx) developer, you know?

00:02:52.116 --> 00:02:55.296 align:middle
Wake up every morning, look in the
mirror and say: I'm a (xxxxx) developer.

00:02:55.816 --> 00:03:00.096 align:middle
Because this will make you try harder when
you go to work, when you try to study.

00:03:00.406 --> 00:03:04.176 align:middle
Okay. So I'm going to play
around here with some concepts.

00:03:04.496 --> 00:03:09.356 align:middle
And I will present some, some of the
functions and tools you can use for,

00:03:10.046 --> 00:03:14.146 align:middle
from the Security component to
handle user access specifically.

00:03:15.176 --> 00:03:21.716 align:middle
We have some stages of user access,
but before I enter that, that's me.

00:03:22.356 --> 00:03:24.336 align:middle
Um, there's this...

00:03:24.336 --> 00:03:26.286 align:middle
Oh! My light doesn't work.

00:03:26.526 --> 00:03:29.986 align:middle
So you can find me everywhere with Diana Arnos.

00:03:29.986 --> 00:03:30.846 align:middle
That's my name.

00:03:31.336 --> 00:03:37.486 align:middle
Uh, I like sec, music, I am a tech leader at
a startup in Brazil and I am an evangelist

00:03:37.486 --> 00:03:45.576 align:middle
of the PHP user group of São Paulo, Brazil,
and the Brazilian chapter of PHP Women that,

00:03:45.576 --> 00:03:48.616 align:middle
yes, we have a Brazilian
chapter of PHP Women, okay?

00:03:49.896 --> 00:03:51.396 align:middle
Well, let's talk about user access.

00:03:52.276 --> 00:03:56.456 align:middle
When we think about user
access, well, it's easy right?

00:03:57.206 --> 00:04:02.206 align:middle
You just have to put some username, you have
to match up the passwords and let the user in.

00:04:02.906 --> 00:04:06.046 align:middle
It's like, oh, this is you, so you can get in.

00:04:06.646 --> 00:04:09.036 align:middle
But is this really that simple?

00:04:09.176 --> 00:04:16.446 align:middle
How, how do you think of when you
imagine the user entering your system,

00:04:17.436 --> 00:04:19.966 align:middle
what things our user can do?

00:04:20.496 --> 00:04:24.246 align:middle
You know, it doesn't matter what
kind of user we are talking about.

00:04:24.516 --> 00:04:27.626 align:middle
If there's one thing we know
every user is really good at,

00:04:27.886 --> 00:04:30.056 align:middle
the user is good at (xxxx)ing up things.

00:04:30.536 --> 00:04:33.206 align:middle
The user will click where it shouldn't.

00:04:33.326 --> 00:04:35.556 align:middle
He will try a URL he shouldn't.

00:04:35.906 --> 00:04:41.276 align:middle
He will end up at a page you didn't even
imagine existed, especially when dealing

00:04:41.276 --> 00:04:44.136 align:middle
with legacy, if you're working with legacy code.

00:04:45.516 --> 00:04:52.676 align:middle
So we have a few steps to think about, a
few situations when we talk about access.

00:04:53.556 --> 00:04:58.796 align:middle
You have the user and you must, you can
notice I'm a really good artist, you know,

00:04:59.926 --> 00:05:01.676 align:middle
and then you have to do the auth.

00:05:03.056 --> 00:05:12.306 align:middle
Uh, it's interesting to notice that when we talk
about auth and we use only the abbreviation,

00:05:12.396 --> 00:05:16.476 align:middle
it's because it's the same for
authentication and authorization,

00:05:16.476 --> 00:05:18.386 align:middle
because it's, they are separate things.

00:05:18.936 --> 00:05:24.096 align:middle
Okay. Not many, not many people think
about that, but they are separate things.

00:05:24.646 --> 00:05:27.206 align:middle
Okay, so you'll have the authentication step.

00:05:27.816 --> 00:05:32.896 align:middle
After the user is logged in, or is
authenticated, it will have access

00:05:32.896 --> 00:05:36.676 align:middle
to many features, whatever
they are in your system.

00:05:37.836 --> 00:05:41.856 align:middle
Those features enable the
user to access some data.

00:05:42.436 --> 00:05:47.286 align:middle
It may be only visualization, it may
be only to edit or create, whatever.

00:05:47.796 --> 00:05:52.676 align:middle
Every data on your system is accessed
by the user through some features.

00:05:53.426 --> 00:05:57.326 align:middle
Yeah, if that doesn't happen, you're
having a problem, around, like...

00:05:58.106 --> 00:06:03.206 align:middle
I will try to not talk about
sql injection because you know,

00:06:03.266 --> 00:06:07.926 align:middle
it's a very common mistake people
usually make, especially developers

00:06:08.196 --> 00:06:10.236 align:middle
who don't pay attention
to what they're doing.

00:06:10.736 --> 00:06:13.946 align:middle
But I'll try to hold myself back, it's
not what I need to talk about,

00:06:13.946 --> 00:06:16.466 align:middle
but I really want to punch everyone
in the face when talking about that.

00:06:17.456 --> 00:06:25.676 align:middle
So you have session, and you have an interaction
with user authentication session and data

00:06:25.676 --> 00:06:32.576 align:middle
and feature all the time through all the system
and actually everything at the same time.

00:06:33.196 --> 00:06:35.816 align:middle
It's much more complex than
we usually think about.

00:06:36.456 --> 00:06:41.086 align:middle
And then you have the authorization
process: that's involved around everything.

00:06:41.786 --> 00:06:45.896 align:middle
Basically the authentication process is...

00:06:45.896 --> 00:06:53.336 align:middle
and the user data you have, they're combined
throughout the system to know, okay, does my,

00:06:53.606 --> 00:07:01.006 align:middle
does this user have access to this data or
to this screen, to this button, whatever.

00:07:01.406 --> 00:07:07.776 align:middle
You know, when we talk about not even only
user roles, but what can the user access,

00:07:07.896 --> 00:07:16.826 align:middle
it may be not only a simple visualization,
you know, maybe a low security-level user

00:07:16.856 --> 00:07:21.396 align:middle
couldn't see the names of the high
directors of the company, for example.

00:07:23.226 --> 00:07:26.136 align:middle
So we have, everything begins with a user.

00:07:26.926 --> 00:07:29.596 align:middle
You can't have an authentication
if you don't have the user.

00:07:30.386 --> 00:07:33.786 align:middle
And let's suppose we are using Symfony here.

00:07:33.786 --> 00:07:37.496 align:middle
It doesn't matter how you
create your user class.

00:07:38.486 --> 00:07:43.886 align:middle
The question, you may use, you may code it
by hand or you may use the MakerBundle,

00:07:44.066 --> 00:07:49.386 align:middle
which is something very fun to, to
play with, but you have our user.

00:07:49.986 --> 00:07:55.856 align:middle
But then we have something really important for
all the authentication and authorization process

00:07:55.906 --> 00:07:59.446 align:middle
that will be used by the Security
component: that's a user provider.

00:08:00.266 --> 00:08:02.356 align:middle
What does the user provider do?

00:08:03.236 --> 00:08:11.916 align:middle
It gets, um, like, let's say, support
methods that handle your user data

00:08:12.106 --> 00:08:14.066 align:middle
in ways authentication can do with it.

00:08:14.786 --> 00:08:20.396 align:middle
You have two basic methods that must be
implemented by your user provider and,

00:08:20.396 --> 00:08:27.696 align:middle
but you can also add a few more, once
you start playing a little bit more

00:08:27.696 --> 00:08:30.636 align:middle
with the Security component and
especially Guard authenticators

00:08:30.696 --> 00:08:32.566 align:middle
that we'll talk about in a second, okay?

00:08:32.936 --> 00:08:34.416 align:middle
So you have a user provider.

00:08:35.026 --> 00:08:41.846 align:middle
The user provider does basically two things, I
must say, it must do at least these two things.

00:08:42.026 --> 00:08:43.776 align:middle
First reload from session.

00:08:44.746 --> 00:08:47.106 align:middle
There is a way to disable
that and I'll talk about that,

00:08:47.106 --> 00:08:50.836 align:middle
but what is the reload from session stuff?

00:08:51.636 --> 00:09:00.806 align:middle
It serializes the User object and at the end
of every request, every request the user gets,

00:09:00.846 --> 00:09:03.116 align:middle
the user object gets serialized in session.

00:09:03.806 --> 00:09:08.526 align:middle
And after, every time it begins
a new request begun, or begins,

00:09:08.646 --> 00:09:11.966 align:middle
sorry, uh, it deserializes the object.

00:09:12.846 --> 00:09:18.146 align:middle
But it's not only that, it deserializes the
object from the session, then it makes a refresh

00:09:18.146 --> 00:09:23.716 align:middle
from the user based on the data on the
session from whatever your user data is:

00:09:23.716 --> 00:09:28.886 align:middle
it may be an API, please don't do that,
let's do REST, but it may be an AP,

00:09:28.886 --> 00:09:34.646 align:middle
it may be the database and it may be, I don't
know, memory, because it can do that too.

00:09:34.716 --> 00:09:37.846 align:middle
Please don't do that, but you can do that
from memory too - configuration files.

00:09:38.516 --> 00:09:41.446 align:middle
And then it compares: it's
like, okay, I have this user,

00:09:41.446 --> 00:09:44.086 align:middle
then I'll get this user from my database.

00:09:44.396 --> 00:09:47.706 align:middle
It compares both and sees:
Oh, if it's not the same user,

00:09:48.266 --> 00:09:51.896 align:middle
it de-authenticates the user:
it makes it login again.

00:09:52.706 --> 00:09:58.866 align:middle
There are some internal methods
that verify this that are outside

00:09:58.866 --> 00:10:01.596 align:middle
of the, the part of the user provider.

00:10:01.916 --> 00:10:03.556 align:middle
You can play around on that too.

00:10:04.346 --> 00:10:11.676 align:middle
But it's a security measure to guarantee that,
well, if you have some kind of middle-man,

00:10:11.966 --> 00:10:16.706 align:middle
middle-man, it's a very nice name, you
know, a man-in-the-middle attack, okay,

00:10:16.766 --> 00:10:22.406 align:middle
if you have any kind of man-in-the-middle attack,
um, you have many kinds of men in the middle,

00:10:22.406 --> 00:10:29.246 align:middle
but one of that, one of the most
dangerous attacks on that is,

00:10:30.536 --> 00:10:32.356 align:middle
right playing with the user session.

00:10:32.876 --> 00:10:35.986 align:middle
'Cause, you know, things start there.

00:10:36.376 --> 00:10:39.306 align:middle
So let's suppose I am the man in the middle.

00:10:39.306 --> 00:10:44.086 align:middle
Then I will try to get the data from
your session and then I'll start playing

00:10:44.086 --> 00:10:47.776 align:middle
around because the server will think I am you.

00:10:48.396 --> 00:10:54.956 align:middle
And still, still the, the, the component
doing that - verifying if there was any change

00:10:54.956 --> 00:11:00.836 align:middle
between the original user from the user
database and the data on the session,

00:11:01.046 --> 00:11:04.266 align:middle
there are still ways you can
play around and (xxxx) this up.

00:11:05.256 --> 00:11:13.086 align:middle
Because, well, if there ain't no time to update
the user or the data didn't change anything,

00:11:13.176 --> 00:11:14.496 align:middle
you can still have problems with that.

00:11:14.496 --> 00:11:17.036 align:middle
And you have ways to deal with that here too.

00:11:18.336 --> 00:11:25.226 align:middle
Because, you can use a class that's a,
an interface you can put on the User class

00:11:25.796 --> 00:11:29.046 align:middle
and you can implement in it
a method called isEqualTo().

00:11:29.296 --> 00:11:38.256 align:middle
So, instead of using the, the, the, the default
method from Symfony, you can write your own.

00:11:39.056 --> 00:11:44.496 align:middle
But be careful, great power,
great, brings big responsibilities.

00:11:44.496 --> 00:11:49.346 align:middle
And then you have the second method you
must implement that is the load user.

00:11:50.456 --> 00:11:53.076 align:middle
Uh, you may look and say:
but they are the same thing!

00:11:53.076 --> 00:11:53.636 align:middle
No, they're not.

00:11:53.916 --> 00:11:58.126 align:middle
The load user does not do
anything with the session.

00:11:58.816 --> 00:12:01.086 align:middle
The load user, every time you have a feature

00:12:01.086 --> 00:12:04.626 align:middle
that needs the user data, it
will be calling this method.

00:12:05.566 --> 00:12:07.866 align:middle
Why would you implement the load user?

00:12:08.126 --> 00:12:13.866 align:middle
Well, like, if you don't want to use the
default methods and you are using like an API,

00:12:14.816 --> 00:12:17.816 align:middle
the built-in user providers that Symfony comes

00:12:17.816 --> 00:12:21.676 align:middle
with do not give you the methods
needed to get a user from an API.

00:12:22.346 --> 00:12:23.886 align:middle
So you can implement this here.

00:12:24.656 --> 00:12:32.806 align:middle
Okay. And here, and this is one
of many use-cases that can do,

00:12:32.806 --> 00:12:35.116 align:middle
you have to get the user from an API.

00:12:36.056 --> 00:12:39.926 align:middle
And now I feel a little bit better
talking about that because ya know,

00:12:40.036 --> 00:12:46.406 align:middle
you guys were watching Anthony's talk and he
was saying to please don't use microservices,

00:12:46.406 --> 00:12:49.396 align:middle
and I was going to say if you're
using a user micro-service.

00:12:50.276 --> 00:12:53.906 align:middle
So I can say we're using
a big user service, okay?

00:12:53.906 --> 00:12:59.636 align:middle
We're going to recover the
user data from the API.

00:12:59.876 --> 00:13:04.246 align:middle
These are the methods you're
going to mess around with.

00:13:05.256 --> 00:13:11.396 align:middle
loadUserByUsername(), funny thing is, that's,
the username is not necessarily the username.

00:13:12.056 --> 00:13:16.456 align:middle
It's the thing that comes if you have...

00:13:16.726 --> 00:13:21.296 align:middle
It, it's the data that comes when you use
the method, getUsername() from the user.

00:13:21.596 --> 00:13:26.336 align:middle
Oh, but if I'm using the User class that's
default from Symfony, you will get the username.

00:13:26.496 --> 00:13:32.196 align:middle
Okay. But you can also make your custom
User class, so you can change your username,

00:13:32.196 --> 00:13:37.416 align:middle
I dunno maybe your identification of some kind.

00:13:38.146 --> 00:13:42.606 align:middle
But then you can create and code
all the data that comes here

00:13:42.916 --> 00:13:46.646 align:middle
and this gives you real
power over your application.

00:13:46.646 --> 00:13:52.226 align:middle
They get, this gives power to: Okay my user
is logging in, I am authenticating this user.

00:13:53.526 --> 00:13:55.586 align:middle
How am I to authenticate this user?

00:13:56.076 --> 00:13:59.496 align:middle
And uh, I know that most
people don't care about that.

00:13:59.986 --> 00:14:02.696 align:middle
People like, okay, I have
used the full functions.

00:14:02.696 --> 00:14:05.506 align:middle
Don't do that, please.

00:14:05.686 --> 00:14:09.186 align:middle
Well, everything, as everything you
can do on the Security component,

00:14:09.186 --> 00:14:14.336 align:middle
you configure it in the security.yaml:
that's right: config/packages/security.yaml.

00:14:15.046 --> 00:14:19.066 align:middle
Uh, when you make your custom
provider, you can set them here

00:14:19.546 --> 00:14:22.776 align:middle
and you can just add the id, user provider.

00:14:23.286 --> 00:14:28.876 align:middle
Uh, I didn't show the, that piece of code
because I was showing the things you needed to,

00:14:29.646 --> 00:14:34.676 align:middle
to code, but at the end of the class,
there's a method that supports class,

00:14:34.876 --> 00:14:39.666 align:middle
that's called supportsClass() that will
show the framework you're using the class

00:14:39.666 --> 00:14:41.056 align:middle
as a custom user provider.

00:14:41.786 --> 00:14:45.046 align:middle
But it's a, it's a, it's a common line.

00:14:45.046 --> 00:14:47.366 align:middle
You can find the line of code
on the documentation itself.

00:14:49.296 --> 00:14:53.546 align:middle
After the user: Ok, I have my
user, I have my user class,

00:14:53.546 --> 00:14:57.026 align:middle
I have my user data and I have a user provider.

00:14:57.416 --> 00:15:00.766 align:middle
The user provider will always
be used during the request

00:15:00.766 --> 00:15:03.146 align:middle
and authentication and authorization methods.

00:15:04.006 --> 00:15:05.446 align:middle
Okay. I did this step.

00:15:05.866 --> 00:15:08.226 align:middle
So now I'm going to talk about authentication.

00:15:09.306 --> 00:15:12.646 align:middle
And we have authentication providers.

00:15:12.806 --> 00:15:17.466 align:middle
Uh, I don't know, most people, first
time they're trying to mess with, uh,

00:15:17.466 --> 00:15:20.566 align:middle
the Security component, they
are trying to do things

00:15:20.566 --> 00:15:22.296 align:middle
from out-of-the-box, because you can do that.

00:15:22.646 --> 00:15:26.036 align:middle
It'll just put: okay, I created
a project, I have my user,

00:15:26.036 --> 00:15:29.026 align:middle
I can use the MakerBundle, everything's fine.

00:15:29.476 --> 00:15:35.126 align:middle
So, you need to fix or do something
different with the authentication.

00:15:36.076 --> 00:15:40.446 align:middle
And then you start, like jumping from
class to class and you're like: oh my God,

00:15:40.446 --> 00:15:44.666 align:middle
this authentication is magic because it's
not in the controller, it's not everywhere.

00:15:45.266 --> 00:15:49.346 align:middle
The authentication on Symfony
runs before the controller is called.

00:15:50.646 --> 00:15:54.626 align:middle
It's almost like a, a middleware
idea, it's not exactly a middleware,

00:15:54.926 --> 00:15:56.496 align:middle
but it runs before the controller.

00:15:57.296 --> 00:16:00.876 align:middle
And for that, you can create
authentication providers.

00:16:01.196 --> 00:16:04.756 align:middle
Symfony already has some
authentication providers built-in.

00:16:05.216 --> 00:16:07.966 align:middle
But if you read the documentation,
they will ask,

00:16:07.966 --> 00:16:10.116 align:middle
they will say it's better
if you create your own.

00:16:10.886 --> 00:16:13.786 align:middle
But here, you don't have a
custom authentication provider,

00:16:13.786 --> 00:16:15.856 align:middle
you have what's called a guard authenticator.

00:16:16.856 --> 00:16:20.786 align:middle
But let's suppose we're going to, you have...

00:16:20.856 --> 00:16:28.136 align:middle
When you create a user provider, you
have one user provider for your class.

00:16:28.426 --> 00:16:31.096 align:middle
Here you can have lots of
authentication providers.

00:16:31.806 --> 00:16:37.176 align:middle
And every authentication provider is,
they always run before each request.

00:16:37.496 --> 00:16:44.196 align:middle
Always. And so you may have, you need to pay
attention to the order things are happening.

00:16:44.696 --> 00:16:47.116 align:middle
How many providers you have on authentication.

00:16:47.526 --> 00:16:51.546 align:middle
And you must take care to,
don't let one mess up the other.

00:16:51.896 --> 00:16:57.676 align:middle
Okay? Umm, okay, I won't use the
built-in, please don't use the built-in,

00:16:58.046 --> 00:17:02.116 align:middle
I repeat this many, many, many times:
please don't use the built-in authenticator.

00:17:03.036 --> 00:17:04.626 align:middle
And then, you have to do your own.

00:17:05.586 --> 00:17:07.296 align:middle
You can create a guard authenticator.

00:17:07.456 --> 00:17:11.476 align:middle
It runs at the, it's the, on
the same, the same context;

00:17:11.476 --> 00:17:14.156 align:middle
they run every time before each request.

00:17:14.386 --> 00:17:16.416 align:middle
You can create lots of guard authenticators.

00:17:16.976 --> 00:17:20.476 align:middle
But, this class, when you
create a Guard authenticator,

00:17:21.096 --> 00:17:24.376 align:middle
it gives you full control of
the authentication process.

00:17:25.276 --> 00:17:32.826 align:middle
You can, you can analyze and, you know,
deal with data since the beginning

00:17:32.826 --> 00:17:34.776 align:middle
of the request to the end of the request.

00:17:35.746 --> 00:17:40.576 align:middle
You will use an interface that brings
seven methods you need to implement,

00:17:40.876 --> 00:17:43.816 align:middle
but you can put more, and you can do a lot more.

00:17:44.696 --> 00:17:45.856 align:middle
There's an example.

00:17:46.286 --> 00:17:50.436 align:middle
Um, I'm really sorry I messed up
the PSRs here, because you know,

00:17:50.436 --> 00:17:52.656 align:middle
but it's just so they can fit all in.

00:17:53.226 --> 00:17:57.266 align:middle
These are the seven methods
you need to use, at least,

00:17:58.346 --> 00:18:01.496 align:middle
by extending the AbstractGuardAuthenticator.

00:18:02.066 --> 00:18:10.056 align:middle
Okay? Uh, why, um, why would you, need most
authenticator, to create one by yourself?

00:18:10.186 --> 00:18:19.336 align:middle
You know, like if you want to use a JWT
authentication, API tokens authentication,

00:18:19.336 --> 00:18:21.426 align:middle
you don't have those built in on Symfony.

00:18:22.086 --> 00:18:25.456 align:middle
Anytime, basically everything
you need to do with an API,

00:18:25.616 --> 00:18:28.836 align:middle
you have to create an authenticator,
a specific authenticator.

00:18:29.596 --> 00:18:36.796 align:middle
So, here you come from, since the beginning,
you know, this function here, the start() one.

00:18:37.296 --> 00:18:42.506 align:middle
It's basically, it tells the authenticator what
to do when, okay: this user isn't logged in.

00:18:42.506 --> 00:18:44.156 align:middle
Or this user is incorrect.

00:18:44.796 --> 00:18:46.556 align:middle
It runs the start() authentication.

00:18:47.226 --> 00:18:48.886 align:middle
Uh, supportsRememberMe().

00:18:49.336 --> 00:18:56.046 align:middle
this function, remember me, you find on
the user provider class or the user class,

00:18:56.366 --> 00:19:01.846 align:middle
it's basically to get the user from
the session and keep it logged in.

00:19:01.966 --> 00:19:04.966 align:middle
You may disable that if you want to.

00:19:05.256 --> 00:19:09.766 align:middle
You may check credentials, um, what
we'll do on authentication success.

00:19:10.526 --> 00:19:15.496 align:middle
If you look at this class and if you
look up on the Internet for examples

00:19:15.496 --> 00:19:23.546 align:middle
of its implementations, you'll find that some,
a little bit of similarity with programming

00:19:23.546 --> 00:19:28.656 align:middle
by events, you know: when it gets logged in,
when the request starts, when the request ends,

00:19:29.206 --> 00:19:32.206 align:middle
when it's not the same user,
when the users change.

00:19:32.436 --> 00:19:40.596 align:middle
Okay? And to configure that, you can do
that, or again, on the security.yaml.

00:19:41.996 --> 00:19:44.086 align:middle
Here is a firewall.

00:19:44.086 --> 00:19:49.666 align:middle
I'm not talking specifically about the
firewalls because it's a very extensive subject

00:19:50.176 --> 00:19:52.686 align:middle
and it's very fun to play with too.

00:19:53.386 --> 00:19:56.446 align:middle
But let's suppose we all know what
we're doing with the firewalls.

00:19:56.516 --> 00:19:58.766 align:middle
And, pay attention, if you
don't know what you're doing,

00:19:58.896 --> 00:20:01.446 align:middle
you're going to mess up your whole application.

00:20:02.136 --> 00:20:09.326 align:middle
But down there, in my main
firewall, I have some authenticators.

00:20:09.986 --> 00:20:12.016 align:middle
And why is this authenticators?

00:20:12.296 --> 00:20:14.316 align:middle
You can have lots, as I said before.

00:20:14.796 --> 00:20:18.116 align:middle
And then you just put the namespace
of your personalized authenticator.

00:20:18.146 --> 00:20:19.456 align:middle
It's really simple when you do that.

00:20:20.146 --> 00:20:26.806 align:middle
Uh, I would like to call the attention to the
bottom lines here, because there's an option

00:20:27.216 --> 00:20:34.046 align:middle
in your firewall, in your configuration that's
called stateless, cause I'm talking a lot

00:20:34.046 --> 00:20:36.206 align:middle
about recovering user from session.

00:20:36.206 --> 00:20:40.366 align:middle
There is a serialization that goes on
session of the user, blah, blah, blah, blah.

00:20:41.096 --> 00:20:45.746 align:middle
When you turn on stateless,
you can work with REST APIs,

00:20:46.376 --> 00:20:48.916 align:middle
because there's no state on your session.

00:20:49.266 --> 00:20:52.396 align:middle
And I must say it's one of
the best ways to do that.

00:20:52.576 --> 00:20:58.756 align:middle
I try to, to think like that, because you can
avoid a lot of security problems by doing that.

00:21:00.026 --> 00:21:01.606 align:middle
But you can do stateless: true.

00:21:01.606 --> 00:21:05.906 align:middle
If stateless is true here, you don't
need to implement that method that,

00:21:06.366 --> 00:21:08.256 align:middle
that's the one that loads users from session.

00:21:08.796 --> 00:21:09.896 align:middle
You can leave it blank.

00:21:10.416 --> 00:21:15.096 align:middle
We can leave it whatever message, because when
your application is configured for stateless,

00:21:16.036 --> 00:21:19.846 align:middle
they won't be calling that method any time soon.

00:21:19.946 --> 00:21:33.836 align:middle
So. And then, you have, I can say, talking some
of, like, it's like a sneak peek on user roles,

00:21:34.476 --> 00:21:42.406 align:middle
because you know, it's again, a very
extended subject, but before I talk quickly

00:21:42.406 --> 00:21:48.466 align:middle
about user roles, I would like you to
think about, you're maybe thinking,

00:21:48.706 --> 00:21:54.526 align:middle
man that girl is talking (xxxx) the whole time,
why I'm sitting here, blah blah blah, user here,

00:21:54.526 --> 00:21:57.796 align:middle
blah, blah, blah, blah again
and blah, blah, blah, stateless.

00:21:58.316 --> 00:22:03.576 align:middle
But to get to here, because every,
everyone loves to talk about ACLs.

00:22:04.236 --> 00:22:06.036 align:middle
Okay, I have to handle access.

00:22:06.036 --> 00:22:07.086 align:middle
I have user roles.

00:22:07.516 --> 00:22:13.736 align:middle
But notice, pay attention to how many steps
you must think before you get to user roles.

00:22:13.806 --> 00:22:18.146 align:middle
If we're not thinking about
that, you may have problems.

00:22:19.066 --> 00:22:25.186 align:middle
That... you will have design flaws in your
application and that can be, and will be,

00:22:25.186 --> 00:22:29.906 align:middle
exploited by malicious, I
would say malicious attacker,

00:22:29.906 --> 00:22:32.896 align:middle
but an attacker is malicious anyway, so.

00:22:33.436 --> 00:22:40.626 align:middle
Um, user roles: this is a quick configuration,
you'll do that on your User entity.

00:22:41.326 --> 00:22:44.496 align:middle
Um, you have there this method, getRoles().

00:22:45.506 --> 00:22:57.156 align:middle
Um, the big thing here when you talk about user
roles is that you can have a hierarchy of roles,

00:22:58.106 --> 00:23:05.366 align:middle
and you won't get this: Okay, I will make this
admin role and then I will configure this admin

00:23:05.366 --> 00:23:12.466 align:middle
to have access to this page, that page,
will visualize this data, that data,

00:23:13.006 --> 00:23:18.986 align:middle
but actually you begin configuring
your roles from the bottom to the top.

00:23:19.736 --> 00:23:23.096 align:middle
So when you talk about the
admin role, you just have to say

00:23:23.096 --> 00:23:25.226 align:middle
that the admin role has all the others.

00:23:26.146 --> 00:23:34.496 align:middle
Uh, another interesting fact: when you log in or
access your application without being logged in,

00:23:34.556 --> 00:23:38.366 align:middle
or logged in as an anonymous user, uh, the, the,

00:23:38.366 --> 00:23:45.646 align:middle
the component has a very interesting concept
that, uh, it's like, it's not exactly that,

00:23:45.706 --> 00:23:49.836 align:middle
but it's like the anonymous
user, it's kind of a user role.

00:23:50.666 --> 00:23:55.906 align:middle
So even if you're, okay, you're coding
then, and you're trying something

00:23:55.906 --> 00:24:02.206 align:middle
and you have the error in dev mode and you
have the profiler bar under your application,

00:24:02.206 --> 00:24:09.026 align:middle
if you are like, anonymous, okay, I'm not logged
in and I'm, I'm on the poor mode of the browser.

00:24:09.026 --> 00:24:13.896 align:middle
I mean the anonymous mode of the browser,
and you answered that and you go check

00:24:14.276 --> 00:24:20.136 align:middle
if you're authenticated, because you have
the user information on the status bar,

00:24:21.166 --> 00:24:25.206 align:middle
you'll see that it will show you that
you are authenticated as an anon.

00:24:26.416 --> 00:24:33.316 align:middle
And basically, uh, the user role
anon doesn't have any permissions.

00:24:34.306 --> 00:24:42.686 align:middle
So, every time you are not logged in, the
application treats you like you are logged

00:24:42.766 --> 00:24:47.476 align:middle
in with a user that has no,
no permissions at all.

00:24:47.876 --> 00:24:51.606 align:middle
And this is a very interesting fact because
when you're coding your application and thinking

00:24:51.606 --> 00:24:56.676 align:middle
about the security issues
or access, or permissions,

00:24:57.656 --> 00:25:01.076 align:middle
you don't have to think on the "no" option.

00:25:01.106 --> 00:25:05.166 align:middle
It's like: okay, I will remove this and that

00:25:05.546 --> 00:25:08.056 align:middle
and this guy can do that,
no, he's logged in as anon.

00:25:08.926 --> 00:25:14.636 align:middle
And you can even mess with that and give
the anonymous user access to some features

00:25:14.636 --> 00:25:18.246 align:middle
of your system or your application
without being logged in.

00:25:18.246 --> 00:25:21.286 align:middle
And you can do that simply by using
a (inaudible) the configuration,

00:25:22.406 --> 00:25:29.986 align:middle
setting up some paths or URLs or patterns that
you're, the anonymous user can have access to.

00:25:30.956 --> 00:25:32.996 align:middle
Okay? And you can mess around with that too.

00:25:32.996 --> 00:25:37.486 align:middle
You can, you have: okay, you have access
here and I'm using the Guard authenticator

00:25:37.486 --> 00:25:43.546 align:middle
and for any anon user, it can only see
this kind of data, not that kind of data.

00:25:43.876 --> 00:25:48.136 align:middle
And this is where you would configure.

00:25:49.236 --> 00:25:52.566 align:middle
The guy here: access_control.

00:25:52.996 --> 00:25:54.446 align:middle
You have your firewall configuration.

00:25:54.446 --> 00:25:58.066 align:middle
I was, as I was talking, the
anonymous user there in the main.

00:25:59.096 --> 00:26:03.496 align:middle
Then you have access_control,
so, you can play here.

00:26:03.496 --> 00:26:08.716 align:middle
This, this makes your life a lot easier when
you filter access in your application.

00:26:09.496 --> 00:26:14.226 align:middle
You may give that: Okay, I will enter,
um, I don't know, the welcome screen

00:26:14.226 --> 00:26:20.496 align:middle
after the user has logged in, and I have a
dashboard, but I have a specific dashboard,

00:26:20.496 --> 00:26:25.686 align:middle
I don't know, with financial
information that only the admins can see.

00:26:26.976 --> 00:26:29.296 align:middle
So when I have a low user accessing,

00:26:30.146 --> 00:26:33.786 align:middle
I can author that information
right on the template, on Twig.

00:26:34.446 --> 00:26:38.816 align:middle
You can call the user role
that, it's like app user access.

00:26:39.566 --> 00:26:44.236 align:middle
But let's suppose you're not
thinking of, on that kind of detail.

00:26:44.446 --> 00:26:48.656 align:middle
You can do something quick,
or quicker, or faster.

00:26:48.656 --> 00:26:50.106 align:middle
That's the better word to say that.

00:26:50.546 --> 00:26:56.606 align:middle
So you have it here: access_control and then
you can say right here, like, what's the role?

00:26:57.506 --> 00:26:59.726 align:middle
Which role has access to which pages?

00:27:00.196 --> 00:27:06.856 align:middle
Or you can think about paths, you can think about
URLs or hosts, that's the option you can use,

00:27:07.526 --> 00:27:11.266 align:middle
and then you can make everything
just from the configuration file.

00:27:12.286 --> 00:27:19.936 align:middle
If I have a simple application, if
I have one with only, like, editing,

00:27:20.676 --> 00:27:25.166 align:middle
I dunno, employees' information,
you can set it up through here.

00:27:25.286 --> 00:27:32.216 align:middle
And every time we need to change something:
Oh God, the director said that the guy

00:27:32.216 --> 00:27:40.106 align:middle
from the next department has to see the
page "B" now, and he can only see the "A".

00:27:40.406 --> 00:27:44.846 align:middle
You don't have to change lines
of code, you can do it right here.

00:27:45.796 --> 00:27:52.856 align:middle
But of course you can only do it right here easily
if you pay attention from the beginning: user,

00:27:53.456 --> 00:27:58.256 align:middle
user provider, authentication,
guard authenticator.

00:27:58.826 --> 00:28:03.396 align:middle
How does, how do I handle my requests
before I reach the controller?

00:28:03.876 --> 00:28:06.876 align:middle
Because, sometimes we are used to
doing authentication in the controller.

00:28:06.876 --> 00:28:09.276 align:middle
That's not one of the best ways to do that.

00:28:09.436 --> 00:28:14.476 align:middle
So. And that's how you can play with user roles.

00:28:15.106 --> 00:28:21.996 align:middle
Okay. Um, I could talk a lot more
about that, specifically security,

00:28:21.996 --> 00:28:27.856 align:middle
I like to talk about that, but unfortunately
I won't have time to talk about all the stuff

00:28:27.856 --> 00:28:29.366 align:middle
that comes from the security component.

00:28:29.506 --> 00:28:34.926 align:middle
But I would like to say thank you.

00:28:35.306 --> 00:28:37.966 align:middle
It's a, thank you for being here.

00:28:37.966 --> 00:28:44.006 align:middle
Thank you for listening to my bad English
and I'm here to answer all your questions.

00:28:44.006 --> 00:28:45.836 align:middle
Not only here, but I'll be here all day.

00:28:45.836 --> 00:28:51.866 align:middle
So come and talk to me on Twitter and
Instagram because I'm kind of a hipster developer.

00:28:52.536 --> 00:28:57.546 align:middle
So if anyone has questions, or
you may, I don't know, curse me?

00:29:11.556 --> 00:29:24.516 align:middle
I can hear that too.

00:29:25.656 --> 00:29:33.876 align:middle
Thank you.

00:29:37.436 --> 00:29:41.096 align:middle
Thank you.

