…because we're dealing with payment stuff. You can also configure 2FA at a later time for even more security. Remember to use your real email because you'll need to confirm it before you can begin. We'll also send some test emails that…

…The user sends the plain-text password they want... then we're saving that directly into the database. That's a huge security problem... and it makes it impossible to log in as this user, because Symfony expects the password property to hold a hashed…

…but not normal users. Add treasure:write. That means anyone with access to the Patch operation can write to this field... which in reality, thanks to the security on that operation... and a custom voter we created... is just admin users and the owner. Try…

…in the database. I love that. This is all possible thanks to a powerful event listener system inside of security. Let's learn more about that next and see how we can leverage it to add CSRF protection to our login form... with about two…

…chain of decorated services. Ok, let's get to work setting the owner. Autowire our favorite Security service so we can figure out who is logged in: Then, before we do the saving, if $data is an instanceof DragonTreasure and $data->getOwner() is null and…

…to the next pattern, let's take a look at a real-world example. Symfony leverages Chain of Responsibility in its security component. It uses a concept called "Voters" to determine if a user has access to a specific resource or not. But Symfony implements…

…see that it's super simple: it just reads a very specific key from the session. This is the key that the security system sets when an anonymous user tries to access a protected page. Let's try this thing! We're already logged out…

…and we're implementing PasswordAuthenticatedUserInterface, I'm going to remove this comment above the method: Ok, let's forget about security for a minute. Instead, focus on the fact that we need to be able to store a unique password for each user in the…

…variable is literally going to be an AuthenticationException object. And remember, to figure out what went wrong, all AuthenticationException objects have a getMessageKey() method that returns an explanation. In templates/security/login.html.twig, let's render that. Right after the h1, say if error…

…to the data that they are not allowed to make - like they could set a field to foo but they aren't allowed to change it to bar because they don't have enough permissions. How should we handle that? It's security meets validation.

…we want to add the owner:read group. On the constructor, autowire the Security service as a property: Then, down here, if $object is an instanceof DragonTreasure - because this method will be called for all of our API resource classes - and $this->security->getUser() equals…

…message: {user} is voting on answer {answer} Pass this a second argument, which is called the logger "context". This is unrelated to security... it's just kind of cool. The second argument is an array of any extra data that you want to store along…

…they're basically doing the same thing that we are. So let's use this instead of our custom authenticator... which I would do in a real project unless I need the flexibility of a custom authenticator. In security.yaml, comment-out our customer authenticator..…

…security.yaml. Anywhere under our firewall, add logout: true: Internally, this activates a "listener" that looks for any requests to /logout. And actually, instead of just saying logout: true, you can customize how this works. Find your terminal and run: symfony console debug:config security…

…item, that central object is that single item. And that's really important. It's used in various places, like the security attribute: when we use is_granted, the object variable will be that "central" object. For example, if we make a Patch() request, that…

…But that won't work, as we're not authorized to send emails on behalf of that user. More on email security soon. Fortunately, there's a special email header called Reply-To for just this scenario. When building your email, set it with ->replyTo…

…have access. That sounds like a pain in the butt! Fortunately, Symfony has a feature just for this called role hierarchy. Open up config/packages/security.yaml and, anywhere inside of here... but I'll put it near the top, add role_hierarchy. Below this…

…none of our authenticators provide an entry point... so let's add one! Open up our authenticator: src/Security/LoginFormAuthenticator.php. If you want your authenticator to provide an entry point, all you need to do is implement a new interface: AuthenticationEntryPointInterface: This requires the…

…ApiPlatform/, let's also delete AdminGroupsContextBuilder. This was a complex way to make fields readable or writable by our admin... but we're going to solve that with ApiProperty security. Also get rid of the custom normalizer... which added a field and an extra group…

…once it's uploaded, we'll need a way to link to that file... except if you need to do a security check before letting the user download the file. Then you'll need to handle things in a totally different way. Um... so wow…