Flysystem: Filesystem Abstraction
…things into the public/ directory: they will be publicly accessible. We'll
talk about private uploads soon - those are files where you need to do some
security checks before you allow a user to see them. Change the directory to
%kernel.project_dir% and then…
Entity & Field Permissions
…able to see and edit other user accounts. We could hide the section entirely for
moderators, or we could add some security so that only their own user account
is visible to them. This is called "entity permissions". It answers the question
of whether or…
Extending with Events
…we're going to need the
current user object, which we get via the security service. Let's autowire that:
add public function __construct() - with a Security $security argument. Hit
"alt" + "enter" and go "Initialize properties" to create that property and set it.
Love it…
Custom Stimulus JavaScript Controller
…file for the frontend.
This means that users that visit our frontend are downloading snarkdown_controller
and snarkdown itself. That's probably not a security problem... but it is wasteful
and will slow down the frontend experience.
My favorite way to fix this is to…
Tailwind CSS
…on a Mac. Run:
open bin/tailwindcss
If this is the first time you've downloaded the file, it will ask you to verify
that you do want to open it from a security standpoint.
Okay! We now have the bin/tailwindcss executable, which does…
2 Factor Authentication & Authentication Tokens
…Step 4 is to configure the firewall. This part we do need to do.
Start by copying the two_factor stuff. Then open up
config/packages/security.yaml. This new config can live anywhere under our
main firewall. I'll paste it after form_login…
LemonSqueezy Checkout Overlay
…https://app.lemonsqueezy.com/js/lemon.js. Also add the
defer attribute.
LemonSqueezy advises against self-hosting the lemon.js file, since you might
miss out on new features and crucial security patches. Be sure to link it
directly, to keep payment-related matters as…
The Secrets Vault
…I'll
say CHANGEME. You can't see me type that... only because Symfony hides it for
security reasons.
Since this is the first secret we've created, Symfony automatically created the
secrets vault behind the scenes... which is literally a set of files that…
BDD Features
…good. What else do we have? Check out the "Fence Security Activated" message on the site.
Let's imagine we need to create an API where someone can make an API request to turn the fence
security on or off from anywhere. For example, if…
Rendering the QR Code
…after the user enables two-factor authentication, let's render a template
with an image to this URL. Return $this->render('security/enable2fa.html.twig').
Copy the template name, head into templates/security, and create that:
enable2fa.html.twig. I'll paste in a basic…
QR Data & Scanning with an Authenticator App
…this isTotpAuthenticationEnabled() method
returned true. Second, the security "token" - that internal thing that wraps your
User object when you log in - well, it matches one of the tokens in our configuration.
Specifically, we get the UsernamePasswordToken when we log in via the form_login
mechanism…
Activating 2FA
…and hit tab to get the use
statement on top:
For the most part, I've been using IS_AUTHENTICATED_REMEMBERED for security...
so that you just need to be logged in... even if it’s via a "remember me" cookie.
But I'm using…
Manual Authentication
…really easy. We could just autowire the LoginFormAuthenticator service
up here and pass it in.
But, in our security.yaml file, our main way of authenticating is form_login:
That does activate an authenticator service behind the scenes - just like our
custom LoginFormAuthenticator. The tricky…
API Platform Installation!
…also JSON-LD or HAL JSON. Then there's hypermedia, linked
data, status codes, error formats, documentation - including API spec
documentation that can power Swagger. Then there's security, CORS, access control
and other important features like pagination, filtering, validation,
content-type negotiation, GraphQL... and…
Limiting the Number of Results
…this to dynamically create the query string. Technically,
this is simple. But wait! What I’m about to show you is a huge security
hole, I mean huge! Take the $limit variable and add it to the end
of the string. This is called concatenation:
…
Endpoint for Downloading Private Files
…the file directly:
it's not public. Instead, we're going to link to a Symfony route and controller
and that controller will check security and return the file to the
user. Let's do this in ArticleReferenceAdminController. Add a new public function,
how about…
Custom Redirect when "Email Not Verified"
…it
in action.
To start, we need to create a custom authentication exception class. This will
serve as the "signal" that we're in this "account not verified" situation.
In the Security/ directory, add a new class: how about
AccountNotVerifiedAuthenticationException. Make it extend AuthenticationException.
And…
Leveraging the Question Owner
…out all the way - I don't want
to dive into the form system - but we are going to get it started. And this is
going to lead us to a really interesting security situation.
Over in src/Controller/QuestionController.php... find the show() action…
Recipe Upgrades: Part 2!
…added enable_authenticator_manager: true. This enables
the new security system. We're going to talk about that later. For now, set this
to false so that we're still using the old security system.
It also added something called password_hashers, which replaces encoders…
Deploying to SymfonyCloud
…This is actually great. Really! The deploy command automatically
checks your composer.lock file to see if you're using any dependencies with known
security vulnerabilities. Some of my Symfony packages do have vulnerabilities...
and if this were a real app, I would upgrade those…