Production Profile: Cache Stats & More Recommendations
…bigger.
The other thing I want to show you is under "Recommendations" on the left.
There are 3 types of recommendations... and we have one of each: the first is
a security recommendation, the second is a quality recommendation and the third
a performance recommendation…
Uploading References
…keep going! Because the article {id} is in the URL, add an Article $article
argument. Oh, and we need security! You can only upload a file if you have access
to edit this article. In our app, we check that with this
@IsGranted("MANAGE", subject=…
Installing phpspec
…and,
with any luck, some security systems that - thanks to our tests - won't fail as
soon as a storm rolls in or a developer leaves early for lunch.
To make sure our dinosaurs don't once again rule the Earth, you should totally
code…
Adding & Checking the User's Password
…of this password encoding stuff for us. Nice!
We just need to tell it which encoder algorithm to use. Go back to security.yaml.
Add one new key: encoders. Below that, put the class name for your User class:
App\Entity\User. And below that…
User Login with OAuth
…endpoint.
Notice I'm giving the new user a blank password. Does that mean someone could
login as the user by entering a blank password? That would be a huge security
hole!
The problem is that the user isn't choosing a password. In fact…
OAuth2 in 8 Steps
…exchanging
an authorization code for a token, and using the token;
Authentication (single sign-on) using OAuth;
Handling expired tokens;
Using refresh tokens;
Integrating and authenticating with Facebook;
OAuth integration with Google+;
What to look out for with security and how you can tighten things.
Hunting Down the Final Deprecations
…the list says:
SessionInterface aliases are deprecated, use $requestStack->getSession()
instead. It's being referenced by the LoginFormAuthenticator service.
Let's go check that out! Open src/Security/LoginFormAuthenticator.php. Ahh.
I'm autowiring the SessionInterface service. In Symfony 6, that service no
longer exists…
The Answer Entity
…which will be a string. Eventually, in the
security tutorial, we'll change this to be a relationship to a User entity.
Use the 255 length and make it not nullable.
Oh, and one more: a votes property that's an integer so that people…
kernel.response Event & Request Format
…ones, like ResponseListener. Let's open that one up.
I'll hit Shift+Shift to open ResponseListener.php: get the one from
http-kernel/, not security. It says:
ResponseListener fixes the Response headers based on the Request.
Let's... find out what that means. Inside…
FrameworkBundle Recipe Part 2: The Kernel Class
…from here because it is also defined in translation.yaml... and someone
realized it was pointless and a bit confusing to have it in both places.
The cookie settings are a bit more interesting: they activate two security-related
features. The first is cookie_secure…
Updating the webpack-encore-bundle Recipe
…out, it's super minor:
It disables a validator in the test environment that makes a network request
and is a security-related feature that just isn't needed in your tests.
The last new file is in the same directory - webpack_encore.yaml:
Which…
Overriding Secrets Locally (Local Vault)
…MAILER_DSN secret... but add an
extra --local flag to the end:
So far... this looks identical to before. I'll paste in my Mailtrap value... which
the command hides for security reasons. And... fascinating! This didn't change
our dev vault at all! Nope…
Prod Vault Optimization & Vault for Tests
…values and the private key to decrypt them. Storing the secrets in
plain text but removing the decrypt key from production is really the same thing
from a security standpoint.
The point is: there's no security difference. Let's delete the .env.prod.local…
Spotting Heavy Object Instantiation
…have an object that is instantiated on
every request... but only needs to do real work in rare cases. Certain event
subscribers - like our AgreeToTermsSubscriber - Symfony security voters & Twig
extensions are other examples from Symfony. These services might be quick to
instantiate... so no problem…
Rendering the File List Client Side
…references.
Now add the methods="GET" - yes you can leave off the curly braces when
there's just one method - and name="admin_article_list_references".
Down in the method, add the Article argument and don't forget
the security check: @IsGranted("MANAGE", subject="article")…
Deleting Files
…API, we would want to have a different endpoint for
making a GET request to /admin/article/references/{id} that would return the
JSON for that one reference.
Inside, add the ArticleReference $reference argument and then we'll add our
normal security check. In fact…
Private Downloads & Signed URLs
… Back in the controller, copy the $disposition line - we're going to put
this back in a minute. Then, delete everything after the security check, paste
the $disposition line, but comment it out for now.
Ok, let's go steal some code from the docs…
Changing PHP
…So, one afternoon, in an office
somewhere, uh, we were having a security scan, um, and certain requests were
hanging on certain conditions. Um, and basically it boiled down to the fact
that the text protocol of Memcached cannot really handle new lines in the…
When Existing Tests Break & Exceptions in __construct()
…over $initialDinosaurs as $dinosaurs and say,
this->addDinosaur($dinosaur). That was the mistake that other programmer made:
I'm using addDinosaur() instead of just setting the $dinosaurs property directly
because that method contains the security checks.
So... that should be it! Let's try phpspec…
All about the User class
…have a normal entity class that also has a getUsername()
method and a getRoles() method. It's really pretty boring.
The other file that was modified was config/packages/security.yaml. Go back to
your terminal and run:
git diff
to see what changed. Ah…