Login Form Authenticator
…To see if things are working, let's just dump($request->request->all()),
then die():
I know, that looks funny. Unrelated to security, if you want to read POST
data off of the request, you use the $request->request property.
Anyways, let's try it…
Customizing Errors & Logout
…at the beginning of every request,
before the controllers? The logout process works the same way. All we need to do
is tell Symfony what URL we want to use for logging out.
In security.yaml, under your firewall, add a new key: logout and…
Authentication Errors
…getCredentials(),
instead of returning, add $credentials = :
Now, set the email onto the session with $request->getSession()->set().
Use a special key: Security - the one from the Security component - ::LAST_USERNAME
and set this to $credentials['email']:
Then, at the bottom, return $credentials:
Try it…
Fetching the User In a Service
…But! There's a cooler way. Add a 2nd argument to info: an array. Give it a
user key - I'm just making that up - and set it to the user object:
$this->security->getUser():
Unrelated to security, every method on the logger, like info()…
Serializer & API Endpoint
…serializer component! It's a kick
butt way to turn objects into JSON, or any other format. I don't want to talk too
much about the serializer right now: we're trying to learn security! But, I do
want to use it. Find your…
API Token Authenticator
…work! Open ApiTokenAuthenticator. Ok: this is our second authenticator,
so it's time to use our existing knowledge to kick some security butt! For supports(),
our authenticator should only become active if the request has an Authorization
header whose value starts with the word "Bearer"…
Role Hierarchy
…give them that new role. That's a bummer!
But... don't worry! Symfony has our backs with a sweet feature called
role_hierarchy. Open config/packages/security.yaml. Anywhere inside, I'll
do it above firewalls, add role_hierarchy. Below, put ROLE_ADMIN set…
Entry Point: Helping Users Authenticate
…that same, big, adorable empty authenticator we saw earlier.
To tell Symfony to use this, open config/packages/security.yaml and add the new
class under authenticators:
If you're using that newer, fancier version of this command, it already did this
for you. Lucky…
Article Admin & Low-Level Access Controls
…engage.
Perfect! We still have access but... well... anyone has access to this page
right now.
The simplest way to enforce our custom security logic is to add it right in
the controller. Check it out: if ($article->getAuthor() !== $this->getUser())
and if !$this…
Upgrade to Symfony 3.4
…I keep responsible
version constraints in composer.json, ahem, no dev-master or * versions, this
is pretty safe and also means I get bug fixes, security fixes and new features.
And... hello Symfony 3.4! The best part? Ah, you guys already know it: thanks…
Installing Composer & the script Module
…install code. It will change for every version of the install.
Huh. Composer includes a bit of built-in security: a SHA hash to make sure that
the installer hasn't been tampered with. If we tried to use these 4 commands in
Ansible, it…
Tagging Tasks
…yep! "Filter by Tag!".
By the way, going to app_dev.php only works because I've already modified some
security logic in that file to allow me to access it:
Ok, back in our local machine, run the playbook... this time with -t deploy…
Role Hierarchy
…s lame.
Of course, you can solve this with that group system we talked about earlier, but
that's usually overkill. And, there's a simpler way.
In security.yml, let's take advantage of something called role hierarchies. It's
simple, it's awesome!…
Caching in the prod Environment Only
…along with
security.yml and services.yml:
The key point is that all of the files are just loading each other: it's all the
same system.
In fact, I could copy all of security.yml, paste it into config.yml, completely
delete security.yml…
Twig Layouts (Template Inheritance)
…that shows you exactly how long each part
of your application took to render. This is amazing for debugging and profiling.
There are also details in here on Twig, security, routes and other cool stuff. We'll
keep exploring this as we go along.
Ok…
Autowiring Madness
…thing I was talking about earlier. This will
lead you to wonderful applications.
There's really nothing that we can't do now in Symfony. In the next courses, we'll
use all this to master new tools like forms and security. Seeya next time!
Authenticator: getUser, checkCredentials & Success/Failure
…RouterInterface:
Use the Option+Enter shortcut again to set up that property:
Down in getLoginUrl(), return $this->router->generate('security_login'):
So what happens when authentication is successful? It's awesome: the user is automatically
redirected back to the last page they tried to visit…
Doctrine Listener: Encode the User's Password
…do nothing:
Now, on to encoding that password.
Symfony comes with a built-in service that's really good at encoding passwords. It's
called security.password_encoder and if you looked it up on debug:container, its
class is UserPasswordEncoder. We'll need that…
LexikJWTAuthenticationBundle
…copy the second line to create a private key, but change its path to the
var/jwt directory:
This asks you for a password - give it one! It adds another layer of security in case
somebody gets your private key. I'll use happyapi. Perfect…
Create a Shiny JSON Web Token
…to hide the fact that the username was wrong, you can throw
a BadCredentialsException instead - you'll see me do that in a second.
Checking the password is easy: $isValid = $this->get('security.password_encoder')
->isPasswordValid(). Pass it the $user object and the raw…