The "Entry Point" & Multiple Firewalls
…our start() method in this situation? So what gives?
Open up security.yml:
Here's the problem: we have a single firewall. When an anonymous request accesses
the site and hits a page that requires a valid user, Symfony has to figure out what
one…
Authorization via a Token
…
So let’s hook this up! Some of this is specific to Silex’s security system,
but in case you’re using something else, we’ll stay high level enough to see
what types of things you need to do in your system to make…
Authentication Error Format
…are working.
We are denying access, sending a 401, and because of our security error handling
in that ApiEntryPoint class, we’re sending a nice api problem format with
the actual detail set to “Invalid Credentials.” Like before, this message
comes from deep inside Silex…
Centralizing Error Response Creation
…src/KnpU/CodeBattle/Security/Authentication/ApiEntryPoint.php
// ...
use KnpU\CodeBattle\Api\ApiProblemResponseFactory;
class ApiEntryPoint implements AuthenticationEntryPointInterface
{
    private $responseFactory;

    // The factory is injected here so that start() can build the same
    // API problem response that the rest of the API uses
    public function __construct(ApiProblemResponseFactory $responseFactory)
    {
        $this->responseFactory = $responseFactory;
    }
}
So now, when this object is created we’re going to have access to this
ApiProblemResponseFactory. Down below, we can just use it:
// src/KnpU/CodeBattle/Security/Authentication/ApiEntryPoint…
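As an added, stand-alone illustration of what an API entry point does (this is not the tutorial's file or KnpU's code), here is an entry point that answers any unauthenticated or badly authenticated request with a 401 whose body is RFC 7807 "problem details" JSON. It builds the response with Symfony's JsonResponse rather than the tutorial's ApiProblemResponseFactory, whose API is not shown on this page; the App\Security namespace and the Bearer challenge scheme are assumptions.

```php
<?php
// Added example (not the tutorial's code): an AuthenticationEntryPointInterface
// implementation that turns "you are not authenticated" into a 401 API problem response.

namespace App\Security; // assumed namespace

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;

class ApiEntryPoint implements AuthenticationEntryPointInterface
{
    /**
     * The firewall calls start() when an anonymous request hits a protected URL
     * ($authException is null) or when presented credentials are rejected.
     */
    public function start(Request $request, ?AuthenticationException $authException = null): Response
    {
        // getMessageKey() is the safe, user-facing key ("Invalid credentials."),
        // unlike getMessage(), which can carry internal detail you do not want to leak.
        $detail = $authException
            ? $authException->getMessageKey()
            : 'Authentication is required to access this resource.';

        $problem = self::buildProblem(Response::HTTP_UNAUTHORIZED, $detail);

        $response = new JsonResponse($problem, $problem['status']);
        $response->headers->set('Content-Type', 'application/problem+json');
        // RFC 7235 requires a WWW-Authenticate challenge on a 401; use the scheme your API
        // actually accepts (Bearer is an assumption here).
        $response->headers->set('WWW-Authenticate', 'Bearer');

        return $response;
    }

    /**
     * The body shape lives in one place so every 401 from the API looks identical,
     * which is exactly what centralizing error response creation is about.
     */
    public static function buildProblem(int $status, string $detail): array
    {
        return [
            'status' => $status,
            'type'   => 'about:blank',
            'title'  => Response::$statusTexts[$status] ?? 'Unknown',
            'detail' => $detail,
        ];
    }
}
```

Register the class as the firewall's entry point (in Silex via the security service, in Symfony via the firewall's entry_point key) and every denied request on that firewall gets the same status, content type and body, whether it came from a missing header or a bad token.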
Creating Token Resources in the API
…put our first scenario here, which is going to be the working
scenario for creating a token. Even though a token relates to security it’s
really no different than any other resource we’re creating, like a programmer
resource. So the scenario for this…
GET Your (One) Battle On
…showAction will have an $id
argument.
From here, life is really familiar. First, do we need security? Always ask
yourself that. I'm going to decide that anyone can fetch battle details
without being authenticated. So we won't add any protection.
We will…
Doctrine Event Listeners
…is being saved, we’ll just ignore it. This is important because the function
is called when any entity is saved:
// src/Yoda/UserBundle/Doctrine/UserListener.php
// ...
public function prePersist(LifecycleEventArgs $args)
{
    // Doctrine fires this for every entity; bail out unless it is a User
    $entity = $args->getEntity();
    if (!$entity instanceof User) {
        return;
    }
}
Injecting the security.encoder_factory Dependency
We’re almost done. You’ve probably…
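Here is an added example of the complete listener with the security.encoder_factory service injected, hashing a user's plain password before Doctrine inserts the row. It is not the tutorial's file: it assumes the User entity lives at Yoda\UserBundle\Entity\User and exposes getPlainPassword(), setPlainPassword(), setPassword() and getSalt(), and it uses the EncoderFactoryInterface API of Symfony 2 through 4 (Symfony 5.3+ replaced it with password hashers).

```php
<?php
// Added example (not the tutorial's code): hash the password in a Doctrine prePersist
// listener using the injected security.encoder_factory service.

namespace Yoda\UserBundle\Doctrine;

use Doctrine\ORM\Event\LifecycleEventArgs;
use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
use Yoda\UserBundle\Entity\User; // assumed entity class

class UserListener
{
    private $encoderFactory;

    public function __construct(EncoderFactoryInterface $encoderFactory)
    {
        $this->encoderFactory = $encoderFactory;
    }

    public function prePersist(LifecycleEventArgs $args)
    {
        $entity = $args->getEntity();
        if (!$entity instanceof User) {
            return; // fired for every entity; only Users carry a password
        }
        $this->encodePassword($entity);
    }

    private function encodePassword(User $user)
    {
        $plain = $user->getPlainPassword(); // assumed accessor
        if ($plain === null || $plain === '') {
            return; // nothing new to hash (e.g. a fixture that already has a hash)
        }
        // The encoder is chosen per user class from the "encoders" section of security.yml,
        // so the algorithm (bcrypt, argon2i, ...) is configured in one place, not here.
        $encoder = $this->encoderFactory->getEncoder($user);
        $user->setPassword($encoder->encodePassword($plain, $user->getSalt()));
        // Do not let the plaintext linger on the object once it has been hashed.
        $user->setPlainPassword(null); // assumed accessor
    }
}
```

Two practical caveats: prePersist only covers INSERTs, so password changes on existing users need a preUpdate hook as well, and in preUpdate Doctrine has already computed the changeset, so after calling setPassword() you must call recomputeSingleEntityChangeSet() on the unit of work or the new hash is silently never written.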
OAuth with Facebook
…id,
redirect_uri and scope parameters. But we get an error:
It's complaining about the redirect URL we're sending. For security, OAuth
servers allow, and usually require, you to register your redirect URL in your
application's settings: the authorization code is delivered to that URL, so if
the server accepted any redirect_uri an attacker could have the code sent to a
site they control. Go back to our application and…
Using Refresh Tokens
…them without the client's credentials,
as you'll see. Splitting this into two tokens limits the damage when one leaks:
the access token is short-lived, and the refresh token is only useful to someone
who also holds the client's credentials.
Fortunately, COOP does support refresh tokens. Open up the CoopOAuthController
where we…
Gherkin
…imagine that park security wants to
control park fences from a mobile app, while vacationing thousands of miles away.
Feature: Remote fence control API
In order to control fence security from anywhere
As an API user
I need to be able to POST JSON instructions…
Hello Layouts+ Setup!
…inspire people to be the best chefs they can be... for their dogs.
This is a pretty traditional Symfony app with a few controllers and some Twig
templates. It also has two entities: A User entity for security, and a Recipe
entity. On the site…
Subresources
…user via the SearchFilter
on CheeseListing. And using subresources means that you have more endpoints to
keep track of, and, when we get to security, more endpoints means more access
control to think about.
So, use subresources if you want, but I don't recommend…
API Debugging with the Profiler
…the request headers, request
content - which is really important when you're sending JSON - and all the
goodies that you expect - cache, performance, security, Doctrine, etc.
In addition to the little web debug toolbar AJAX tracker we just saw, there are
a few other ways…
OpenAPI Specification
…what each does, the
parameters of the input, what output to expect, details related to security...
it basically tries to completely describe your API.
So if you have one of these JSON configuration files, you can plug it into Swagger
UI and... boom! You get…
Custom Authenticator authenticate() Method
…new Passport().
By the way, if you're new to the custom authenticator system and want to learn
more, check out our Symfony 5 Security tutorial
where we talk all about this. I'll go through the basics now, but the details
live there.
Before…
Publishing a Listing
…I'll just create one... and log in as that
user so that we have access to the PUT request:
Thanks to the last tutorial, we already have security rules to prevent anyone
from editing someone else's listing. Down here, for the JSON body…
Publish State Change Validator Logic
…status code instead of allowing this:
To fix that, we need to see if the user is an admin. Add a second argument to the
constructor Security $security. I'll initialize this property:
Then below, update the if statement: if the description is too short…
Setting a Custom Field Via a Listener
…if there
is one, and if there is, call setIsMe(true) on it.
Add public function __construct() with a Security $security argument. I'll
hit Alt+Enter and go to "Initialize properties" to create that property
and set it:
Then down in onRequestEvent(), start with:…
Adding & Populating the Custom Field
…yes! Every record has isMe: true.
Setting this to the correct value is probably the easiest part of the whole process.
Start by adding a second argument to the constructor - Security $security - so
we can get the authenticated user. I'll hit Alt+Enter and…
Sender Authentication: SPF & DKIM
…hear: SPF, DKIM and DMARC.
Here's the 60 second explanation of the first two.
Both SPF and DKIM are security mechanisms built on DNS records that state
exactly who is allowed to send email for your domain. SPF works
by…
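To make the SPF half concrete, here is an added example (not from the tutorial) of the check a receiving mail server performs: it looks at the connecting IP and walks the domain's SPF record, where each mechanism either matches the sender or is skipped, and the first match decides the result. It handles ip4 mechanisms and the all catch-all with their qualifiers; mechanisms that need further DNS lookups (include, a, mx, redirect) are out of scope and reported as unsupported. The record and sender addresses are constructed for the demo.

```php
<?php
// Added example: a minimal SPF evaluator for IPv4 senders (RFC 7208 result vocabulary).

function ipv4InCidr(string $ip, string $cidr): bool
{
    if (!str_contains($cidr, '/')) {
        $cidr .= '/32';                      // a bare address matches only itself
    }
    [$network, $bits] = explode('/', $cidr, 2);
    $bits = (int) $bits;
    $ipLong = ip2long($ip);
    $netLong = ip2long($network);
    if ($ipLong === false || $netLong === false || $bits < 0 || $bits > 32) {
        return false;                        // a malformed operand never matches
    }
    $mask = $bits === 0 ? 0 : ((~0 << (32 - $bits)) & 0xFFFFFFFF);
    return (($ipLong & $mask) === ($netLong & $mask));
}

/**
 * Returns pass, fail, softfail, neutral, none or permerror for the given sender IP.
 */
function evaluateSpf(string $record, string $senderIp): string
{
    $terms = preg_split('/\s+/', trim($record));
    if (array_shift($terms) !== 'v=spf1') {
        return 'none';                       // not an SPF record at all
    }
    $qualifiers = ['+' => 'pass', '-' => 'fail', '~' => 'softfail', '?' => 'neutral'];

    foreach ($terms as $term) {
        $qualifier = '+';                    // an unqualified mechanism means "pass"
        if (isset($qualifiers[$term[0]])) {
            $qualifier = $term[0];
            $term = substr($term, 1);
        }
        if ($term === 'all') {
            return $qualifiers[$qualifier];  // "all" matches every sender; first match wins
        }
        if (str_starts_with($term, 'ip4:')) {
            if (ipv4InCidr($senderIp, substr($term, 4))) {
                return $qualifiers[$qualifier];
            }
            continue;                        // no match, try the next mechanism
        }
        return 'permerror';                  // include/a/mx/redirect need DNS; unsupported here
    }
    return 'neutral';                        // nothing matched and no "all" was present
}

// Constructed record: one /24 and one single host may send; everything else hard-fails.
$record = 'v=spf1 ip4:192.0.2.0/24 ip4:198.51.100.7 -all';
foreach (['192.0.2.45', '198.51.100.8', '203.0.113.9'] as $sender) {
    echo $sender, ' => ', evaluateSpf($record, $sender), "\n";
}
```

Walking through the constructed record: 192.0.2.45 falls inside 192.0.2.0/24 and passes, 198.51.100.8 is not 198.51.100.7 so it falls through to -all and fails, and so does 203.0.113.9. Note that SPF only authorizes the connecting IP for the domain in the envelope sender (MAIL FROM), which is why DKIM and DMARC are still needed to tie the visible From header to a signature.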