PHPUnit: Secure the Park
…nothing! Just, "Welcome to Dinosaur Park". Instead of creating
a park full of dinosaurs and then worrying about security... ahem... we don't
have any code yet. We're going to build this dino factory and write tests all
at the same time.
The de…
Testing Exceptions
…puts the short
name... so go copy the use statement and put it down here.
Try it!
Yes! One more test passing.
I want to go through one more example next... and also add some security to the
enclosures. Our guests have been terrorized enough.
Rock some FOSUserBundle!
…PHP web server. Ok, load this up in your browser: http://localhost:8000.
Welcome to AquaNote! This is the same project we've been building in our main Symfony
tutorials, but without any security logic. Gasp! See that Login link? It's a lie!
It…
Understanding Autowiring Logic
… First, autowiring looks for a
service whose id exactly matches the type-hint. In other words, it looks for a
service whose id is Symfony\Component\Security\Core\Encoder\UserPasswordEncoder:
If that exists, it's used... always. This is the main way that autowiring works…
Autowiring Controller Arguments
…id isn't referenced anywhere, so remove that. The
app.security.login_form_authenticator is used in two places: security.yml
and also UserController:
Copy the new service id - the class name. In security.yml, just replace the old
with the new:
Next, in UserController…
Upgrading to Symfony 3.3!
…trusted_proxies configuration was removed. Open up
app/config/config.yml: there it is! Just take that out:
The option was removed for security reasons. If you did have a value there,
check out the docs to see the replacement.
Ok, even though composer update…
Adding a Custom Action
…match what we put in the config:
Notice the URL for this is just /genus/feed. It does not start with /easyadmin.
And so, it's not protected by our access_control security.
That should be enough to get started. Refresh! There's our link…
Event Hooks
…this is not the right use statement. I'll re-add TokenStorageInterface:
make sure you choose the one from Security\Core\Authentication:
In our method, fetch the user with $user = $this->tokenStorage->getToken()->getUser().
And if the User is not an instanceof our User…
extract-text-webpack-plugin
…In base.html.twig, add a link
tag for build/layout.css:
Copy that. We need to do this again on our two pages:
app/Resources/FOSUserBundle/views/Security/login.html.twig. Override the block
stylesheets, call parent() and add the link tag to login…
Collection Filtering: The Easy Way
…joins over and fetches
the related User data all at once... this entire page is built with one query:
Well, except for the query that loads my security user from the database.
So this is cool! Well, it's maybe cool - as we talked about earlier…
Webhook Endpoint Setup
…return the exact same data we already have? Yes! We
do this not because we need to, but for security. If we read the request JSON
directly, it's possible that the request is coming from some external, mean-spirited
person instead of from Stripe…
Live Webhook Testing with Ngrok
…into your browser! Ah, that's a little security check that
prevents any non-local users from accessing our dev environment. Just for now,
go into the web/ directory, open app_dev.php, and comment-out the two security
lines:
Refresh again! Hey, it's…
Embedded Checkout Form
…is never, ever sent to our servers... which is the greatest
news I have ever heard from a security standpoint. I do not want to handle your CC number:
this would greatly increase the security requirements on my server.
Instead, when you hit "Pay", this…
Using a Service
…best features of Twig is that it automatically
escapes any HTML that you render. That gives you free security from XSS attacks.
And for those few times when you do want to print HTML, just add the |raw filter:
Refresh again: it's rendering in…
Mastering Route config Loading
…the next parts, we're going
to start adding big features: like talking to a database, forms, security and more.
And when we do, I've got some exciting news: because of your work here, it's all going
to make sense. Let's keep…
Guard: Joyful Authentication
…now bin/console server:run:
Try out /login.
To use Guard, we need a new class. I'll create a new directory called Security,
but that's not important. Call the class WeirdFormAuthenticator. Next, make
this class implement GuardAuthenticatorInterface or extend the slightly easier
AbstractGuardAuthenticator:
…
New Profiler
…and open up DefaultController. Go down to
sillyLoginAction(). OK, pretend that something went wrong and we can't figure it out.
If this security.authentication_utils is the problem, we might want to use dump()
to print it out. Below that, throw a new Exception…
Fix Deprecation Warnings from Bundles
…to see: you need to study the stack trace. This ultimately starts
with AppKernel::registerContainerConfiguration() where our configuration files are
loaded.
The second is complaining about bad configuration in security.yml: that's also
our fault, and we'll fix it in a minute.
But…
Fix My Deprecations
…fix one more: the csrf notice. In this case, a config key was
renamed from csrf_provider to csrf_token_generator in security.yml. A lot of
changes are like this: simple renames:
Clear the cache and refresh:
And boom! The only deprecation left is…
Service Autowiring
…a $robot property and set it:
In checkCredentials(), if (!$this->robot->doesRobotAllowAccess()) then throw a
really clear new CustomUserMessageAuthenticationException() that says "RANDOM
SECURITY ROBOT SAYS NO!":
And I'll even put quotes around that.
This is when we would normally go to services.yml and…