Entity Security
…Later, if you do use FOSUserBundle, you’ll be a lot
more dangerous with it.
Generating the User Entity
Ok, forget about security! Seriously! Just think about the fact that we want
to store some user information in the database. To do this, we’ll…
Repository Security
Now, let’s have our users provide an email and let them log in using it or their username.
Giving the User an Email
Let’s start like we always do, by adding the property to the User class
with some Doctrine annotations:
// src…
Symfony Security Voters (free cookies!)
…Symfony Voters are the work horses of authorization.
But they're not well-understood and are totally under-utilized.
So let's take our wild security business logic and
see how a custom voter can centralize things and
make your controller and templates dead simple.
Deny Access with The "security" Option
…scope is called
SCOPE_TREASURE_CREATE... which maps to ROLE_TREASURE_CREATE. So we look for
that. Also, in security.yaml, via role_hierarchy, if you log in via the
login form, you get ROLE_FULL_USER... and then you automatically also get
ROLE_TREASURE…
composer require security
…Oh, but see this enable_authenticator_manager key?
In Symfony 5.3 - the version I'm using - the old and new security systems live
side-by-side and you get to choose which one you want! When you set
enable_authenticator_manager to true, you…
DTO Validation & Security
…Validation, check!
The next thing we need to re-add - code that used to live on User - is
security. Up here on the API level, for the entire resource,
require is_granted("ROLE_USER").
This means that we need to be logged in to use…
Symfony 5 Security: Authenticators
It's security time! Symfony 5.3 comes with a reimagined version of its security system and I ❤️ it! Yes, it's still super flexible & dependable. But the "guts" have been streamlined and simplified, making it easier to get your job done and giving you…
Improving Javascript Event Security
…simultaneously.
But, let's take a moment to look at our handleCheckout() action. We may have
a potential security issue on our hands here. Malicious users might attempt to
send an AJAX request to this endpoint using a different LemonSqueezy customer
ID. This could override…
Creating a Security Event Subscriber
…at any time during the authentication process, we can
throw an AuthenticationException - from Security - and that will cause
authentication to fail:
And there are a bunch of subclasses to this class, like BadCredentialsException.
You can throw any of these because they all extend AuthenticationException.
Check…
A bit of Security Cleanup
…that we need to clean up. In ArticleAdminController,
we created this endpoint... but we didn't add any security on it! It's open entirely
to the world: there's no @IsGranted annotation above the method or above the
class.
Now... this might be ok …
Configuring the Encoder in security.yml
…I kept saying we would encrypt the passwords with bcrypt? Do you remember
actually configuring that anywhere? Nope! We need to do that.
Open security.yml. Add an encoders key, then AppBundle\Entity\User: bcrypt:
If you want, you can configure a few other options…
Symfony 3 Security: Beautiful Authentication, Powerful Authorization
…Then, we'll turn to authorization,
with roles, voters and other good stuff:
Security & Firewall Fundamentals
Creating a custom login form
Making a User (ooOOOoo)
User Providers (why you need them, but don't care)
Password Encryption
Logging out!
Protecting entire URLs with access_control…
Hello API Security + API Docs on Production?
…if you want to hide your
documentation so that nobody will use your API, that's a bad plan. That's security
through obscurity. If your API lives out on the web, you need to assume people will
find it and you need to properly…
Migrating Services & Security
…to say if
$targetPath = $this->getTargetPath() with $request->getSession() and main.
Let's break this down. First, the main string is just the name of our firewall.
In both the old and new security config, that's its key.
Second, what does getTargetPath() do…
Design Config & Security Setup
…and
"Design Configuration".
Before we keep going... we need to talk security! Because right now, I can log out
and go back to /easyadmin with no problem. This is totally open to the public.
Fun!
How can we configure security in EasyAdminBundle? We don't…
API Platform 3 Part 2: Security for your Treasures
Here be dragons! We've built a pretty sweet API for storing dragon treasures... but we've completely neglected one minor detail: security! In this tutorial, we'll secure our API Platform-powered API in every way imaginable... and spin up a nifty test suite…
Exceptions Part 2: Adding Fence Security
Dinosaurs, check! Enclosures, check! But... we forgot to add security to the
enclosures! Ya know, like electric fences! Dang it, I knew we forgot something.
The dinosaurs have been escaping their enclosure and... of course, terrorizing the
guests. The investors are not going to like…
The UserProvider: Custom Logic to Load Security Users
…keeps going like normal. We don’t have to worry about checking the password
because Symfony still does that for us.
Ok, enough about security and Doctrine! But give yourself a high-five because
you just learned some of the most powerful, but difficult stuff…