API Platform 2 Part 2: Security
…type of security! This is a big & important topic, so let's take it head-on in part 2 of our API Platform tutorial:
API token security? Or tried-and-true session based login form security?
CSRF protection? SameSite Cookies? Ice Cream?
Security firewall setup…
Only Allow Owners to Edit
New security quest: I want to allow only the owner of a treasure to edit it. Right
now, you're allowed to edit a treasure as long as you have this role. But that means
you can edit anyone's treasure. Someone keeps changing my…
Bootstrapping a Test Suite
Our security requirements are about to get... pretty complicated. And so, instead
of testing all of that manually and hoping we don't break anything, I think it's
time to take a few minutes to get a nice functional testing system set up.
Spin…
Permissions
…be allowed to do everything.
Here's the first goal: only users with ROLE_MODERATOR should be allowed to go to
the Questions CRUD section. Right now, if I hover over the security part of the
web debug toolbar... yup! I only have ROLE_ADMIN…
Custom Voter
To make the security system understand what it means when we check for EDIT
access on a Question object, we need a custom voter. And... to help us out,
we can generate this.
Find your terminal and run:
symfony console make:voter
Let's call…
Login Throttling & Events
Symfony's security system comes packed with a lot of cool stuff, like remember me,
impersonation and voters. Heck, it even has built in support for a "login link"
authenticator - also known as "magic login links". That's where you email a link
to your…
Impersonation (switch_user)
While we're inside security.yaml, I want to talk about another really cool feature
called switch_user. Imagine you're an admin user and you're trying to debug an
issue that a customer saw. But, dang it! The feature works perfectly for you…
Registration Form
…those are terrible! We can fix
those real quick: pass a variables array to first with label set to Password.
For the second one: Repeat Password:
Refresh. Looking good.
Since the registration form has nothing to do with security, let's just finish this!
Type…
All About Firewalls
…app/config/security.yml. Security - especially authentication - is all
configured here. We'll look at this piece-by-piece, but there's one section that's
more important than all the rest: firewalls:
Your firewall is your authentication system: it's like the security desk…
ACL: Only Owners can PUT a CheeseListing
Back to security! We need to make sure that you can only make a PUT request
to update a CheeseListing if you are the owner of that CheeseListing. As
a reminder, each CheeseListing is related to one User via an $owner property.
Only that User…
Creating a User Entity
We won't talk about security in this tutorial. But even still, we do need the concept
of a user... because each treasure in the database will be owned by a user...
or really, by a dragon. Later, we'll use this to allow API…
Denying Access in a Controller
I like using access control in security.yaml to help me protect entire sections
of my site... like everything under /admin requires some role:
But most of the time, I protect my site on a controller-by-controller basis.
Open QuestionController and find the new…
Dummies
Our new EnclosureBuilderService is building the security systems and adding
them to the Enclosure, but it's not creating any dinosaurs yet. That's a boring
dinosaur park! Fortunately, that should be easy! Heck, we already have a class
that's really great at doing…
Customizing the User Entity
The really neat thing about Symfony's security system is that it doesn't care
at all about what your User class looks like. As long as it implements UserInterface,
so, as long as it has these methods, you can do anything you want with…
Password encoders -> password_hashers & debug:firewall
…we have a user called abraca_admin@example.com
with password tada. Sign in and... it's alive!
Speaking of "security" and "firewalls" and other nerdery, Symfony ships with a new
command to help debug and visualize your firewall. It's called, appropriately,
debug:firewall…
ApiResource access_control
There are two big parts to security in any app. First, how does your user authenticate?
How do they log in? Honestly, that is the trickiest part... and it has really
nothing to do with API Platform. We're authenticating via the json_login authenticator…
To use API Token Authentication or Not?
Here's the million-dollar question when it comes to security and APIs: does my site
need some sort of API token authentication? There's a pretty good chance that the
answer is no. Even if your app has some API endpoints - like ours - if…
CSRF Protection Part 1
We've gotta talk about one more thing: security. Specifically, CSRF attacks.
Imagine if a malicious person built an HTML form on a totally different site, but
set its action="" attribute to a URL on our site. Then, what if some user, like
me, who…
Fetch me a User Object!
There are really only two things you can do with security:
Deny access
Find out who is logged in
To show that off, find newAction(). Let's update the flash message to include the
email address of the current user.
Surround the string with sprintf…
Creating the User Entity
…And then:
Does this app need to hash or check user passwords?
We'll talk more about this in the security tutorial. But if users
will need to log in to your site via a password and your app will be responsible
for checking to…