Logs, Sessions & File Permissions
…the cache directory.
To get our site working, we're setting the entire var/ directory to 777:
This includes cache/, logs/ and sessions/.
This is a bummer for security. Here's my big question: after we deploy, which files
truly need to be writable by…
The LoginFormAuthenticator
…Guard - no matter what crazy authentication system you have - the first
step is always to create an authenticator class. Create a new directory called Security
and inside, a new class: how about LoginFormAuthenticator:
The only rule about an authenticator is that it needs to extend…
JWT Guard Authenticator (Part 1)
…The process is easy:
we'll walk through each method and just fill in the logic. But if you want to know
more - check out the Symfony security course.
First: getCredentials(). Our job is to read the Authorization header and return
the token - if any…
Securing More Endpoints
… We have this great system where users are actually being authenticated!
Now we can start checking for security everywhere we need it. In newAction
we’re requiring that you are logged in:
// src/KnpU/CodeBattle/Controller/Api/ProgrammerController.php
// ...
public function newAction(Request $request)
{
}
Awesome…
Validating Who/When Can Publish
…probably work!
However, I tend to view things like this: security is best when you're trying to
completely prevent access to an operation. Validation is best when the
restrictions you need to apply are based on the data that's being sent, like
preventing…
Login with json_login
If your login system looks similar to the traditional email & password or username
& password setup, Symfony has a nice, built-in authentication mechanism to help.
In config/packages/security.yaml, under the main firewall, add a new key:
json_login. Below that, set check_path…
Coding a new Feature
…obvious if you put something in the wrong spot.
Press Shift+Shift and search for a file that's closely related to our new feature:
TargetPathTrait. Ok, this lives in the Security component. I'll double click
on the directory to move there. At first…
TargetPathTrait: Redirect to Previous Page
…after registering. But... it's not as
awesome as it could be. Let me show you why.
First, look at my app/config/security.yml file. In order to access any URL that
starts with /admin, you need to be logged in. For example, if…
Webhooks: Preventing Replay Attacks
There's one last teeny, tiny little detail we need to worry about with webhooks:
replay attacks. These are a security concern but also a practical one.
We already know that nobody can send us random, fake event data because we fetch
a fresh event…
Environments
Question: if config.yml is so important - then what the heck is the point of all
of these other files - like config_dev.yml, config_test.yml, parameters.yml,
security.yml and services.yml? What is their purpose?
The answer is environments. Now, I don…
Using PHPDoc for Auto-Completion
…Auto-Completion
With the base Controller, we can give ourselves shortcuts to develop faster
and faster.
Inside RegisterController, my IDE recognizes the setToken method
on the security context automatically. Actually, this only works because
I’m using an awesome Symfony2 plugin for PHPStorm. The getSecurityContext…
Authorization with Access Control
…with authentication and make it possible to login, let’s
try out our first piece of authorization and start denying access!
Head back to security.yml. The easiest way to deny access is via the
access_control section. Let’s use its regular expression coolness…
Creating a Login Form (Part 1)
…actual login form? Well, that’s our job - the security layer just
helps us by redirecting the user here.
Oh, and there’s a really popular open source bundle called FosUserBundle
that gives you a lot of what we’re about to build. The good…
Logging Out and Cleaning Up
…route called event, which is our
event list page. Use that for target:
# app/config/security.yml
# ...
firewalls:
To make the logout route, let’s add another method inside SecurityController
and use the @Route annotation:
// ...
// src/Yoda/UserBundle/Controller/SecurityController.php
/**
@Route("/logout", name="logout…
Denying Access: AccessDeniedException
…s prod environment, we’ll be able
to customize how this looks. We’ll cover how to customize error pages
in the next episode.
The access_control section of security.yml is the easiest way to control
access, but also the least flexible. Change the…
API Platform 2 Part 3: Custom Resources
…of the Api Platform series! In
part 1,
we built a fully-featured API. Then in
part 2
we leveled-up by adding a robust security system, security checks
and user-specific fields.
So what's left? In part 3, we're taking customizations to…
Starting in Symfony2: Course 2 (2.4+)
Over the next hour, we're going to take you through some of the most difficult areas of Symfony learning all about security, forms, and parts of Doctrine. We'll also see testing and learn more about how Symfony's service container works. When you…
API Docs on Production?
…Vue app that I built. It
has a login form... but it doesn't work yet: it will be up to us to bring it
to life.
Now before we dive into security, one question I sometimes get is:
Hey Ryan, the interactive docs are…
Hello Symfony
…recipe system.
In Symfony 6, those features include new JavaScript tools and a new security system...
just to name two of the many new things.
Symfony is also lightning fast with a huge focus on creating a joyful developer
experience, but without sacrificing programming best…
Customizing the OpenAPI Docs
…right there - or by going to /api/docs.json. A few minutes
ago, we added some config to API Platform called Authorization:
The end result is that it added these security sections down here. Yup, it's that
simple: this config triggered these new sections…