1000 search results

Access Token Authenticator

…celebrate. Fortunately, Symfony has the perfect system just for this! Spin over and open up config/packages/security.yaml. Anywhere under your firewall add access_token: This activates a listener that will watch every request to see if it has an Authorization header. If it…

8:56
API Token Scopes

…but with a different set of roles? A set based on the scopes from the token? We're using the access_token security system. Hit Shift+Shift and open a core class called AccessTokenAuthenticator. This is cool: it's the actual code behind that authentication…

5:51
Setup & Ways to Extend API Platform

…our API resource objects are turned into JSON and how the JSON sent by the user is turned back into those same objects. Episode 2 was about security and included things like state processors - the key to running code before or after saving - custom fields…

4:39
Authenticator & The Passport

…simple. We need to read the submitted email, query the database for that User object... and eventually check the user's password. The weird thing about Symfony's security system is that... we're not going to write this logic in the controller. Nope. When…

6:24
Custom User Query & Credentials

…2nd argument to CustomCredentials. For us, that's the submitted password: Let's pretend that all users have the same password tada! To validate that, return true if $credentials === 'tada': Air-tight security! If we return true from this function, authentication is successful! Woo…

6:04
Firewalls & Authenticators

…At the start of every request, before Symfony calls the controller, the security system executes a set of "authenticators". The job of each authenticator is to look at the request, see if there is any authentication information that it understands - like a submitted email and…

6:39
Building a Login Form

…since we want to really learn security, let's do this step-by-step... mostly by hand. Before we start thinking about authenticating the user, we first need to build a login page, which... if you think about it... has nothing to do with security

3:07
Remember Me System

…or a year... or whatever we configure. Let's add this. The first step is to go to config/packages/security.yaml and activate the system. We do this by saying remember_me: and then, below, setting one required piece of config: secret: set to…

7:07
Filtering Relation Collection

…This is all super awesome... but it sure does crank up the complexity of our API, especially when it comes to security. For example, we can no longer see unpublished treasures from the GET collection or GET single endpoints. But we can still see unpublished…

5:39
Dynamic Roles

…Yup, we have ROLE_USER. This is too boring... so let's add some true admin users! First, open config/packages/security.yaml... and, down under access_control, change this to once again require ROLE_ADMIN: Remember: roles are just strings that we invent... they…

4:28
Denying Access, access_control & Roles

…get our first look at authorization. That's the fun part where we get to run around and deny access to different parts of our site. The easiest way to kick someone out of your party is actually right inside of config/packages/security.yaml…

5:22
Always Remember Me & "signature_properties"

…delete that entirely. There are two ways that you can "force" the remember me system to always set a cookie even though the checkbox isn't there. The first is in security.yaml: set always_remember_me: to true: Yes, I totally just misspelled remember..…

6:28
Course

Learn Symfony

EasyAdmin! For an Awesomely Powerful Admin Area

… Override templates... at many different levels Take control of your forms Handling security Adding custom actions (and removing others) Updating and configuring the menu (like adding a link to kitten videos!) Hooking into events to do things before or after an entity is saved Adding…

40 videos | 4:19:16
The Special IS_AUTHENTICATED_ Strings

…log out link. Access was granted for all three of these. In addition to IS_AUTHENTICATED_FULLY, there are a couple of other special strings that you can pass into the security system. The first is IS_AUTHENTICATED_REMEMBERED, which is super powerful... but can…

9:18
Impersonation: switch_user

…some users the superpower to temporarily log in as someone else. Here's how. First, we need to enable the feature. In security.yaml, under our firewall somewhere, add switch_user: true: This activates a new authenticator. So we now have our CustomAuthenticator, form_login…

5:27
More form_login Config

…can configure this. Remember: to get this config, I ran debug:config security... which shows your current configuration, including defaults. But not all options are shown here. To see a full list, run config:dump security. Instead of showing your actual config, this shows a…

3:25
MakerBundle & Autoconfiguration

…bin/console commands. Run php bin/console and look for the make section. Ooh. There's a ton of stuff here for setting up security, generating doctrine entities for the database (which we'll do in the next tutorial), making a CRUD, and much more…

4:27
Restricting Access to an Entire Crud Section

…of a CRUD section as a whole. In that case, instead of trying to set permissions on every action like this, you can be lazy and use normal security. For example, head to the top of QuestionCrudController. Above the class, leverage the #[IsGranted] attribute from…

2:55
Unique (but not Insane) Filenames

…through PHP. If your server is configured to execute any file ending in .php through PHP, that is a huge security risk. Ok, back to butterflies and ice cream. Even after we add validation to guarantee that the uploaded file is actually an image, the…

6:30
Where & How to Store the File

…uploaded article images? The first question to ask is: can these uploaded files be public to everyone? Or do we need to do some sort of security check before a user can view or download them? For article images, they can be public. But we…

5:06