niftycent.com
NiftyCent
PL
Login
Rynek
Zniżki

New in Symfony 6.2: Security Improvements (Part 1)

Simpler Programmatic Login

Contributed by
Arnaud Frézet and Robin Chalas
in #41274.

Logging in users programmatically is a common need in many applications. That's why in Symfony 6.2 we're adding a login() method to the Security service. On any service or controller, you can now do this:

use Symfony\Component\Security\Core\Security;
// ...

class SomeService
{
    public function __construct(
        private Security $security,
    ) {
    }

    public function someMethod()
    {
        // fetch a UserInterface object somehow (e.g. from a database)
        $user = ...

        // login the user programmatically
        $this->security->login($user);

        // if you have many authenticators associated to the current firewall,
        // you must pass explicitly the name of authenticator to use
        $this->security->login($user, 'form_login');
        $this->security->login($user, SomeApiKeyAuthenticator::class);

        // ...
    }
}

Custom Target URL When Impersonating Users

Contributed by
Antoine Makdessi
in #46338.

Similar to the feature that allows to configure the target URL after login, in Symfony 6.2 we're adding a new feature to allow you configure the target URL after impersonating a user. To do so, define the new target_url option under the switch_user option of your firewall:

# config/packages/security.yaml
security:
    # ...

    firewalls:
        main:
            # ...
            switch_user:
                # ...
                target_url: https://example.com/...

Contributed by
Mathias Brodala
in #46567.

When using login links to implement passwordless authentication, the lifetime of those links is configured globally for all. In Symfony 6.2 we're adding a feature so you can configure the lifetime per link. Use the third optional argument of createLoginLink() to override the global lifetime with a new custom value (in seconds):

// this login link will have a lifetime of 60 seconds
$loginLinkDetails = $loginLinkHandler->createLoginLink($user, null, 60);
$loginLink = $loginLinkDetails->getUrl();

Multiple User Checkers per Firewall

Contributed by
Michael Babker
in #46064.

User checkers allow you to define additional checks performed during the authentication of a user, to verify if the identified user is allowed to log in. You can only apply one user checker per firewall, which makes it harder to share logic.

Imagine an application that has two firewalls (e.g. API and traditional web login) and needs to apply these checkers: for both firewalls, check that the user account is not disabled; for the API firewall, check also that user has API access.

In Symfony 6.2 we're introducing a new "chained user checker" feature so you can call multiple user checkers for a firewall. To do so, apply to each user checker the tags corresponding to the firewall where it applies (tags follow the pattern security.user_checker.).

In Symfony 6.2, the previous example can be solved as follows:

namespace App\Security\User;

use Symfony\Component\DependencyInjection\Attribute\Autoconfigure;
use Symfony\Component\Security\Core\User\UserCheckerInterface;

#[Autoconfigure(tags: [['security.user_checker.main' => ['priority' => 10]]])]
#[Autoconfigure(tags: [['security.user_checker.api' => ['priority' => 10]]])]
final class DisabledAccountUserChecker implements UserCheckerInterface
{
    // ...
}

#[Autoconfigure(tags: [['security.user_checker.api' => ['priority' => 5]]])]
final class ApiAccessAllowedUserChecker implements UserCheckerInterface
{
    // ...
}
            <hr style="margin-bottom: 5px" />
            <div style="font-size: 90%">
                <a href="https://symfony.com/sponsor">Sponsor</a> the Symfony project.
            </div>

https://symfony.com/blog/new-in-symfony-6-2-security-improvements-part-1?utm_source=Symfony%20Blog%20Feed&utm_medium=feed

Utworzony 2y | 23 lis 2022, 17:20:06


Zaloguj się, aby dodać komentarz

Inne posty w tej grupie

New in Symfony 7.3: Extra Runtime Dot Env Files
New in Symfony 7.3: Extra Runtime Dot Env Files

Contributed by Nathan Page in

1 maj 2025, 08:40:12 | Symfony
SymfonyOnline June 2025: Where Have the Women of Tech History Gone?
SymfonyOnline June 2025: Where Have the Women of Tech History Gone?

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

30 kwi 2025, 14:20:02 | Symfony
New in Symfony 7.3: Arbitrary User Permission Checks
New in Symfony 7.3: Arbitrary User Permission Checks

Contributed by Nate Wiebe in

30 kwi 2025, 09:30:12 | Symfony
SymfonyOnline June 2025: Automate Everything with Your Personal Army of Robots
SymfonyOnline June 2025: Automate Everything with Your Personal Army of Robots

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

29 kwi 2025, 15:10:03 | Symfony
New in Symfony 7.3: Slug and Twig Constraints
New in Symfony 7.3: Slug and Twig Constraints

The Validator component provides dozens of constraints ready to use in your applications. In Symfony 7.3, we've added two new constraints to the list.

Slug Constraint

29 kwi 2025, 10:30:02 | Symfony
SymfonyOnline June 2025: Multi-Tenantize the Symfony components
SymfonyOnline June 2025: Multi-Tenantize the Symfony components

SymfonyOnline June 2025 is almost here, starting in almost 2 months on:

June 10-11: Workshop days. It is possible to attend 1 two-day training or 2 one-day trainings. June 12-13: Online confe

28 kwi 2025, 15:50:10 | Symfony
New in Symfony 7.3: Twig Extension Attributes
New in Symfony 7.3: Twig Extension Attributes

Contributed by Jérôme Tamarelle in

28 kwi 2025, 08:50:09 | Symfony
Techie
Techie