Roubi

Reputation: 2106

Symfony, security.yaml : using both form and token authentication for same uri

My Symfony 5 app provides:

For this purpose, my security.yaml uses two firewalls:

firewalls:
    api:
        pattern: ^/api(?!/doc$)
        security: true
        stateless: true
        oauth2: true
    main:
        lazy: true
        provider: app_user_provider
        form_login:
            login_path: app_login
            check_path: app_login
            enable_csrf: true
            default_target_path: app_index
            use_referer: true
        logout:
            path: app_logout
            target: app_index

Is it possible to also access API endpoints like api/entry/get/1 when logged in as an admin (i.e. not with a token, but through the regular form login with credentials)?

This would make using a swagger sandbox much easier.

Upvotes: 0

Views: 402

Answers (1)

V-Light

Reputation: 3115

Is it possible to also access API endpoints like api/entry/get/1 when logged in as an admin (i.e. not with a token, but through the regular form login with credentials)?

I'd say in your current configuration, the answer is no.

Since your api firewall is stateless: true, there's only one way to tell Symfony that a request should be considered authenticated: the presence of a Bearer token (probably a JWT) in each request. Without a valid token, all requests to /api would be considered unauthorized.

In other words: Symfony just does not check the session/cookies for a possible (previously) logged-in (admin) user to allow/deny access for the /api routes.

Unfortunately, I haven't had an opportunity to work with OAuth2ServerBundle. So maybe there's a configuration for that.

BUT:

Try to play around with stateless and context

However, RESTful APIs are stateless by design, it's not just a fancy buzzword.

There is also a way to add an "Authorize" button to your swagger doc/playground so anyone who has access to Swagger UI could paste a valid auth token (JWT) and all further requests from Swagger UI would be authorized. See Swagger and JWT Token Authentication.

I also had a wonderful experience with Insomnia http-client especially when I need to test/play with my apis.

It has great OAuth v2 support. The free tier is more than enough for local development / quick testing. Just specify your token path, select the Grant Type "Resource Owner", paste the username/password of your admin user, and Insomnia will handle the rest automagically each time you hit a protected /api/entry/get/1.

Upvotes: 1
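For readers who want to see what "play around with stateless and context" looks like in practice, the following security.yaml is an added example, not the asker's final configuration or the answerer's code. It keeps the asker's two firewalls and route names, drops stateless: true from the api firewall and gives both firewalls the same context value so that the security token written to the session by the form login is also read on /api requests. The context name app_context, the access_control block and the framework session fragment are assumptions added for the example.

```yaml
# config/packages/security.yaml  (added example, assumptions marked inline)
security:
    firewalls:
        # Before: "stateless: true" means the firewall never reads the
        # session, so a browser that logged in via "main" still gets 401 here.
        # After: the firewall is stateful and shares its context with "main",
        # so a session created by the form login is accepted on /api routes.
        # The oauth2 authenticator still handles Bearer tokens as before.
        api:
            pattern: ^/api(?!/doc$)
            stateless: false            # was: true
            context: app_context        # assumed name; must match "main"
            provider: app_user_provider
            oauth2: true

        main:
            lazy: true
            context: app_context        # same value => same session token
            provider: app_user_provider
            form_login:
                login_path: app_login
                check_path: app_login
                enable_csrf: true       # protects the login form only
                default_target_path: app_index
                use_referer: true
            logout:
                path: app_logout
                target: app_index

    # Assumed rules: the swagger page is admin-only, everything else under
    # /api requires a real (cookie- or token-based) authentication.
    access_control:
        - { path: ^/api/doc$, roles: ROLE_ADMIN }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }

# config/packages/framework.yaml  (assumed fragment)
# Once /api accepts the session cookie, a cross-site form or script can make
# the browser send that cookie to a state-changing endpoint; enable_csrf above
# does not cover JSON endpoints. A SameSite cookie is the minimum mitigation.
framework:
    session:
        cookie_samesite: lax
```

The trade-off is the one the answer hints at: the api firewall stops being stateless, so every /api request now carries session semantics, and the API endpoints inherit the browser's CSRF exposure that the bearer-token model avoided. A common compromise is to enable the shared context only in the dev environment (config/packages/dev/security.yaml) and keep stateless: true in prod, where Swagger's "Authorize" button or an HTTP client such as Insomnia supplies the token instead.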
