Vladimir

Reputation: 249

Symfony 6.2 does not reach token handler on token authentication

Symfony 6.2 does not reach the custom token handler while executing a request if token_extractors is set to header in security.yml.

Here is the security.yml

security:
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    providers:
        access_token_provider:
            entity:
                class: App\Entity\AccessToken
                property: secret
    firewalls:
        main:
            lazy: true
            provider: access_token_provider
            stateless: true
            pattern: ^/
            access_token:
                token_extractors: header
                token_handler: App\Security\AccessTokenHandler
    access_control:
        - { path: ^/, roles: ROLE_ADMIN }

Here is the custom token handler; as you can see, it should dump the token and die, and it does that if the token is provided in the query string.

namespace App\Security;

use App\Repository\AccessTokenRepository;
use Doctrine\ORM\NonUniqueResultException;
use SensitiveParameter;
use Symfony\Component\Security\Core\Exception\BadCredentialsException;
use Symfony\Component\Security\Http\AccessToken\AccessTokenHandlerInterface;
use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;

readonly class AccessTokenHandler implements AccessTokenHandlerInterface
{
    public function __construct(private AccessTokenRepository $accessTokenRepository)
    {
    }

    /**
     * @throws NonUniqueResultException
     */
    public function getUserBadgeFrom(#[SensitiveParameter] string $accessToken): UserBadge
    {
        var_dump($accessToken);
        die;
        $accessToken = $this->accessTokenRepository->getOneByToken($accessToken);

        if (!$accessToken || !$accessToken->isValid()) {
            throw new BadCredentialsException('Invalid credentials.');
        }

        return new UserBadge($accessToken->getId());
    }
}

Authorization header generated by API client looks like this: Authorization: Bearer 00000000-0000-0000-0000-000000000000

What's wrong in my implementation?

I tried to change token_extractors to query_string and provide token in GET parameters, and it does reach.

Query string looks like this: localhost:8001/users?access_token=00000000-0000-0000-0000-000000000000

Upvotes: 2

Views: 857

Answers (2)

Ali Yousefi

Reputation: 712

Based on Symfony\Component\Security\Http\AccessToken\HeaderAccessTokenExtractor, the Authorization token has to match this regex: /^%s([a-zA-Z0-9\-_\+~\/\.]+)$/.
In my case I used the @ character and it was not working with the header.

Upvotes: 1

Vladimir

Reputation: 249

The problem was caused by Apache misconfiguration. Apache didn't pass Authorization token to PHP due to default configuration and security reasons. Adding CGIPassAuth On to a directory context solved this.

<Directory /var/www/html>
        CGIPassAuth On
</Directory>

https://httpd.apache.org/docs/trunk/mod/core.html#cgipassauth

Upvotes: 2
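The two answers point at two different ways the header path can fail silently: the extractor's regex rejecting the token, and Apache never passing the Authorization header to PHP. The following diagnostic is an added example (not code from the question or from Symfony) that mirrors the regex quoted above with the token type "Bearer" substituted for %s, which is assumed to be the default for token_extractors: header, and then checks whether the header actually arrived in $_SERVER.

```php
<?php
// Added diagnostic, not from the question or Symfony: mirrors the
// HeaderAccessTokenExtractor regex quoted in the answer above, with the
// token type "Bearer" substituted for %s (assumed default for the header extractor).

declare(strict_types=1);

// Returns the token part if the header value would be accepted, null otherwise.
function extractBearerToken(?string $headerValue): ?string
{
    if (null === $headerValue) {
        return null; // header never reached PHP, see the Apache check below
    }
    // Token type is prefixed and followed by whitespace; the token itself is
    // limited to [a-zA-Z0-9-_+~/.], so "@", ":" or spaces make it fail.
    $regex = sprintf('/^%s([a-zA-Z0-9\-_\+~\/\.]+)$/', preg_quote('Bearer') . '\s+');

    return preg_match($regex, $headerValue, $m) === 1 ? $m[1] : null;
}

// Constructed sample header values (not real credentials).
$samples = [
    'Bearer 00000000-0000-0000-0000-000000000000', // UUID-style: accepted
    'Bearer user@example.com',                      // "@" is outside the class: rejected
    'Basic dXNlcjpwYXNz',                           // wrong scheme: rejected
    null,                                           // header missing entirely
];

foreach ($samples as $value) {
    $token = extractBearerToken($value);
    printf("%-48s => %s\n", var_export($value, true), $token ?? 'no match');
}

// When served by Apache, a header that the client did send may still be
// absent here; that is the CGIPassAuth case from the accepted answer.
if (PHP_SAPI !== 'cli') {
    $auth = $_SERVER['HTTP_AUTHORIZATION']
        ?? $_SERVER['REDIRECT_HTTP_AUTHORIZATION']
        ?? null;
    if (null === $auth) {
        echo "Authorization header not passed to PHP; check CGIPassAuth On in the Apache <Directory> block\n";
    } else {
        echo 'Header reached PHP; extractor result: ', extractBearerToken($auth) ?? 'no match', "\n";
    }
}
```

Run it once from the CLI to see the regex behaviour on the sample values, and once through the web server to see whether the header survives the Apache-to-PHP hop.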
