-
Notifications
You must be signed in to change notification settings - Fork 168
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improve logging of the user when he logged in programmatically #720
Improve logging of the user when he logged in programmatically #720
Conversation
f936142
to
6daffa8
Compare
6daffa8
to
a152c82
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall a good PR, with a great set of complete and well described tests. Just a few nitpick.
@@ -37,7 +37,8 @@ | |||
"symfony/http-kernel": "^4.4.20||^5.0.11||^6.0", | |||
"symfony/polyfill-php80": "^1.22", | |||
"symfony/psr-http-message-bridge": "^1.2||^2.0", | |||
"symfony/security-core": "^4.4.20||^5.0.11||^6.0" | |||
"symfony/security-core": "^4.4.20||^5.0.11||^6.0", | |||
"symfony/security-http": "^4.4.20||^5.0.11||^6.0" |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm not sure about this requirement. And to be frank, even the previous one could be invasive in some edge cases...
Maybe it's out of scope for this PR, but I think we should move these two requirements to require-dev
, and make the code that uses them optional.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I agree, definitely. However, making the code optional is a completely different topic that I don't want to tackle here. We need the security-http
package mostly because of the event classes that are part of it IIRC.
@cleptric can I ask for your review on this? |
Yep, can take a look tomorrow/next week. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Do we need to listen to an additional event?
The user ID is only set on the scope during a request that contains credentials, all subsequent requests to a route guarded with access_control
will only set the user's IP on the scope.
I found out that the |
Do you mind sharing the version of the framework you're using and the security:
password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'plaintext'
providers:
users_in_memory:
memory:
users:
john: { password: 'doe', roles: ['ROLE_USER'] }
firewalls:
main:
provider: users_in_memory
http_basic:
realm: Secured Area
access_control:
- { path: ^/, roles: ROLE_USER } Note that with this config, even though I'm using HTTP basic authentication, a session is created so that the browser does not ask me the credentials at every page refresh |
security:
# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
providers:
# used to reload user from session & other features (e.g. switch_user)
app_user_provider:
entity:
class: App\Entity\User
property: email
firewalls:
dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
lazy: true
provider: app_user_provider
form_login:
# "app_login" is the name of the route created previously
login_path: login
check_path: login
logout:
path: logout
# where to redirect after logout
target: /
# activate different ways to authenticate
# https://symfony.com/doc/current/security.html#the-firewall
# https://symfony.com/doc/current/security/impersonating_user.html
# switch_user: true
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
- { path: ^/sentry, roles: ROLE_USER }
when@test:
security:
password_hashers:
# By default, password hashers are resource intensive and take time. This is
# important to generate secure password hashes. In tests however, secure hashes
# are not important, waste resources and increase test times. The following
# reduces the work factor to the lowest possible values.
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
algorithm: auto
cost: 4 # Lowest possible value for bcrypt
time_cost: 3 # Lowest possible value for argon
memory_cost: 10 # Lowest possible value for argon |
I can't replicate the problem with your setup either. There are still some minor differences between my setup and yours, e.g. the user provider and password hasher, but it shouldn't matter at all. I'm using Symfony |
https://github.com/cleptric/symfony - Most logic is in the |
I have no clue on why it was working in my test project, but indeed the framework does not dispatch the two login-related events for each request. I readded back a listener for the |
016bae1
to
ecf154b
Compare
Looking good! @Jean85 can you take another look, please? |
User
context
Fixes #706. I had no time to test it on a real project, so please do it if you can before merging 🙏