Modern Security with Symfony's Shiny new Security Component

Modern Security
with Symfony's Shiny
new Security Component
by your friend Ryan Weaver
@weaverryan

View Slide

> Member of the Symfony docs team
> Some Dude at
SymfonyCasts.com
> Husband of the talented and
beloved @leannapelham
symfonycasts.com
twitter.com/weaverryan
Yo! I’m Ryan!
> Father to my much more
charming son, Beckett

View Slide

Security System:
A History
Part 1
@weaverryan

View Slide

2010
Today
…
…
…

View Slide

@weaverryan
What Happened?

View Slide

Massive, massive complexity
Original implementation based oﬀ of Java Spring
Powerful
Complex
… almost no-one understood how it worked
@weaverryan

View Slide

GET /foo
X-Token: abc123
Firewall
Auth
Listeners
Unauth'ed Token
abc123
Authentication
Manager
Auth
Providers
Auth'ed
token
Set onto security context
Do many other things
@weaverryan

View Slide

The Simple form_login
UsernamePasswordFormAuthenticationListener
↪ AbstractAuthenticationListener
$token = $this->authenticationManager->authenticate(
new UsernamePasswordToken($username, $password)
);
DaoAuthenticationProvider
↪ UserAuthenticationProvider
@weaverryan

View Slide

Max username length
User Checker
Almost no Centralization
Password checking
CSRF validation
Session ﬁxation
Password upgrading
AuthSuccessEvent
** This is centralized!
Set token on storage
In each auth listener In each auth provider
Auth Manager **
InteractiveLoginEvent
Success handler
Notify RememberMe

View Slide

What about Guard?
@weaverryan

View Slide

Guard: Big Beautiful Bandaid
GuardAuthenticationListener
↪ ->getCredentials()
↪ create an un-auth'ed token
↪ call AuthenticationManager
GuardAuthenticationProvider
↪ ->getUser()
↪ ->checkCredentials()
↪ onAuthenticationSuccess()/Failure()
@weaverryan

View Slide

Excess Complexity
Stiﬂes Innovation
@weaverryan

View Slide

The New Security Component
Part 2
@weaverryan
experimental in 5.2

View Slide

2010
Today
…
…

View Slide

class User implements UserInterface
{
// ...
public function getUsername(): string
{
return (string) $this->email;
}
public function getRoles(): array
{
$roles = $this->roles;
$roles[] = 'ROLE_USER';
return array_unique($roles);
}
public function getPassword(): string
{
return (string) $this->password;
}
public function eraseCredentials()
{
}
}
User class (Before)
@weaverryan

View Slide

class User implements UserInterface
{
// ...
public function getUsername(): string
{
return (string) $this->email;
}
public function getRoles(): array
{
$roles = $this->roles;
$roles[] = 'ROLE_USER';
return array_unique($roles);
}
public function getPassword(): string
{
return (string) $this->password;
}
public function eraseCredentials()
{
}
}
User class (After)
@weaverryan

View Slide

class AdminController extends AbstractController
{
public function admin()
{
$this->denyAccessUnlessGranted('ROLE_ADMIN');
}
}
Denying Access (Before)
# security.yaml
security:
# ...
access_control:
- { path: ^/admin, roles: ROLE_ADMIN }
@weaverryan

View Slide

class AdminController extends AbstractController
{
public function admin()
{
$this->denyAccessUnlessGranted('ROLE_ADMIN');
}
}
# security.yaml
security:
# ...
access_control:
- { path: ^/admin, roles: ROLE_ADMIN }
Denying Access (After)
@weaverryan

View Slide

security.yaml (Before)
security:
# ...
firewalls:
main:
lazy: true
anonymous: true
form_login: true
guard:
authenticators:
- App\Security\CustomAuthenticator
@weaverryan

View Slide

security.yaml (After)
security:
# ...
+ enable_authenticator_manager: true
firewalls:
main:
lazy: true
- anonymous: true
form_login: true
- guard:
- authenticators:
- - App\Security\CustomAuthenticator
+ custom_authenticators:
+ - App\Security\CustomAuthenticator
Anonymous users
are gone!!!
Authenticator classes
have a new look
@weaverryan
Activates the
new "mode"

View Slide

Dont Panic!
The changes are beautiful.
The migration path is short.
@weaverryan

View Slide

POST /login
[email protected]
&password=duck
Passport
(badges)
UserBadge PasswordCredentials CsrfBadge
events
CheckCredentialsListener
CsrfProtectionListener
SessionStrategyListener
UserCheckerListener
LoginThrottlingListener PasswordMigrationListener
Authenticators
Firewall

View Slide

Custom Authenticators
Part 3
@weaverryan

View Slide

New AuthenticatorInterface
@weaverryan
interface AuthenticatorInterface
{
function supports(Request $request): ?bool;
function createAuthenticatedToken(PassportInterface $passport): TokenInterface;
function onAuthenticationSuccess(Request $request, TokenInterface $token): ?Response;
function onAuthenticationFailure(Request $request, AuthException $exception): ?Response;
}
function authenticate(Request $request): PassportInterface;

View Slide

Example 1:
Login Form
@weaverryan

View Slide

class SecurityController extends AbstractController
{
/**
* @Route("/login", name="app_login")
*/
public function login(): Response
{
return $this->render('security/login.html.twig');
}
}

value="{{ csrf_token('authenticate') }}"
>

Sign in

View Slide

// src/Security/LoginFormAuthenticator
class LoginFormAuthenticator extends AbstractLoginFormAuthenticator
{
public function supports(Request $request): ?bool
{
}
public function authenticate(Request $request): PassportInterface
{
}
public function onAuthenticationSuccess(Request $request, TokenInterface $token): ?Response
{
}
protected function getLoginUrl(Request $request): string
{
}
}

View Slide

{
return $request->attributes->get('_route') === 'app_login'
&& $request->isMethod('POST');
}

View Slide

{
$email = $request->request->get('email');
$password = $request->request->get('password');
return new Passport(
new UserBadge($email, function ($email) {
return $this->userRepository->findOneBy(['email' => $email]);
}),
new PasswordCredentials($password)
);
}

View Slide

Done!
@weaverryan

View Slide

User Checker
Event Listeners: Authentication Work Horses
Password checking
CSRF validation
Session ﬁxation
Password upgrading
Set token on storage
Notify RememberMe
Events: 6 centralized events

View Slide

Badges: Extra Passport Info
@weaverryan
// ...
}),
new PasswordCredentials($password),
[
// badges
]
);

View Slide

Badges: CSRF Protection
value="{{ csrf_token('authenticate') }}"
>
$csrfToken = $request->request->get('_csrf_token');
// ...
}),
[
new CsrfTokenBadge('authenticate', $csrfToken)
]
);
Badges can require
that a listener
"resolves" them.

View Slide

Badges: Password Upgrading
// ...
}),
[
new CsrfTokenBadge('authenticate', $csrfToken),
new PasswordUpgradeBadge($password, $this->userRepository)
]
);
This PasswordUpgradeBadge is no longer required.
Your password will be upgraded automatically as long
as your user provider implements the upgrader interface
(which happens always if you use make:user)

View Slide

Possibilities?
Login Throttling & Events
@weaverryan

View Slide

security:
# ...
firewalls:
main:
# ...
# max at 3 login attempts per minute
login_throttling:
max_attempts: 3
$ composer require symfony/rate-limiter

View Slide

Events, Events, Events!
CheckPassportEvent
Has access to the Passport & all badges
AuthenticatedTokenCreatedEvent
Has access - and can change - the authenticated token
LoginSuccessEvent
Success! Has Passport, Token, User & Response
LoginFailureEvent
Failure :( . But, has to the auth exception, Passport & Response

View Slide

Legacy Events
AuthenticationSuccessEvent
It's ﬁne, but LoginSuccessEvent is more powerful
InteractiveLoginEvent
Don't use: what *is* an "interactive" login?
Don't use these: there are better events now!

View Slide

And…
Core Authenticators are Readable!
@weaverryan

View Slide

class JsonLoginAuthenticator implements AuthenticatorInterface
{
{
$credentials = $this->getCredentials($request);
$passport = new Passport(new UserBadge($credentials['username'], function ($username) {
return $this->userProvider->loadUserByUsername($username);
}), new PasswordCredentials($credentials['password']));
if ($this->userProvider instanceof PasswordUpgraderInterface) {
$passport->addBadge(
new PasswordUpgradeBadge($credentials['password'],
$this->userProvider
)
);
}
return $passport;
}
}
json_login

View Slide

API Token Authentication
@weaverryan

View Slide

{
return $request->headers->has('X-AUTH-TOKEN');
}

View Slide

{
$token = $request->headers->get('X-AUTH-TOKEN');
return new SelfValidatingPassport(
new UserBadge($token, function($token) {
$apiToken = $this->apiTokenRepository->findOneBy([
'token' => $token
]);
if (null === $apiToken) {
throw new CustomUserMessageAuthenticationException(
'Invalid API token'
);
}
return $apiToken->getUser();
})
);
}

View Slide

Various other Improvements
Part 4
@weaverryan

View Slide

Anon. Anonymous Users are Gone!
security:
# ...
access_control:
- { path: ^/login, roles: PUBLIC_ACCESS }
- { path: ^/, roles: ROLE_USER }
• If a user isn't authenticated, the User is null
• If you need to explicitly allow access:

View Slide

2fa No Longer Requires Hacks

View Slide

LogoutEvent
class LogoutSubscriber implements EventSubscriberInterface
{
public function onLogout(LogoutEvent $event)
{
$user = $event->getToken()->getUser();
// ...
$response = new RedirectResponse('...');
$event->setResponse($response);
}
public static function getSubscribedEvents()
{
return [LogoutEvent::class => 'onLogout'],
}
}

View Slide

Magic Login Link
security:
firewalls:
main:
login_link:
check_route: login_check
signature_properties: ['id']

View Slide

Magic Login Link
public function requestLoginLink(LoginLinkHandlerInterface $loginLinkHandler)
{
if ($request->isMethod('POST')) {
$email = $request->request->get('email');
$user = $userRepository->findOneBy(['email' => $email]);
$loginLinkDetails = $loginLinkHandler->createLoginLink($user);
$loginLink = $loginLinkDetails->getUrl();
// send it with Notifier
}
}

View Slide

Complexity is Gone
@weaverryan

View Slide

What else can we make?
@weaverryan

View Slide

Me:
@weaverryan
THANK YOU!
Security Hero:
@wouterj

View Slide

Modern Security with Symfony's Shiny new Security Component

Modern Security with Symfony's Shiny new Security Component

weaverryan

More Decks by weaverryan

Other Decks in Technology

Featured

Transcript