Part-DB.Part-DB-server/config/packages/security.yaml

security:
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'

    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\UserSystem\User
                property: name


    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            provider: app_user_provider
            lazy: true
            user_checker: App\Security\UserChecker
            entry_point: App\Security\AuthenticationEntryPoint

            # Enable user impersonation
            switch_user: { role: CAN_SWITCH_USER }

            custom_authenticators:
                - App\Security\ApiTokenAuthenticator

            two_factor:
                auth_form_path: 2fa_login
                check_path: 2fa_login_check
                enable_csrf: true

            login_throttling:
                max_attempts: 5 # per minute

            saml:
                use_referer: true
                user_factory: saml_user_factory
                persist_user: true
                check_path: saml_acs
                login_path: saml_login
                failure_path: login

            # https://symfony.com/doc/current/security/form_login_setup.html
            form_login:
                login_path: login
                check_path: login
                enable_csrf: true
                use_referer: true
                default_target_path: '/'

            logout:
                path: logout
                target: homepage

            remember_me:
                secret:   '%kernel.secret%'
                lifetime: 2592000 # 30 days in seconds

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # This makes the logout route available during two-factor authentication, allows the user to cancel
        - { path: ^/logout, role: PUBLIC_ACCESS }
        # This ensures that the form can only be accessed when two-factor authentication is in progress
        - { path: "^/\\w{2}/2fa", role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        # We get into trouble with the U2F authentication, if the calls to the trees trigger an 2FA login
        # This settings should not do much harm, because a read only access to show available data structures is not really critical
        - { path: "^/\\w{2}/tree", role: PUBLIC_ACCESS }
        # Restrict access to API to users, which has the API access permission
        - { path: "^/api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }
        # Restrict access to KICAD to users, which has API access permission
        - { path: "^/kicad-api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }
Initial commit 2019-02-23 16:49:38 +01:00			`security:`
Updated symfony/security recipe 2023-05-27 21:04:28 +02:00			`# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords`
Use the new authenticator system introduced in symfony 5.1 2022-08-14 17:09:57 +02:00			`password_hashers:`
			`Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'`
Added user entity and basic login/logout system. 2019-03-14 18:01:41 +01:00
Initial commit 2019-02-23 16:49:38 +01:00			`providers:`
Create a new DB user when somebody logs in using SAML 2023-02-20 23:04:20 +01:00			`# used to reload user from session & other features (e.g. switch_user)`
			`app_user_provider:`
Added user entity and basic login/logout system. 2019-03-14 18:01:41 +01:00			`entity:`
Added an option for mass creation of structured data. 2019-08-12 22:41:58 +02:00			`class: App\Entity\UserSystem\User`
Added user entity and basic login/logout system. 2019-03-14 18:01:41 +01:00			`property: name`
Use the new authenticator system introduced in symfony 5.1 2022-08-14 17:09:57 +02:00
Started to work on interfacing with keycloak 2023-02-20 22:10:24 +01:00
Initial commit 2019-02-23 16:49:38 +01:00			`firewalls:`
			`dev:`
			`pattern: ^/(_(profiler\|wdt)\|css\|images\|js)/`
			`security: false`
			`main:`
Use the new authenticator system introduced in symfony 5.1 2022-08-14 17:09:57 +02:00			`provider: app_user_provider`
Use LogoutEvent listener instead of deprecated LogoutHandler. 2020-05-31 13:48:36 +02:00			`lazy: true`
Allow to disable a user in admin settings. When a user is disabled, he can not login. 2019-10-26 23:22:27 +02:00			`user_checker: App\Security\UserChecker`
Return a 401 message with an JSON encoded body, if no authentication header is passed for an API request. Also for browser requests, a flash message is shown in that case, prompting the user to authenticate. This follows a suggestion from issue #494 2024-01-25 23:35:15 +01:00			`entry_point: App\Security\AuthenticationEntryPoint`
Initial commit 2019-02-23 16:49:38 +01:00
Added basic logic for impersonation 2023-07-04 00:31:13 +02:00			`# Enable user impersonation`
			`switch_user: { role: CAN_SWITCH_USER }`

Added own APIToken authenticator, so we can wrap the used API token inside the symfony security token 2023-08-17 00:17:02 +02:00			`custom_authenticators:`
			`- App\Security\ApiTokenAuthenticator`

Implemented the two factor auth login form. 2019-12-23 18:45:32 +01:00			`two_factor:`
			`auth_form_path: 2fa_login`
			`check_path: 2fa_login_check`
Use the newer scheb/2fa bundle instead of scheb/two_factor_bundle Currently the U2F auth is broken, as there is no plugin supporting it in the new system 2022-08-13 23:33:05 +02:00			`enable_csrf: true`
Implemented the two factor auth login form. 2019-12-23 18:45:32 +01:00
Added login rate throttling 2023-02-11 21:55:24 +01:00			`login_throttling:`
			`max_attempts: 5 # per minute`
Initial commit 2019-02-23 16:49:38 +01:00
Started to work on interfacing with keycloak 2023-02-20 22:10:24 +01:00			`saml:`
Create a new DB user when somebody logs in using SAML 2023-02-20 23:04:20 +01:00			`use_referer: true`
			`user_factory: saml_user_factory`
Revert "Moved all user info updating logic into SAMLUserFactory" This reverts commit 960ee342e410bcb1672d2cefae02eaeb10ff5059. 2023-02-24 00:12:44 +01:00			`persist_user: true`
Started to work on interfacing with keycloak 2023-02-20 22:10:24 +01:00			`check_path: saml_acs`
			`login_path: saml_login`
Use login form page to show error messages on Part-DB side 2023-02-21 23:11:16 +01:00			`failure_path: login`
Started to work on interfacing with keycloak 2023-02-20 22:10:24 +01:00
Initial commit 2019-02-23 16:49:38 +01:00			`# https://symfony.com/doc/current/security/form_login_setup.html`
Added user entity and basic login/logout system. 2019-03-14 18:01:41 +01:00			`form_login:`
			`login_path: login`
			`check_path: login`
Use the new authenticator system introduced in symfony 5.1 2022-08-14 17:09:57 +02:00			`enable_csrf: true`
Added user entity and basic login/logout system. 2019-03-14 18:01:41 +01:00			`use_referer: true`
Use language setting of users when logging in. 2019-09-12 17:50:33 +02:00			`default_target_path: '/'`
Added user entity and basic login/logout system. 2019-03-14 18:01:41 +01:00
			`logout:`
			`path: logout`
			`target: homepage`
Initial commit 2019-02-23 16:49:38 +01:00
Added a remember me function to the login form. 2019-03-14 18:27:29 +01:00			`remember_me:`
			`secret: '%kernel.secret%'`
			`lifetime: 2592000 # 30 days in seconds`

Initial commit 2019-02-23 16:49:38 +01:00			`# Easy way to control access for large sections of your site`
			`# Note: Only the first access control that matches will be used`
			`access_control:`
Implemented the two factor auth login form. 2019-12-23 18:45:32 +01:00			`# This makes the logout route available during two-factor authentication, allows the user to cancel`
Use PUBLIC_ACCESS role instead of IS_AUTHENTICATED_ANONYMOUSLY role 2022-08-14 19:11:42 +02:00			`- { path: ^/logout, role: PUBLIC_ACCESS }`
Implemented the two factor auth login form. 2019-12-23 18:45:32 +01:00			`# This ensures that the form can only be accessed when two-factor authentication is in progress`
Added 2FA with U2F keys. 2019-12-29 13:35:30 +01:00			`- { path: "^/\\w{2}/2fa", role: IS_AUTHENTICATED_2FA_IN_PROGRESS }`
			`# We get into trouble with the U2F authentication, if the calls to the trees trigger an 2FA login`
			`# This settings should not do much harm, because a read only access to show available data structures is not really critical`
Use PUBLIC_ACCESS role instead of IS_AUTHENTICATED_ANONYMOUSLY role 2022-08-14 19:11:42 +02:00			`- { path: "^/\\w{2}/tree", role: PUBLIC_ACCESS }`
Added permissions to control access to API and manage API tokens 2023-08-26 22:57:50 +02:00			`# Restrict access to API to users, which has the API access permission`
			`- { path: "^/api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }`
Added an very basic API implementation for KICAD 2023-10-09 00:55:42 +02:00			`# Restrict access to KICAD to users, which has API access permission`
			`- { path: "^/kicad-api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }`