security:
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'

    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\UserSystem\User
                property: name


    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            provider: app_user_provider
            lazy: true
            user_checker: App\Security\UserChecker
            entry_point: form_login

            # Enable user impersonation
            switch_user: { role: CAN_SWITCH_USER }

            custom_authenticators:
                - App\Security\ApiTokenAuthenticator

            two_factor:
                auth_form_path: 2fa_login
                check_path: 2fa_login_check
                enable_csrf: true

            login_throttling:
                max_attempts: 5 # per minute

            saml:
                use_referer: true
                user_factory: saml_user_factory
                persist_user: true
                check_path: saml_acs
                login_path: saml_login
                failure_path: login

            # https://symfony.com/doc/current/security/form_login_setup.html
            form_login:
                login_path: login
                check_path: login
                enable_csrf: true
                use_referer: true
                default_target_path: '/'

            logout:
                path: logout
                target: homepage

            remember_me:
                secret:   '%kernel.secret%'
                lifetime: 2592000 # 30 days in seconds

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # This makes the logout route available during two-factor authentication, allows the user to cancel
        - { path: ^/logout, role: PUBLIC_ACCESS }
        # This ensures that the form can only be accessed when two-factor authentication is in progress
        - { path: "^/\\w{2}/2fa", role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        # We get into trouble with the U2F authentication, if the calls to the trees trigger an 2FA login
        # This settings should not do much harm, because a read only access to show available data structures is not really critical
        - { path: "^/\\w{2}/tree", role: PUBLIC_ACCESS }
        # Restrict access to API to users, which has the API access permission
        - { path: "^/api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }
        # Restrict access to KICAD to users, which has API access permission
        - { path: "^/kicad-api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }