mirror of
https://github.com/Part-DB/Part-DB-server.git
synced 2025-06-20 17:15:51 +02:00
f0519ae0b3
Also for browser requests, a flash message is shown in that case, prompting the user to authenticate. This follows a suggestion from issue #494
75 lines
2.9 KiB
YAML
75 lines
2.9 KiB
YAML
security:
|
|
# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
|
|
password_hashers:
|
|
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
|
|
|
|
providers:
|
|
# used to reload user from session & other features (e.g. switch_user)
|
|
app_user_provider:
|
|
entity:
|
|
class: App\Entity\UserSystem\User
|
|
property: name
|
|
|
|
|
|
firewalls:
|
|
dev:
|
|
pattern: ^/(_(profiler|wdt)|css|images|js)/
|
|
security: false
|
|
main:
|
|
provider: app_user_provider
|
|
lazy: true
|
|
user_checker: App\Security\UserChecker
|
|
entry_point: App\Security\AuthenticationEntryPoint
|
|
|
|
# Enable user impersonation
|
|
switch_user: { role: CAN_SWITCH_USER }
|
|
|
|
custom_authenticators:
|
|
- App\Security\ApiTokenAuthenticator
|
|
|
|
two_factor:
|
|
auth_form_path: 2fa_login
|
|
check_path: 2fa_login_check
|
|
enable_csrf: true
|
|
|
|
login_throttling:
|
|
max_attempts: 5 # per minute
|
|
|
|
saml:
|
|
use_referer: true
|
|
user_factory: saml_user_factory
|
|
persist_user: true
|
|
check_path: saml_acs
|
|
login_path: saml_login
|
|
failure_path: login
|
|
|
|
# https://symfony.com/doc/current/security/form_login_setup.html
|
|
form_login:
|
|
login_path: login
|
|
check_path: login
|
|
enable_csrf: true
|
|
use_referer: true
|
|
default_target_path: '/'
|
|
|
|
logout:
|
|
path: logout
|
|
target: homepage
|
|
|
|
remember_me:
|
|
secret: '%kernel.secret%'
|
|
lifetime: 2592000 # 30 days in seconds
|
|
|
|
# Easy way to control access for large sections of your site
|
|
# Note: Only the *first* access control that matches will be used
|
|
access_control:
|
|
# This makes the logout route available during two-factor authentication, allows the user to cancel
|
|
- { path: ^/logout, role: PUBLIC_ACCESS }
|
|
# This ensures that the form can only be accessed when two-factor authentication is in progress
|
|
- { path: "^/\\w{2}/2fa", role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
|
|
# We get into trouble with the U2F authentication, if the calls to the trees trigger an 2FA login
|
|
# This settings should not do much harm, because a read only access to show available data structures is not really critical
|
|
- { path: "^/\\w{2}/tree", role: PUBLIC_ACCESS }
|
|
# Restrict access to API to users, which has the API access permission
|
|
- { path: "^/api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }
|
|
# Restrict access to KICAD to users, which has API access permission
|
|
- { path: "^/kicad-api", allow_if: 'is_granted("@api.access_api") and is_authenticated()' }
|