chore: improve configuration [ config/packages/security.yaml ]

68fc1610 · Fabrice Gangler · f1164a2a · 68fc1610
Commit 68fc1610 authored 8 months ago by Fabrice Gangler
--- a/webapp/config/packages/security.yaml
+++ b/webapp/config/packages/security.yaml
 security:
+    #############################################################################
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
+
+    #############################################################################
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
-        users_in_memory: { memory: null }
+        # used to reload user from session & other features (e.g. switch_user)
+        app_user_provider:
+            entity:
+                class: App\Entity\User
+                property: email
+
+    #############################################################################
+    #  https://symfony.com/doc/current/reference/configuration/security.html#session-fixation-strategy
+    session_fixation_strategy: invalidate
+    #       When authenticating users, the entire session is regenerated,
+    #       so the session ID is updated and all the other session attributes are lost.
+    #############################################################################
+
+    #############################################################################
+    role_hierarchy:
+        ROLE_CONTRIBUTOR:
+            - ROLE_USER
+        ROLE_ORGANISATION_ADMIN:
+            - ROLE_CONTRIBUTOR
+        ROLE_MODERATOR:
+            - ROLE_CONTRIBUTOR
+        ROLE_ADMIN:
+            - ROLE_MODERATOR
+        ROLE_SUPERADMIN:
+            - ROLE_ADMIN
+            - ROLE_ALLOWED_TO_SWITCH
+    #############################################################################
+    # Easy way to control access for large sections of your site
+    # Note: Only the *first* access control that matches will be used
+    # https://symfony.com/doc/current/security/access_control.html
+    access_control:
+#       - { route: 'superadmin_configuration',    roles: ROLE_SUPERADMIN }
+        - { path: ^/admin/configuration/,         roles: ROLE_SUPERADMIN }
+        - { path: ^/admin/,                       roles: ROLE_ADMIN }
+        - { path: ^/user/profile,                 roles: ROLE_USER }
+        - { path: ^/,                             roles: PUBLIC_ACCESS }
+        - { path: ^/health-check,                 roles: PUBLIC_ACCESS }
+        - { path: ^/account/login,                roles: PUBLIC_ACCESS }
+        - { path: ^/account/logout,               roles: PUBLIC_ACCESS }
+    #############################################################################
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            lazy: true
-            provider: users_in_memory
+            provider: app_user_provider
+            logout:
+                path: 'app_account_logout'
+                target: 'app_home'
+                # Send [ Clear-Site-Data ] HTTP Header to clears browsing data
+                #       https://symfony.com/doc/current/reference/configuration/security.html#clear-site-data
+                #       https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data
+                clear_site_data:
+                    - cookies
+                    - storage
+#                   - executionContexts
+#                   - cache
+            form_login:
+                enable_csrf: true
+                form_only: true # checks that the request content-type is application/x-www-form-urlencoded
+                always_use_default_target_path: false
+                login_path: 'app_account_login'
+                check_path: 'app_account_login'
+#               rate_limiter:
+#               login_throttling:
+#               switch_user: true  # https://symfony.com/doc/current/security/impersonating_user.html
+
+            ########### login_throttling ###################################################
+            # configure the maximum login attempts
+            # by default, the feature allows 5 login attempts per minute
+            #   login_throttling: null
+            #   login_throttling:
+            #       max_attempts: 5         # by default, the feature allows 5 login attempts per interval
+            #       interval: '15 minutes'  # by default = 1 minute
+            ################################################################################

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall

-            # https://symfony.com/doc/current/security/impersonating_user.html
-            # switch_user: true
-
-    # Easy way to control access for large sections of your site
-    # Note: Only the *first* access control that matches will be used
-    access_control:
-        # - { path: ^/admin, roles: ROLE_ADMIN }
-        # - { path: ^/profile, roles: ROLE_USER }

 when@test:
    security: