Add native auth security config

- Configure firewall for native auth - Add shared context between the two firewalls - Add access control restrictions for native auth paths
2025-08-29 17:46:02 +08:00 · 2022-08-09 15:20:57 +01:00 · 2022-08-09 15:20:57 +01:00 · c3e02d8113
commit c3e02d8113
parent e4e3c009f2
2 changed files with 23 additions and 2 deletions
--- a/config/packages/dev/web_profiler.yaml
+++ b/config/packages/dev/web_profiler.yaml
@ -1,6 +1,6 @@
 web_profiler:
    toolbar: true
-    intercept_redirects: true
+    intercept_redirects: false

 framework:
    profiler: { only_exceptions: false }
--- a/config/packages/security.php
+++ b/config/packages/security.php
@ -194,7 +194,8 @@ return static function (ContainerConfigurator $containerConfig) {
            ],
            'firewalls' => array_merge_recursive($baseFirewall, [
                'main' => [
-                    'pattern' => '^/',
+                    'context' => 'app_context',
+                    'pattern' => '^/(?!auth)',
                    'saml' => [
                        'provider' => 'app_user_provider',
                        // Match SAML attribute 'uid' with username.
@ -209,6 +210,22 @@ return static function (ContainerConfigurator $containerConfig) {
                        'path' => 'saml_logout'
                    ]
                ],
+                'auth' => [
+                    'context' => 'app_context',
+                    'pattern' => '^/auth',
+                    'lazy' => true,
+                    'provider' => 'app_user_provider',
+                    'json_login' => [
+                        'provider' => 'app_user_provider',
+                        'check_path' => 'native_auth_login',
+                    ],
+                    'login_throttling' => [
+                        'max_attempts' => $maxAttempts,
+                    ],
+                    'logout' => [
+                        'path' => 'native_auth_logout'
+                    ]
+                ],
            ]),
            'access_control' => [
                ['path' => '^/login$', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
@ -218,6 +235,10 @@ return static function (ContainerConfigurator $containerConfig) {
                ['path' => '^/saml/metadata', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
                ['path' => '^/saml/acs', 'roles' => 'ROLE_USER'],
                ['path' => '^/saml/logout', 'roles' => 'ROLE_USER'],
+                ['path' => '^/auth', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
+                ['path' => '^/auth/login', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
+                ['path' => '^/auth/session-status', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
+                ['path' => '^/auth/logout', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
                ['path' => '^/$', 'roles' => 'ROLE_USER'],
                ['path' => '^/api', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
                ['path' => '^/api/graphql', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],