Merge pull request #16 from albusss/auth_improvement

auth improvements
msalakhov · Oct 21, 2021 · 2a7af5b · 2a7af5b
2 parents 74aa509 + c2146e7
commit 2a7af5b
Show file tree

Hide file tree

Showing 8 changed files with 200 additions and 23 deletions.
diff --git a/app/.env b/app/.env
@@ -30,3 +30,9 @@ APP_SECRET=ccd80113c9ecc72e222101920ae5aa0a
 # DATABASE_URL="mysql://db_user:[email protected]:3306/db_name?serverVersion=5.7"
 DATABASE_URL="postgresql://db_user:[email protected]:5432/db_name?serverVersion=13&charset=utf8"
 ###< doctrine/doctrine-bundle ###
+
+###> symfony/lock ###
+# Choose one of the stores below
+# postgresql+advisory://db_user:db_password@localhost/db_name
+LOCK_DSN=semaphore
+###< symfony/lock ###
diff --git a/app/composer.json b/app/composer.json
@@ -32,6 +32,7 @@
         "symfony/property-access": "5.3.*",
         "symfony/property-info": "5.3.*",
         "symfony/proxy-manager-bridge": "5.3.*",
+        "symfony/rate-limiter": "5.3.*",
         "symfony/runtime": "5.3.*",
         "symfony/security-bundle": "5.3.*",
         "symfony/serializer": "5.3.*",

diff --git a/app/composer.lock b/app/composer.lock
diff --git a/app/config/packages/lock.yaml b/app/config/packages/lock.yaml
@@ -0,0 +1,2 @@
+framework:
+    lock: '%env(LOCK_DSN)%'
diff --git a/app/config/packages/security.yaml b/app/config/packages/security.yaml
@@ -2,8 +2,7 @@ security:
     # https://symfony.com/doc/current/security/experimental_authenticators.html
     enable_authenticator_manager: true
     password_hashers:
-        App\Entity\User:
-            algorithm: auto
+        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
 
     # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
     providers:
@@ -17,6 +16,7 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         user_secured_area:
+            lazy: true
             pattern:   ^/
             provider: app_user_provider
             form_login:
@@ -25,10 +25,13 @@ security:
                 default_target_path: /
                 username_parameter: email
                 password_parameter: password
+                enable_csrf: true
             logout:
                 path: app_logout
                 # where to redirect after logout
                 target: /login
+            login_throttling:
+                max_attempts: 3
 
             # activate different ways to authenticate
             # https://symfony.com/doc/current/security.html#firewalls-authentication

diff --git a/app/src/Controller/RegistrationController.php b/app/src/Controller/RegistrationController.php
@@ -11,8 +11,8 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Mime\Address;
 use Symfony\Component\Routing\Annotation\Route;
-use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
 use SymfonyCasts\Bundle\VerifyEmail\Exception\VerifyEmailExceptionInterface;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 
 class RegistrationController extends AbstractController
 {
@@ -24,7 +24,7 @@ public function __construct(EmailVerifier $emailVerifier)
     }
 
     #[Route('/register', name: 'app_register')]
-    public function register(Request $request, UserPasswordEncoderInterface $passwordEncoder): Response
+    public function register(Request $request, UserPasswordHasherInterface $passwordHasher): Response
     {
         $user = new User();
         $form = $this->createForm(RegistrationFormType::class, $user);
@@ -33,7 +33,7 @@ public function register(Request $request, UserPasswordEncoderInterface $passwor
         if ($form->isSubmitted() && $form->isValid()) {
             // encode the plain password
             $user->setPassword(
-                $passwordEncoder->encodePassword(
+                $passwordHasher->hashPassword(
                     $user,
                     $form->get('plainPassword')->getData()
                 )

diff --git a/app/src/Controller/ResetPasswordController.php b/app/src/Controller/ResetPasswordController.php
@@ -13,10 +13,10 @@
 use Symfony\Component\Mailer\MailerInterface;
 use Symfony\Component\Mime\Address;
 use Symfony\Component\Routing\Annotation\Route;
-use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
 use SymfonyCasts\Bundle\ResetPassword\Controller\ResetPasswordControllerTrait;
 use SymfonyCasts\Bundle\ResetPassword\Exception\ResetPasswordExceptionInterface;
 use SymfonyCasts\Bundle\ResetPassword\ResetPasswordHelperInterface;
+use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 
 #[Route('/reset-password')]
 class ResetPasswordController extends AbstractController
@@ -72,7 +72,7 @@ public function checkEmail(): Response
      * Validates and process the reset URL that the user clicked in their email.
      */
     #[Route('/reset/{token}', name: 'app_reset_password')]
-    public function reset(Request $request, UserPasswordEncoderInterface $passwordEncoder, string $token = null): Response
+    public function reset(Request $request, UserPasswordHasherInterface $passwordHasher, string $token = null): Response
     {
         if ($token) {
             // We store the token in session and remove it from the URL, to avoid the URL being
@@ -107,7 +107,7 @@ public function reset(Request $request, UserPasswordEncoderInterface $passwordEn
             $this->resetPasswordHelper->removeResetRequest($token);
 
             // Encode the plain password, and set it.
-            $encodedPassword = $passwordEncoder->encodePassword(
+            $encodedPassword = $passwordHasher->hashPassword(
                 $user,
                 $form->get('plainPassword')->getData()
             );