👍

@wouterj shouldn't authenticateUser take care of the user checker ?

If the API is up to debate, would the following work too? It's the API I use to login users manually in tests:

public function login(UserInterface $user, string $firewallName ='main');

The API is definitely up in the air. It's just a proposal. I would rather avoid calling it only login though because IMO the name should highlight this isn't how you implement a login feature where the user logs in via this method after you checked their password or whatever. It's simply a way to programmatically trigger a login for special cases.

Maybe we could use name like:

• simulateUserLogin(),
• authenticateUser()

Only suggestion 🙃 but that being said I'm all for it cause I end up in every project implementing such functionality for tests.

@stloyd Note that for tests, as of 5.1 there is https://symfony.com/blog/new-in-symfony-5-1-simpler-login-in-tests

I won't comment on the API proposal itself, as I have not been following "recent" developments in the auth area of Symfony, but I would warmly welcome simple, well documented and cast-in-stone methods to programatically log in / log out users.

ATM the process for me to log in a specific user in say, a console command, or in a controller for some crazy convoluted usecase is to... google it. The results which come up are generally different, varying on Symfony version, and do not instill great confidence for something as security critical.

With guard authenticators, make:registration-form gives you a working example of how to login from a controller. I always assumed that it was the 'right way' to do things.

Unlike make:auth, the registration command has not yet been updated to generate the proper line of code for the new 5.2 experimental stuff but I assume that will happen at some point. But it's easy enough to do. Sure you need to know about the UserAuthenticatorInterface and the security bundle's UserAuthenticator class but that seems to be a question of updating the documentation.

As far as logging in from a console command, considering that so much of the new security stuff is in the Security\Http namespace then I don't know how you could even approach it. I get wanting to do it for functional tests but to casually login to a console command and then authorize something? Seems like a hack no matter what you do.

This would be a great feature of the framework. We needed to authenticate the user after register, so we've created a custom service which handles the authentication by injecting LoginFormAuthenticator, GuardAuthenticatorHandler and RememberMeServicesInterface to make it work.

I'm not sure about code's stability, though, since we kind of bypass the authentication mechanism (by manually calling $guardAuthenticatorHandler->onAuthenticationHandler() after performing other required steps. So having it provided by the framework, it would be great.

Additionally, I'm not sure how this could be wrapped -- AFAIK, Authentication Manager will be the default in 6.0

This could also be an opportunity to fix #37575.

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

Nope, but #41274 is on the case 👍🏻

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

Carson! Hold your horses! :)

Up until now this could be done like this:

public function refreshToken(UserInterface $user): void
    {
        $this->container->get(TokenStorageInterface::class)->setToken(
            new UsernamePasswordToken($user, 'main', $user->getRoles())
        );
    }

Looking forward to implement the cleaner method in my project.