[Security] Automatically provide entry points from the custom_authenticator #37075
Conversation
28515bf to
9e7959d
Compare
|
|
||
| $entryPoints = []; | ||
| foreach ($config['services'] as $authenticatorId) { | ||
| if (class_exists($authenticatorId) && is_subclass_of($authenticatorId, AuthenticationEntryPointInterface::class)) { |
There was a problem hiding this comment.
Sadly, we can't do $container->findDefinition($authenticatorId)->getClass() here, as the ContainerBuilder is scoped for this extension.
Is there some magic trick we can do here to also check for non-FQCN service IDs?
|
Another suggestion - provided by @althaus:
cc @weaverryan do you have an opinion on how to handle this? (you're often better in recognizing the difference between "too magic" and "DX-friendly" than I am) |
|
My first impression was: yay! But... when I think further, I realize that eventually, you might have ugly config like this: main:
form_login: ~
entry_point: form_login
custom_authenticators:
services: [App\Security\CustomAuthenticator, App\Security\AnotherCustomAuthenticator]
entry_point: App\Security\CustomAuthenticatorIn this case, the So, I can think of 2 options:
So... probably 2 is best. In both cases, I'd like to avoid the |
|
@weaverryan 2 notes and that's why I think improving the log message is the best we can do:
|
|
Closing, see my previous comment on why I no longer believe this PR can ever work. I'll create another one that improves logging. |
… as entry_point (if supported) (wouterj) This PR was squashed before being merged into the 5.2 branch. Discussion ---------- [Security] Automatically register custom authenticator as entry_point (if supported) | Q | A | ------------- | --- | Branch? | 5.2 (hopefully?) | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | Fix #37068 | License | MIT | Doc PR | - @weaverryan came up with exactly the same issue as proposed by a contributor before (see referenced ticket). Back then, it was decided impossible to fix: see #37075. However, after some thinking we came up with a way to fix the issue and improve the DX for custom authenticators. The new authenticators are no longer required to implement `AuthenticationEntryPointInterface` (required for internal authenticators like the `RememberMeAuthenticator` and pre authenticated ones). This PR uses a compiler pass to check if a custom authenticator is supported: ```yaml security: firewalls: main: # in any case, if an entry_point is already configured it'll not be overriden # (http_basic remains the entry point here) http_basic: ~ custom_authenticator: App\Security\CustomAuthenticator entry_point: http_basic # if only one custom authenticator implements AuthenticationEntryPointInterface, # it's automatically configured as the entry point custom_authenticator: App\Security\CustomAuthenticator custom_authenticators: [App\Security\CustomAuthenticator, App\Security\NoEntryPointAuthenticator] # if no custom authenticator implements AuthenticationEntryPointInterface, # an error is thrown custom_authenticator: App\Security\NoEntryPointAuthenticator # if more than one authenticator implements AuthenticationEntryPointInterface, # the entry point must be configured explicitly (or an error is thrown) custom_authenticators: [App\Security\CustomAuthenticator, App\Security\AnotherCustomAuthenticator] entry_point: App\Security\CustomAuthenticator ``` --- I know this is very late for Symfony 5.2. It would be good to decide whether this can be included in the release, in order to smooth out the biggest struggle for people using custom authenticators for the first time. Commits ------- cab0672 [Security] Automatically register custom authenticator as entry_point (if supported)
This PR allows the custom authenticator factory to automatically configure the entry point or fail with an error if more than 1 entry point could be configured. This makes it behave the same as the guard factory.