Skip to content

[Security] Allow in memory user to have extra fields #40097

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
wants to merge 1 commit into from
Closed

[Security] Allow in memory user to have extra fields #40097

wants to merge 1 commit into from

Conversation

noniagriconomie
Copy link
Contributor

@noniagriconomie noniagriconomie commented Feb 4, 2021
edited
Loading

Q A
Branch? 5.x
Bug fix? no
New feature? yes
Deprecations? no
Tickets Fix #40091
License MIT
Doc PR symfony/symfony-docs#14928 
# config/packages/security.yaml
security:
    providers:
        users_in_memory:
            memory:
                users:
                    aa: {password: 'aa', roles: 'ROLE_USER'}
                    bb: {password: 'bb', roles: ['ROLE_ADMIN', 'ROLE_USER'], extra_fields: {'name': 'John', 'age': 77}}
// $user -> Symfony\Component\Security\Core\User\User
$user->getExtraFields()['age']; // 77

@noniagriconomie noniagriconomie force-pushed the feature-40091 branch 3 times, most recently from 474eb6b to 365d506 Compare February 4, 2021 18:43
@noniagriconomie noniagriconomie changed the title [Security] Allow in memory user to have extra fields [WIP] [Security] Allow in memory user to have extra fields Feb 4, 2021
@noniagriconomie noniagriconomie changed the title [WIP] [Security] Allow in memory user to have extra fields [Security] Allow in memory user to have extra fields Feb 4, 2021
@noniagriconomie noniagriconomie mentioned this pull request Feb 4, 2021
Closed
@noniagriconomie noniagriconomie mentioned this pull request Feb 5, 2021
Merged
fabpot added a commit that referenced this pull request Feb 5, 2021
@fabpot
minor #40101 Update PULL_REQUEST_TEMPLATE.md (noniagriconomie)
c3d8328 
This PR was submitted for the 5.x branch but it was merged into the 4.4 branch instead.

Discussion
----------

Update PULL_REQUEST_TEMPLATE.md

| Q             | A
| ------------- | ---
| Branch?       | 5.x
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | See #40097 (comment)
| License       | MIT
| Doc PR        | Doc introduced in symfony/symfony-docs#14830

ping @OskarStark do you think this can be valuable here? as this file is the entry point of all PRs

Commits
-------

41c7796 Update PULL_REQUEST_TEMPLATE.md
chalasr
chalasr requested changes Feb 5, 2021
View reviewed changes
Copy link
Member

@chalasr chalasr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A functional test would be nice :)

@chalasr chalasr added this to the 5.x milestone Feb 5, 2021
@stof
Copy link
Member

stof commented Feb 5, 2021

Does this really fit in the architecture of the new system where this User class is considered for deprecation ?

@ro0NL
Copy link
Contributor

ro0NL commented Feb 6, 2021

given the current situation, i figured the mapping was missing from an implementation pov, hence im 👍🏻

however i do think we should rename it to InMemoryUser eventually

LdapUser provides the same feature set, let alone user entites in the wild providing the full app feature set ... then this seems reasonable :)

@wouterj
Copy link
Member

wouterj commented Feb 6, 2021

I personally only see a use-case for the in-memory provider in simple demo applications. Do we really want to advocate using it in real applications? If the answer is no, then I'm in favor of not adding more lines that we need to maintain.

(btw, I would not say that the User is up for deprecation, but hopefully the credential related methods are. Any security system needs to have some sort of user/principal)

@ro0NL
Copy link
Contributor

ro0NL commented Feb 6, 2021

https://symfony.com/doc/current/security/user_provider.html#memory-user-provider

It’s not recommended to use this provider in real applications because of its limitations and how difficult it is to manage users.

we fix some limitation here. Managing YAML is debatable 😁

It may be useful in application prototypes and for limited applications that don’t store users in databases.

So it is useful for limited (non-prototype) apps actually?

IMHO it's just a persistence layer, and if in-memory fits ... it fits :)

@wouterj
Copy link
Member

wouterj commented Feb 6, 2021

It's not a "real" persistence layer, as it requires to use Symfony's User. Btw, it's very easy to implement your own in-memory user provider that uses a custom User class with all properties it needs:

class MyInMemoryUserProvider implements UserProvider
{
    private const USERS = [
        'wouter' => [...],
        // ...
    ];

    public function loadUserByUsername(string $username)
    {
        if (!$user = self::USERS[$username] ?? false) {
            throw new UsernameNotFoundException();
        }

        return new AppUser($user['username'], $user['password'], ...);
    }

    public function refreshUser(UserInterface $user)
    {
        return $this->loadUserByUsername($user->getUsername());
    }

    public function supportsClass(string $class)
    {
        return is_a($class, AppUser::class);
    }
}

So I'm honestly leaning more and more towards not adding more properties to the User class.

@Nyholm
Copy link
Member

Nyholm commented Feb 6, 2021

I personally only see a use-case for the in-memory provider in simple demo applications.

For context,
I've used in-memory provider on apps that only have one or two API users. Think of an internal microservice with a HTTP API.

@noniagriconomie
Copy link
Contributor Author

Hello, i am not aware of the deprecation of this class, where can i find more?

Also, as the prop already exists, i think it is more « finishing » the implementation than adding a new one
I do use very much this feature of in memory provider for apps where i do need only one or very few users (api, unitary admin) and having this extrafields could help avoid adding user related data in a « hacky » way

@chalasr
Copy link
Member

chalasr commented Feb 7, 2021

We don't need to deprecate this class and the corresponding provider, only renaming it (already possible) and make it follow the rework of the UserInterface when it's time to.
This makes configurable a property that already exists on something that has no on-going rework and has been proven useful, nothing fancy here.
There is no reason to "feature freeze" this code area, I think we should relax and just let the work happen as it comes.

@chalasr
Copy link
Member

chalasr commented Feb 14, 2021

Rebase needed. Don't hesitate to tell us if you need help to finish this PR @noniagriconomie

@noniagriconomie noniagriconomie force-pushed the feature-40091 branch 5 times, most recently from ad04e86 to 4c4ee49 Compare February 18, 2021 09:37
@noniagriconomie
Copy link
Contributor Author

@chalasr rebase done and a test added
review appreciated :)

@chalasr chalasr self-requested a review February 18, 2021 10:17
OskarStark
OskarStark approved these changes Feb 23, 2021
View reviewed changes
src/Symfony/Component/Security/Core/Tests/User/InMemoryUserProviderTest.php
@@ -25,6 +25,7 @@ public function testConstructor()
$user = $provider->loadUserByUsername('fabien');
$this->assertEquals('foo', $user->getPassword());
$this->assertEquals(['ROLE_USER'], $user->getRoles());
$this->assertEquals(['name' => 'John', 'age' => 77, 'salary' => 1234.56], $user->getExtraFields());
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

assertSame ?

Same for the others in this file

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I do not know if it is related to this PR to change the method name

and for this new added line I just duplicate the above line to keep things similar

if asked/decided I can handle it inside this PR of course :)

@fabpot
Copy link
Member

fabpot commented Feb 25, 2021

I agree with @wouterj and I don't think we want to add this feature. I understand the use case and I have the same on some small applications. But as already mentioned, there are simple ways to achieve what you want without support in the framework. Even if adding it in core in not a lot of code, I think that this sends the wrong signal.

@OskarStark
Copy link
Contributor

@noniagriconomie would you then send the proposed code snippet by Wouter as a docs PR to help others achieve this more easily? Thanks

@wouterj
Copy link
Member

wouterj commented Feb 25, 2021

For reference: the extraFields property in User was added specially for LDAP: #31532 (back then, the specialized LdapUser didn't exists yet). It may even make sense to deprecate that functionality in the main User imho.

@noniagriconomie
Copy link
Contributor Author

hey, ok understood even if I really thought this was a nice addition
lets close for now, I will see if a doc snippet could be usefull

@noniagriconomie noniagriconomie deleted the feature-40091 branch March 3, 2021 08:11
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@OskarStark OskarStark OskarStark approved these changes

@wouterj wouterj Awaiting requested review from wouterj

@chalasr chalasr Awaiting requested review from chalasr

Assignees
No one assigned
Labels
Feature Security Status: Reviewed
Projects
None yet
Milestone
5.4
Development

Successfully merging this pull request may close these issues.

Allow extra fields on memory users config.
9 participants
@noniagriconomie @stof @ro0NL @wouterj @Nyholm @chalasr @fabpot @OskarStark @carsonbot