add an AccessDeniedHandler (fail) and a controller that allow to repr…

…oduce the issue described in symfony/symfony#25806
Rebolon · Jan 16, 2018 · d13adb1 · d13adb1
1 parent 9e61221
commit d13adb1
Show file tree

Hide file tree

Showing 7 changed files with 81 additions and 3 deletions.
diff --git a/README.md b/README.md
@@ -22,7 +22,7 @@ Here is how it has been created:
 
 * composer create-project symfony/skeleton sf-flex-encore-vuejs
 * cd sf-flex-encore-vuejs
-* composer req encore annotations twig api http profiler log doctrine-migrations admin webonyx/graphql-php
+* composer req encore annotations twig api http profiler log doctrine-migrations admin webonyx/graphql-php sec-checker
 * composer require --dev doctrine/doctrine-fixtures-bundle
 * yarn add vue vue-router quasar-framework quasar-extras vuelidate vue-apollo@next graphql apollo-client apollo-link apollo-link-http apollo-link-error apollo-cache-inmemory graphql-tag react react-dom prop-types
 * yarn add --dev vue-loader vue-template-compiler vue-router react-loader babel-preset-es2017 babel-preset-react testcafe sass-loader node-sass bootstrap@4.0.0-beta.2
@@ -76,6 +76,7 @@ The test_browser section represent all the browsers you want to use with the tes
 ## components
 
 * flex: new symfony system to make web dev life easier ; it works with recipes
+* sec-checker: a symfony component that will check security vulnerabilities from your PHP dependencies.
 * vuejs: top js framework to build SPA, or just widget on classic page
 * quasar: UX component library based on VueJS
 * encore: symfony solution to wrap webpack config and, once again, make your life simpler

diff --git a/config/packages/security.yaml b/config/packages/security.yaml
@@ -19,12 +19,13 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
         vuejs:
-            pattern: ^/(demo/(vuejs|form|login/(json|json/isloggedin|json/logout))|api)
+            pattern: ^/(demo/(vuejs|form|login/json(|/isloggedin|/logout||issue/*))|api)
             anonymous: ~
             json_login:
                 check_path: /demo/login/json
                 # this doesn't work, see in the security.yaml:12 for more explanation
                 #check_path: demo_login_json_check
+                failure_handler: App\Security\AccessDeniedHandler
             logout:
                 path:   demo_login_json_logout
                 target: index

diff --git a/db-model.png b/db-model.png
diff --git a/src/Controller/LoginJsonController.php b/src/Controller/LoginJsonController.php
@@ -57,7 +57,7 @@ public function loginJson(Request $request, CsrfToken $csrfTokenManager)
      * @todo: should we let it as is, or always return a 200 and in the Json content set the isLoggedIn to 0 or 1 ?
      * For instance i stay on my first choice
      *
-     * @Security("is_granted('IS_AUTHENTICATED_FULLY')")
+     * @Security("is_granted('IS_AUTHENTICATED_FULLY')", statusCode=403)
      * @Route(
      *     "/demo/login/json/isloggedin",
      *     name="demo_secured_page_is_logged_in",

diff --git a/src/Controller/_FIX_ISSUE_SF_25806_Controller.php b/src/Controller/_FIX_ISSUE_SF_25806_Controller.php
@@ -0,0 +1,28 @@
+<?php
+
+namespace App\Controller;
+
+use Symfony\Bundle\FrameworkBundle\Controller\Controller;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Method;
+use Sensio\Bundle\FrameworkExtraBundle\Configuration\Security;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\Routing\Annotation\Route;
+
+/**
+ * This class is just here to reproduce the behavior described in this issue:
+ * https://github.com/symfony/symfony/issues/25806
+ */
+class _FIX_ISSUE_SF_25806_Controller extends Controller
+{
+    /**
+     * @Security("is_granted('IS_AUTHENTICATED_FULLY')")
+     * @Route(
+     *     "/demo/login/json/issue/sf-25806",
+     *     )
+     * @Method({"GET"})
+     */
+    public function reproductionForIssueSF28506()
+    {
+        return new JsonResponse("data");
+    }
+}
diff --git a/src/EventSubscriber/ApiAuthSubscriber.php b/src/EventSubscriber/ApiAuthSubscriber.php
@@ -9,6 +9,17 @@
 use Symfony\Component\Security\Core\Exception\AccessDeniedException;
 use Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException;
 
+/**
+ * Class ApiAuthSubscriber
+ *
+ * This is for the Api-Platform Exception management. An issue has been created : https://github.com/api-platform/api-platform/issues/519
+ * I'll try to modify the behavior of ApiPlatform like Dunglas asked but for instance this is a Subscriber that can manage
+ * this for me.
+ *
+ * @todo remove this class if the solution of Dunglas is OK and merged into master
+ *
+ * @package App\EventSubscriber
+ */
 final class ApiAuthSubscriber implements EventSubscriberInterface
 {
     public static function getSubscribedEvents()

diff --git a/src/Security/AccessDeniedHandler.php b/src/Security/AccessDeniedHandler.php
@@ -0,0 +1,37 @@
+<?php
+
+namespace App\Security;
+
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\JsonResponse;
+
+// seen on this documentation https://symfony.com/doc/current/security/access_denied_handler.html
+use Symfony\Component\Security\Core\Exception\AccessDeniedException;
+use Symfony\Component\Security\Http\Authorization\AccessDeniedHandlerInterface;
+
+// but seems unrelated to json_login system :
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
+
+/**
+ * Class AccessDeniedHandler
+ *
+ * For Security Component, you need to implement your own AccessDeniedHandler
+ *
+ * @package App\Api\Security\Security
+ */
+// When i just implement AccessDeniedHandlerInterface as said on the doc, then i got a 500 :
+// Type error: Argument 1 passed to Symfony\Component\Security\Http\Authentication\CustomAuthenticationFailureHandler::__construct() must implement interface Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface, instance of App\Security\AccessDeniedHandler given, called in C:\dev\projects\fiducial\sf-flex-encore-vuejs\var\cache\dev\ContainerI18QW6b\getSecurity_Authentication_Listener_Json_VuejsService.php on line 8
+//class AccessDeniedHandler implements AccessDeniedHandlerInterface
+class AccessDeniedHandler implements AuthenticationFailureHandlerInterface, AccessDeniedHandlerInterface
+{
+    public function handle(Request $request, AccessDeniedException $accessDeniedException)
+    {
+        return new JsonResponse($accessDeniedException->getMessage(), 403);
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
+    {
+        return new JsonResponse($exception->getMessage(), 403);
+    }
+}