-
-
Notifications
You must be signed in to change notification settings - Fork 612
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Security] Deprecate current system in favor of a JWTTokenAuthenticator (Guard) #184
Conversation
@weaverryan Your help would be really appreciated, as your are the father of this great tool (guard). |
@chalasr The main idea for V2 is to replace the legacy system by a new one based on the Guard Component. It would help transition but it would also mean too much work to maintain both systems. |
@slashfan Agreed, though upgrading can stay soft using the JWTGuardFactory that could reproduce the same configuration as for the legacy system ( We also even need some security options such as |
@chalasr Agreed ! Let's try to keep the transition smooth, we'll remove the old system in a V3 |
c340d54
to
46ca099
Compare
@slashfan I'm facing an issue. One of the main advantages of Guard is that the end user can have several authenticators per firewall. firewalls:
api:
lexik_jwt_guard: ~ Instead of the "normal" way: firewalls:
api:
guard:
lexik_jwt_authenticator.jwt_authenticator Because like this (second way), we can't pass any config option. I'll investigate, then keep you informed. |
We could move the security configuration to the bundle configuration (extractors, prefix) and use it to configure the lexik_jwt_authenticator.jwt_authenticator service. By default the bundle would provide one preconfigured authenticator (this one) and if another firewall needs to use JWT with a different configuration the developer would just have to create another authenticator service extending this one and overriding its configuration. What do you think ? That would simplify the factory. |
@slashfan It seems to be the better alternative, good idea! Now that we go in this way, I'm not sure about the usefulness of the factory added here, I'm afraid that it could be more confusing than useful, let me know what do you think. BTW, the branch of this PR is part of the main repo, not on my fork, do not hesitate to make changes as you want. |
Even better if we can get rid of the new factory class ! Less code = less problems :) |
9e6b8ca
to
7a46f92
Compare
I would like to discuss about some of our current config options, in order to keep them or not during the migration to Guard. The primary point of the Next, the That's all. All opinions are really welcome. |
000ac15
to
fd58b3f
Compare
bca69f6
to
9a0d9d7
Compare
e10e23c
to
e6a187b
Compare
d4fe3ff
to
5a57443
Compare
2ba412d
to
baab05a
Compare
baab05a
to
4df86f5
Compare
Retrieve user from the dynamic userProvider Catch possible encode/decode failure exceptions (better after #162) Handle token extractors configuration Split configuration for readability Require browser-kit for tests Refactor functional tests structure Add more functional tests Depreciate current system classes Tests subscribing to authentication events Update CHANGELOG according to these changes Document config-related changes in UPGRADE.md Deprecate JWTManagerInterface in favor of JWTTokenManagerInterface Improve functional tests by adding CallableEventSubscriber Avoid calling onAuthenticationFailure() from start() Grammar Scrutinizer fixes
* Refactor encoder exceptions * Define encode/decode exceptions message from Encoder, Remove auto-renew behavior * Code quality tweeaks
565ccfe
to
358ff29
Compare
358ff29
to
595fa5f
Compare
* Document how to add/remove token extractors
595fa5f
to
63d7e55
Compare
I plan to merge this one in the next days |
See #132 discussion.
@slashfan after you started to work on, I made some changes.
I'm really not an expert in the Guard component itself, but it seems make our life easier from all sides.
Should we propose it as an alternative or deprecate the "legacy" way in favor of this?What's next?Exclude legacy tests from CIMute deprecations using symfony/phpunit-bridge