Welcome back! In the previous lesson, we enhanced the security of our Symfony MVC application by hashing passwords during user registration. Now, it's time to take another crucial step in securing our application: implementing user login and securing routes.

Authentication ensures that only registered users can access certain parts of your application, while authorization controls what those users can do within the app. By the end of this lesson, you will be able to add user login functionality and secure routes in your Symfony MVC application.

Before we start implementing the security features, we need to ensure that Symfony's security bundle is installed in our project. This bundle provides all the necessary tools and configuration options to manage authentication and authorization.

To install the security bundle, run the following Composer command:

Bash
Copy to clipboard
1composer require symfony/security-bundle

This command will add the security bundle to your project, and Symfony will automatically update your configuration files to include the default security settings.

First, we need to make our User entity compatible with Symfony's security system, which requires that the entity implement UserInterface and PasswordAuthenticatedUserInterface. These interfaces define the methods necessary for authentication and password management.

Here’s how we update our User entity to implement these interfaces:

php
Copy to clipboard
1<?php
2
3namespace App\Entity;
4
5use Doctrine\ORM\Mapping as ORM;
6use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
7use Symfony\Component\Security\Core\User\UserInterface;
8
9#[ORM\Entity(repositoryClass: "App\Repository\UserRepository")]
10#[ORM\Table(name: "users")]
11#[ORM\UniqueConstraint(name: "username_unique", columns: ["username"])]
12class User implements UserInterface, PasswordAuthenticatedUserInterface
13{
14    #[ORM\Id]
15    #[ORM\GeneratedValue]
16    #[ORM\Column(type: "integer")]
17    private $id;
18
19    #[ORM\Column(type: "string", length: 255, unique: true)]
20    private $username;
21
22    #[ORM\Column(type: "string", length: 255)]
23    private $password; // Hashed password
24
25    #[ORM\Column(type: "json")]
26    private array $roles = [];
27
28    // Other methods previously implemented...
29
30    public function getRoles(): array
31    {
32        $roles = $this->roles;
33        $roles[] = 'ROLE_USER';
34
35        return array_unique($roles);
36    }
37
38    public function setRoles(array $roles): self
39    {
40        $this->roles = $roles;
41
42        return $this;
43    }
44
45    public function eraseCredentials()
46    {
47        // If you store any temporary, sensitive data, clear it here
48    }
49}

We implement the UserInterface and PasswordAuthenticatedUserInterface in our User entity to allow Symfony to handle our users correctly for authentication. This ensures that our Symfony application can identify users accurately and manage their roles. For instance, the getRoles() method returns the roles assigned to the user, ensuring every user has at least the role ROLE_USER.

Next, we need to ensure that every new user gets a default role. In our UserService, we set the user's role when we create a new user:

php
Copy to clipboard
1<?php
2
3namespace App\Service;
4
5use App\Entity\User;
6use App\Repository\UserRepository;
7use Doctrine\ORM\EntityManagerInterface;
8use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
9
10class UserService
11{
12    // Properties, constructor and other methods...
13
14    public function create(string $username, string $plainPassword): User
15    {
16        $user = new User();
17        $user->setUsername($username);
18
19        $hashedPassword = $this->passwordHasher->hashPassword($user, $plainPassword);
20        $user->setPassword($hashedPassword);
21
22        $user->setRoles(['ROLE_USER']); // Set default role as 'ROLE_USER'
23
24        $this->entityManager->persist($user);
25        $this->entityManager->flush();
26
27        return $user;
28    }
29}

In the create method, we set a default role ROLE_USER using the setRoles method. This ensures every new user has the role required to access protected routes. By doing this, we control user permissions right from the moment a new user is created, making the application secure by default.

Before we dive into configuring our security settings, let's take a moment to understand how Symfony's security bundle works. This bundle is crucial for managing authentication (verifying who a user is) and authorization (determining what a user is allowed to do).

There are several key components within the security bundle:

1. Firewalls: Think of firewalls as gatekeepers that manage the login process and protect certain parts of your application. Firewalls decide whether a user can enter based on their credentials.
2. Providers: These retrieve user information, like usernames and passwords, from a data source, such as a database.
3. Encoders/Password Hashers: Tools that securely encode and check user passwords.
4. Access Control: Rules that define which users or roles have permission to access specific parts of your application.

All these components are configured in a special file called security.yaml. This file is located in the config/packages/ directory of your Symfony project. The security.yaml file is essentially the control center for handling how users log in and what they can do within your app. By setting up this file correctly, you ensure your application is secure and that users only access what they are supposed to.

Let's start by understanding how to configure the security settings in the security.yaml file:

YAML
Copy to clipboard
1security:
2    # Enables the new authenticator-based system
3    enable_authenticator_manager: true
4
5    password_hashers:
6        App\Entity\User:
7            # Automatically select the best hashing algorithm
8            algorithm: auto
9
10    providers:
11        app_user_provider:
12            entity:
13                # User entity class
14                class: App\Entity\User
15                # Unique property used to load the user
16                property: username

Here’s what each section does:

• enable_authenticator_manager: This enables Symfony’s new system for handling authentication.
• password_hashers: This part configures how passwords are hashed (encrypted) when users are interacting with our User entity.
• providers: This defines where Symfony should look for user data. We specify the User entity and the unique identifier (username) used to load the user.

Now we will set up the firewalls that control access to different parts of our application:

YAML
Copy to clipboard
1    firewalls:
2        dev:
3            # Matches paths for development tools and assets
4            pattern: ^/(_(profiler|wdt)|css|images|js)/
5            # Disable security for these paths
6            security: false
7
8        main:
9            # Lazy load the firewall
10            lazy: true
11            # Use the app_user_provider for user data
12            provider: app_user_provider
13
14            form_login:
15                # Path to the login page and login check route
16                login_path: user_auth
17                check_path: user_auth
18                # Default path after successful login
19                default_target_path: todo_list
20                # Always redirect to the default path after login
21                always_use_default_target_path: true

Here’s a breakdown:

• dev firewall: Disables security for development tools and assets like CSS and JavaScript files.
• main firewall: This is where the main application security is configured with form_login for handling user login:
  • login_path: The route for displaying the login form.
  • check_path: The same route used to check login credentials.
  • default_target_path: Where users are redirected after a successful login.
  • always_use_default_target_path: Always redirect users to the default path after login.

Even if you haven’t explicitly created a login route, Symfony manages this process using these settings. You simply specify where the login form should be shown and where to redirect after login.

Finally, we define access rules based on user roles:

YAML
Copy to clipboard
1    access_control:
2        # Require ROLE_USER for routes with /todos
3        - { path: ^/todos, roles: ROLE_USER }
4        # Allow public access to other routes
5        - { path: ^/, roles: PUBLIC_ACCESS }

Here’s how it works:

• ROLE_USER for /todos: Only users with the ROLE_USER can access routes starting with /todos.
• PUBLIC_ACCESS for other routes: Everyone can access other routes, including the authentication page, without needing to log in.

These rules ensure that only authorized users can access certain routes, while still allowing public access to other essential routes. This makes your application secure by default.

To complete the implementation, we need a user-friendly login interface. We'll create a simple login form using Twig:

HTML, XML
Copy to clipboard
1<!DOCTYPE html>
2<html>
3<head>
4    <title>User Authentication</title>
5</head>
6<body>
7    <h1>User Authentication</h1>
8
9    {% for message in app.flashes('success') %}
10        <div class="flash-success">
11            {{ message }}
12        </div>
13    {% endfor %}
14
15    {% for message in app.flashes('error') %}
16        <div class="flash-error">
17            {{ message }}
18        </div>
19    {% endfor %}
20
21    <form action="{{ path('user_auth') }}" method="post">
22        <label for="username">Username:</label>
23        <input type="text" id="username" name="_username" required><br><br>
24
25        <label for="password">Password:</label>
26        <input type="password" id="password" name="_password" required><br><br>
27
28        <button type="submit" formaction="{{ path('user_register') }}">Register</button>
29        <button type="submit">Login</button>
30    </form>
31</body>
32</html>

This HTML form provides fields for the username and password. The login_path is set to the user_auth route, defined in security.yaml. Here's how this works as a login system:

• Route Definition: The user_auth route refers to a controller action responsible for rendering this login template as well as handling the form submission.
• Form Submission: When a user submits the form, the credentials are sent via POST to the same user_auth route.
• Form Handling: Symfony automatically processes the login credentials, validates them against the user data from the provider, and checks the hashed passwords.
• Redirection: If the authentication is successful, the user is redirected to the default_target_path (todo_list), as set in security.yaml.

By defining the user_auth route and integrating it with Symfony's form login mechanism, we ensure the form serves both as a login page and a handler for the login process, making the system both efficient and secure.

Understanding the login process in Symfony is crucial for effectively securing your application. Here’s an overview of how the login process works:

1. User Submits Login Form: The user fills in their username and password and submits the login form. The form action directs the data to the user_auth route.

2. Symfony Handles Authentication: Symfony receives the login credentials and uses the security component to handle authentication. The form data (_username and _password) are processed by Symfony's security system.

3. Fetching User Data: The security component uses the specified provider (app_user_provider) to fetch the user data from the database based on the provided username.

4. Password Verification: The fetched user data includes the hashed password. Symfony uses the password hasher configured in security.yaml to verify the password by comparing the submitted password with the hashed one stored in the database.

5. Role Checking: Symfony checks the roles assigned to the user, ensuring they can access the requested resource. The roles are specified in the User entity and controlled through the access_control settings in security.yaml.

6. Setting the Session: If the authentication is successful, Symfony sets the user’s session, effectively logging them in.

7. Redirecting the User: Upon successful authentication, Symfony redirects the user to the default_target_path (e.g., todo_list), as specified in the security.yaml file. If authentication fails, the user is redirected back to the login page.

8. Access Control: On subsequent requests, Symfony uses the session data to verify the user's identity and roles, granting or denying access to different parts of the application based on the access_control settings.

This process ensures that only authenticated users can access protected routes, providing a secure way to manage user access in your Symfony application.

In this lesson, we covered:

• How to implement the UserInterface and PasswordAuthenticatedUserInterface in the User entity.
• Setting default roles in the UserService.
• Configuring the security.yaml for user login and route protection.
• Adapting the login template for a user-friendly experience.

These steps are crucial in ensuring that your Symfony application is secure and only accessible to authenticated users.

Next, you will have the opportunity to apply what you've learned through practice exercises. These exercises will help you reinforce the concepts and techniques covered in this lesson. Keep practicing to solidify your understanding and build a more secure Symfony application. Keep up the great work!