fa0d02a9ac
This hardcodes the user, and has some other issues, so it is not yet complete. We follow mastodon's spec for automatic client registration, available at both `/api/v1/apps` and a more reasonable `/oauth/client`. This accepts a JSON POST with the client info and returns JSON with a `client_id` and a `client_secret`, to be used with `/oauth/authorize` and `/oauth/token`. It also, seemingly, requires returning an `id` with unclear purpose. The `/oauth/token` endpoint doesn't currently return a `me` field.
59 lines
2.0 KiB
YAML
59 lines
2.0 KiB
YAML
security:
|
|
enable_authenticator_manager: true
|
|
password_hashers:
|
|
App\Entity\LocalUser:
|
|
algorithm: auto
|
|
# https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
|
|
providers:
|
|
local_user:
|
|
chain:
|
|
providers: [local_user_by_nickname, local_user_by_email]
|
|
local_user_by_nickname:
|
|
entity:
|
|
class: 'App\Entity\LocalUser'
|
|
property: 'nickname'
|
|
local_user_by_email:
|
|
entity:
|
|
class: 'App\Entity\LocalUser'
|
|
property: 'outgoing_email'
|
|
firewalls:
|
|
dev:
|
|
pattern: ^/(_(profiler|wdt)|css|images|js)/
|
|
security: false
|
|
oauth:
|
|
pattern: ^/oauth
|
|
security: false
|
|
main:
|
|
entry_point: App\Security\Authenticator
|
|
guard:
|
|
authenticators:
|
|
- App\Security\Authenticator
|
|
provider: local_user
|
|
form_login:
|
|
login_path: security_login
|
|
check_path: security_login
|
|
enable_csrf: true
|
|
logout:
|
|
path: security_logout
|
|
# where to redirect after logout
|
|
target: root
|
|
|
|
remember_me:
|
|
secret: '%kernel.secret%'
|
|
secure: true
|
|
httponly: '%remember_me_httponly%'
|
|
samesite: '%remember_me_samesite%'
|
|
token_provider: 'Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider'
|
|
|
|
# activate different ways to authenticate
|
|
# https://symfony.com/doc/current/security.html#firewalls-authentication
|
|
|
|
# https://symfony.com/doc/current/security/impersonating_user.html
|
|
# switch_user: true
|
|
|
|
# Easy way to control access for large sections of your site
|
|
# Note: Only the *first* access control that matches will be used
|
|
access_control:
|
|
- { path: ^/admin, roles: ROLE_OPERATOR }
|
|
- { path: ^/settings, roles: ROLE_VISITOR }
|