gnu-social/config/packages/security.yaml
Hugo Sales fa0d02a9ac
[PLUGIN][OAuth2] Start adding OAuth2 support with client registration
This hardcodes the user, and has some other issues, so it is not yet
complete.

We follow mastodon's spec for automatic client registration, available
at both `/api/v1/apps` and a more reasonable `/oauth/client`. This
accepts a JSON POST with the client info and returns JSON with a
`client_id` and a `client_secret`, to be used with `/oauth/authorize`
and `/oauth/token`. It also, seemingly, requires returning an `id`
with unclear purpose.

The `/oauth/token` endpoint doesn't currently return a `me` field.
2022-01-25 13:35:44 +00:00


---
# Symfony security configuration for GNU social.
# Firewalls are matched top to bottom and the first one whose `pattern` matches
# the request wins, so the order of the `firewalls` entries is significant;
# `main` has no pattern and catches everything the earlier firewalls did not.
security:
  # Use the authenticator-based security system (Symfony 5.x).
  enable_authenticator_manager: true

  password_hashers:
    # `auto` lets Symfony choose the best available hashing algorithm.
    'App\Entity\LocalUser':
      algorithm: auto

  # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
  providers:
    # Look the user up by nickname first, then by outgoing e-mail address;
    # the chain is tried in this order.
    local_user:
      chain:
        providers:
          - local_user_by_nickname
          - local_user_by_email
    local_user_by_nickname:
      entity:
        class: 'App\Entity\LocalUser'
        property: nickname
    local_user_by_email:
      entity:
        class: 'App\Entity\LocalUser'
        property: outgoing_email

  firewalls:
    # Profiler / debug toolbar and static assets are served with security off.
    dev:
      pattern: '^/(_(profiler|wdt)|css|images|js)/'
      security: false
    # NOTE(review): `security: false` switches the security system off for every
    # `/oauth*` route, including `/oauth/authorize`, so no authenticated user is
    # available there — consistent with the commit message's note that the user
    # is currently hardcoded. Revisit once the OAuth2 plugin resolves the
    # logged-in user itself.
    oauth:
      pattern: '^/oauth'
      security: false
    main:
      entry_point: 'App\Security\Authenticator'
      # NOTE(review): with the authenticator manager enabled, `guard`
      # authenticators run through a compatibility layer that is deprecated
      # since Symfony 5.3 (`custom_authenticators` is the replacement) —
      # confirm against the Symfony version in use.
      guard:
        authenticators:
          - 'App\Security\Authenticator'
      provider: local_user
      form_login:
        login_path: security_login
        check_path: security_login
        # Login form submissions must carry a CSRF token.
        enable_csrf: true
      logout:
        path: security_logout
        # where to redirect after logout
        target: root
      remember_me:
        secret: '%kernel.secret%'
        # Cookie flags: sent only over HTTPS; HttpOnly and SameSite are taken
        # from container parameters.
        secure: true
        httponly: '%remember_me_httponly%'
        samesite: '%remember_me_samesite%'
        # Doctrine-backed persistent token store rather than a cookie-only token.
        token_provider: 'Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider'
      # activate different ways to authenticate
      # https://symfony.com/doc/current/security.html#firewalls-authentication
      # https://symfony.com/doc/current/security/impersonating_user.html
      # switch_user: true

  # Easy way to control access for large sections of your site
  # Note: Only the *first* access control that matches will be used
  access_control:
    - path: '^/admin'
      roles: ROLE_OPERATOR
    - path: '^/settings'
      roles: ROLE_VISITOR