FOSFacebookBundle breaks "remember me" of FOSUserBundle - facebook

Problem:
We have been using the FOSUserBundle for Symfony2, and all works fine, including the "remember me".
We recently introduced FOSFacebookBundle. Since then the "remember me" for "normal" login is broken.
For example:
When we use ONLY FOSUser: if a user logs in via the login form and stays, for example, 5 hours without activity, after clicking any link everything continues to work, with the user logged in and identified.
When we activate FOSFacebook, the same user also logs in via the login form (not from Facebook) and stays some time without activity. After clicking any link, he is redirected to the login form, and after having entered his password again, he is redirected again to the target URL.
If we deactivate FOSFacebook from the config, the "remember me" for FOSUser works again correctly.
Question:
Is it normal that FOSFacebook breaks the FOSUser "natural" remember me for users not using FB?
It should work properly... can anyone see if we've made mistakes in our config files?
Config Files:
config.yml
# FOS User
fos_user:
    db_driver: %database_method% # other valid values are 'mongodb', 'couchdb'
    firewall_name: main
    user_class: Common\ODMBundle\Document\User
    from_email:
        address: %fos_email_address%
        sender_name: %fos_sender_name%
    profile:
        form:
            type: fos_user_profile
            handler: fos_user.profile.form.handler.default
            name: fos_user_profile_form
            validation_groups: [Profile]
    change_password:
        form:
            type: fos_user_change_password
            handler: fos_user.change_password.form.handler.default
            name: fos_user_change_password_form
            validation_groups: [ChangePassword]
    registration:
        confirmation:
            enabled: true
            template: FOSUserBundle:Registration:email.txt.twig
        form:
            type: fos_user_registration
            handler: fos_user.registration.form.handler.default
            name: fos_user_registration_form
            validation_groups: [Registration]
    resetting:
        token_ttl: 600
        email:
            template: FOSUserBundle:Resetting:email.txt.twig
        form:
            type: fos_user_resetting
            handler: fos_user.resetting.form.handler.default
            name: fos_user_resetting_form
            validation_groups: [ResetPassword]

# FOS facebook
fos_facebook:
    file: %kernel.root_dir%/../vendor/facebook/src/base_facebook.php
    alias: facebook
    app_id: xxxxxxxxxxxxxxx
    secret: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    cookie: true
    permissions: [email, user_birthday]
security.yml
security:
    providers:
        fos_userbundle:
            id: fos_user.user_manager
        my_fos_facebook_provider:
            id: my.facebook.user
    factories:
        - "%kernel.root_dir%/../vendor/bundles/FOS/FacebookBundle/Resources/config/security_factories.xml"
    firewalls:
        main:
            pattern: ^/
            fos_facebook:
                check_path: /login_checkFB
                default_target_path: /user/
                provider: my_fos_facebook_provider
            form_login:
                provider: fos_userbundle
                default_target_path: /user/
            logout: true
            anonymous: true
            switch_user: true
            remember_me:
                key: aSecretKey
                lifetime: 604800
                path: /
                domain: ~
    access_control:
        #- { path: ^/.*$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/private/, role: ROLE_USER }
        - { path: ^/user/, role: ROLE_USER }
        - { path: ^/admin/, role: ROLE_ADMIN }
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

After adding the Facebook login, your remember me starts using the Facebook provider to check the login credentials. You can add a user_provider to the remember_me config like this:
remember_me:
    key: aSecretKey
    lifetime: 604800
    path: /
    domain: ~
    user_provider: fos_userbundle
Adding this will fix your problem.
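Why the provider choice decides whether the cookie is accepted, shown with a small model of a token-based "remember me" cookie in the shape Symfony 2's TokenBasedRememberMeServices used. This is an added example, not Symfony, FOSUserBundle or FOSFacebookBundle code: the cookie layout (class, base64 username, expiry, digest) and the sha256(class.username.expires.password.key) recipe are recalled from Symfony 2.x and are an assumption, the user store and the two provider classes are constructed, and the "first provider that supports the user class" selection models what the service does when no `user_provider` is configured (in the firewall above, the fos_facebook listener precedes form_login, so its provider comes first).

```python
"""Model of a token-based "remember me" cookie and of why the user provider
the remember-me service consults decides whether the cookie validates.
Added example; layout and hash recipe are an assumption modelled on
Symfony 2.x, the user store is constructed."""
import base64
import hashlib
import hmac

USER_CLASS = "Common\\ODMBundle\\Document\\User"  # class name carried in the cookie

# Constructed store: alice registered via the login form, bob via Facebook.
USERS = {
    "alice": {"password": "$2y$10$alice-bcrypt-hash", "facebook_id": None},
    "bob": {"password": "$2y$10$bob-bcrypt-hash", "facebook_id": "100001"},
}


class UserNotFound(Exception):
    pass


class UsernameProvider:
    """Stands in for fos_userbundle: loadUserByUsername() looks up the username."""

    def supports_class(self, cls):
        return cls == USER_CLASS

    def load_user_by_username(self, identifier):
        if identifier not in USERS:
            raise UserNotFound(identifier)
        return USERS[identifier]


class FacebookProvider:
    """Stands in for the Facebook provider: same User class, but the identifier
    is treated as a Facebook id, so a form-login username never matches."""

    def supports_class(self, cls):
        return cls == USER_CLASS

    def load_user_by_username(self, identifier):
        for record in USERS.values():
            if record["facebook_id"] == identifier:
                return record
        raise UserNotFound(identifier)


def cookie_hash(cls, username, expires, password, key):
    # sha256(class . username . expires . password . key): binds the cookie to
    # the user's current password hash and to the firewall's remember_me key.
    return hashlib.sha256(f"{cls}{username}{expires}{password}{key}".encode()).hexdigest()


def issue_cookie(username, key, lifetime, now):
    """Build the cookie the way the login listener would after a form login."""
    expires = now + lifetime
    digest = cookie_hash(USER_CLASS, username, expires, USERS[username]["password"], key)
    parts = [USER_CLASS, base64.b64encode(username.encode()).decode(), str(expires), digest]
    return base64.b64encode(":".join(parts).encode()).decode()


def auto_login(cookie, providers, key, now):
    """Return the username if the cookie validates, else None (Symfony would then
    cancel the cookie and the request falls through to the login form).
    `providers` is the list the remember-me service may consult; without
    `user_provider:` that is every provider of the firewall, in listener order."""
    try:
        cls, b64name, expires, digest = base64.b64decode(cookie).decode().split(":")
        username = base64.b64decode(b64name).decode()
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return None
    # First provider that supports the user class wins; both do here.
    provider = next((p for p in providers if p.supports_class(cls)), None)
    if provider is None:
        return None
    try:
        record = provider.load_user_by_username(username)
    except UserNotFound:
        return None  # the Facebook provider ends up here for a form-login user
    expected = cookie_hash(cls, username, expires, record["password"], key)
    if not hmac.compare_digest(expected, digest):
        return None  # wrong key, changed password, or tampered cookie
    if expires < now:
        return None
    return username


def forge_username(cookie, new_username):
    """Swap the username field without knowing the key (what an attacker can do)."""
    parts = base64.b64decode(cookie).decode().split(":")
    parts[1] = base64.b64encode(new_username.encode()).decode()
    return base64.b64encode(":".join(parts).encode()).decode()


if __name__ == "__main__":
    key, now = "aSecretKey", 1_700_000_000
    cookie = issue_cookie("alice", key, 604800, now)
    print(auto_login(cookie, [FacebookProvider(), UsernameProvider()], key, now + 5 * 3600))  # None
    print(auto_login(cookie, [UsernameProvider()], key, now + 5 * 3600))  # alice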

Related

How to configure public access web api in envoyproxy?

I am new to envoyproxy and I am getting a 'jwt is missing' error while trying to access the endpoint without providing an Authorization header.
How can I access the public API without the auth header,
i.e.
http://hostaddress/v1/fares/locations/location?searchTerm=ABC
The code below shows the existing clusters already added that use JWT auth.
http_filters:
- name: envoy.filters.http.grpc_http1_bridge
  typed_config: {}
- name: envoy.filters.http.cors
  typed_config: {}
- name: envoy.filters.http.jwt_authn
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.jwt_authn.v3.JwtAuthentication
    providers:
      identity_api:
        issuer: 'null'
        audiences:
        - apigw
        forward: true
        remote_jwks:
          http_uri:
            uri: http://abc.identity.api/.well-known/openid-configuration/jwks
            cluster: identity_api
            timeout: 1s
          cache_duration:
            seconds: 30
        from_headers:
        - name: Authorization
          value_prefix: "Bearer "
    rules:
    - match: { prefix: /v1/newhubs/ }
    - match: { prefix: / }
      requires:
        provider_name: identity_api
- name: envoy.filters.http.ext_authz
  typed_config:
    "@type": type.googleapis.com/envoy.extensions.filters.http.ext_authz.v3.ExtAuthz
    transport_api_version: V3
    grpc_service:
      envoy_grpc:
        cluster_name: permissions_api_grpc
      timeout: 3s
    with_request_body:
      max_request_bytes: 819200
      allow_partial_message: true
- name: envoy.filters.http.router
  typed_config: {}
Your jwt_authn matches all paths via the root-path rule match: { prefix: / }.
Remove the match: { prefix: / } entry to have your jwt_authn filter match only /v1/newhubs/.
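A way to check what a jwt_authn rule list will do before deploying it, as an added example that is not Envoy code and not part of the question or answer above: it reproduces the documented rule semantics (rules are tried in order and the first `match` wins; a matching rule without `requires` means no JWT is required; when no rule matches the filter does nothing) and evaluates the question's rule list, the answer's variant, and a variant with the public fares prefix listed ahead of the catch-all. The request paths and the third and fourth rule lists are constructed for the example.

```python
"""Model of how Envoy's jwt_authn filter picks a requirement rule.
Added example, not Envoy code; rule lists other than the question's and
the request paths are constructed."""
from typing import List, Optional


class Rule:
    """One entry of jwt_authn `rules`: a `match` on prefix or exact path, and
    the provider it `requires` (None = JWT not required)."""

    def __init__(self, prefix=None, path=None, requires=None):
        self.prefix, self.path, self.requires = prefix, path, requires

    def matches(self, request_path: str) -> bool:
        bare = request_path.split("?", 1)[0]  # exact-path match ignores the query string
        if self.prefix is not None:
            return request_path.startswith(self.prefix)
        return bare == self.path


def required_provider(rules: List[Rule], request_path: str) -> Optional[str]:
    """Provider the request must present a JWT for, or None if it may pass without one."""
    for rule in rules:
        if rule.matches(request_path):
            return rule.requires
    return None


def filter_response(rules, request_path, authorization: Optional[str]):
    """What the filter decides before any signature is checked: (status, message)."""
    provider = required_provider(rules, request_path)
    if provider is None:
        return 200, "ok"
    if not authorization or not authorization.startswith("Bearer "):
        return 401, "Jwt is missing"
    return 200, f"verify against {provider}"  # real Envoy now checks signature, issuer, audience


# The rule list from the question: /v1/newhubs/ is public, everything else needs identity_api.
ORIGINAL = [Rule(prefix="/v1/newhubs/"), Rule(prefix="/", requires="identity_api")]
# The answer's suggestion: only the newhubs rule is left.
CATCH_ALL_REMOVED = [Rule(prefix="/v1/newhubs/")]
# Constructed: public fares prefix added ahead of the catch-all, other paths stay protected.
FARES_PUBLIC = [
    Rule(prefix="/v1/fares/locations/"),
    Rule(prefix="/v1/newhubs/"),
    Rule(prefix="/", requires="identity_api"),
]
# Constructed: same rules in the wrong order, the catch-all shadows the public rule.
FARES_SHADOWED = [Rule(prefix="/", requires="identity_api"), Rule(prefix="/v1/fares/locations/")]

if __name__ == "__main__":
    fares = "/v1/fares/locations/location?searchTerm=ABC"
    for name, rules in [("original", ORIGINAL), ("catch-all removed", CATCH_ALL_REMOVED),
                        ("fares public", FARES_PUBLIC), ("shadowed", FARES_SHADOWED)]:
        print(name, filter_response(rules, fares, None), filter_response(rules, "/v1/orders/1", None))
```

Run it and the difference between the variants is visible: dropping the catch-all turns the JWT requirement off for every path, not just the fares endpoint, while adding a no-`requires` rule for the public prefix ahead of the catch-all keeps the rest of the API protected. Two things the model does not cover: the chain above also runs ext_authz after jwt_authn, so a path made public in jwt_authn still has to be allowed by the permissions service, and a public prefix needs to be as narrow as the endpoint actually is, since `prefix` matching also accepts any longer path beneath it.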

Serverless Framework - Configure Cognito User Pool to send emails through SES

I'm able to create a Cognito User Pool with Serverless Framework. Unfortunately, the email verification after a new user registers is being sent using Cognito's email delivery system which is quite limited. I know I can go into the console and change the option to use Amazon's SES instead but how do I do this in Serverless Framework?
service: cognito
provider:
  name: aws
  runtime: nodejs12.x
  region: us-west-2
  stage: prod
  memorySize: 128
  timeout: 5
  endpointType: regional
Resources:
  # Creates a role that allows Cognito to send SNS messages
  SNSRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Service:
                - "cognito-idp.amazonaws.com"
            Action:
              - "sts:AssumeRole"
      Policies:
        - PolicyName: "CognitoSNSPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action: "sns:publish"
                Resource: "*"
  # Creates a user pool in cognito for your app to auth against
  UserPool:
    Type: AWS::Cognito::UserPool
    DeletionPolicy: Retain
    Properties:
      UserPoolName: MyUserPool
      AutoVerifiedAttributes:
        - email
      Policies:
        PasswordPolicy:
          MinimumLength: 8
          RequireLowercase: true
          RequireNumbers: true
          RequireSymbols: false
          RequireUppercase: true
      UsernameAttributes:
        - email
  # Creates a User Pool Client to be used by the identity pool
  UserPoolClient:
    Type: "AWS::Cognito::UserPoolClient"
    Properties:
      ClientName: !Sub ${AuthName}-client
      GenerateSecret: false
      UserPoolId: !Ref UserPool
  # Creates a federated Identity pool
  IdentityPool:
    Type: "AWS::Cognito::IdentityPool"
    Properties:
      IdentityPoolName: !Sub ${AuthName}Identity
      AllowUnauthenticatedIdentities: true
      CognitoIdentityProviders:
        - ClientId: !Ref UserPoolClient
          ProviderName: !GetAtt UserPool.ProviderName
  # Create a role for unauthorized access to AWS resources. Very limited access. Only allows users in the previously created Identity Pool
  CognitoUnAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": unauthenticated
      Policies:
        - PolicyName: "CognitoUnauthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                  - "cognito-sync:*"
                Resource: "*"
  # Create a role for authorized access to AWS resources. Control what your user can access. This example only allows Lambda invocation
  # Only allows users in the previously created Identity Pool
  CognitoAuthorizedRole:
    Type: "AWS::IAM::Role"
    Properties:
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Effect: "Allow"
            Principal:
              Federated: "cognito-identity.amazonaws.com"
            Action:
              - "sts:AssumeRoleWithWebIdentity"
            Condition:
              StringEquals:
                "cognito-identity.amazonaws.com:aud": !Ref IdentityPool
              "ForAnyValue:StringLike":
                "cognito-identity.amazonaws.com:amr": authenticated
      Policies:
        - PolicyName: "CognitoAuthorizedPolicy"
          PolicyDocument:
            Version: "2012-10-17"
            Statement:
              - Effect: "Allow"
                Action:
                  - "mobileanalytics:PutEvents"
                  - "cognito-sync:*"
                  - "cognito-identity:*"
                Resource: "*"
              - Effect: "Allow"
                Action:
                  - "lambda:InvokeFunction"
                Resource: "*"
  # Assigns the roles to the Identity Pool
  IdentityPoolRoleMapping:
    Type: "AWS::Cognito::IdentityPoolRoleAttachment"
    Properties:
      IdentityPoolId: !Ref IdentityPool
      Roles:
        authenticated: !GetAtt CognitoAuthorizedRole.Arn
        unauthenticated: !GetAtt CognitoUnAuthorizedRole.Arn
Outputs:
  UserPoolId:
    Value: !Ref UserPool
    Export:
      Name: "UserPool::Id"
  UserPoolClientId:
    Value: !Ref UserPoolClient
    Export:
      Name: "UserPoolClient::Id"
  IdentityPoolId:
    Value: !Ref IdentityPool
    Export:
      Name: "IdentityPool::Id"
Use the EmailConfiguration property in your user pool.
UserPool:
  Type: AWS::Cognito::UserPool
  DeletionPolicy: Retain
  Properties:
    ...
    EmailConfiguration:
      EmailSendingAccount: DEVELOPER
      ReplyToEmailAddress: # email address
      SourceArn: # sourceARN to verified email address in SES
See the CloudFormation AWS::Cognito::UserPool documentation for more details.
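A small pre-deploy check for the EmailConfiguration block the answer points to, as an added example that is neither from the page nor from AWS. It works on the UserPool resource as a Python dict rather than on serverless.yml, the two sample resources are constructed (the first mirrors the question's UserPool, the second adds the answer's block with an assumed SES identity ARN), and the rules it enforces are the documented ones: EmailSendingAccount is COGNITO_DEFAULT or DEVELOPER, DEVELOPER needs a SourceArn, and that SourceArn is an SES identity ARN (arn:aws:ses:<region>:<account>:identity/<address or domain>). The region comparison only raises a finding for the operator to confirm, since which SES regions a given user pool may use is not something the check can know.

```python
"""Lint for the EmailConfiguration of an AWS::Cognito::UserPool resource.
Added example; sample resources and the SES identity ARN are constructed."""
import re
from typing import Dict, List

SES_IDENTITY_ARN = re.compile(
    r"^arn:aws:ses:(?P<region>[a-z0-9-]+):(?P<account>\d{12}):identity/(?P<identity>.+)$"
)


def lint_user_pool(resource: Dict, pool_region: str) -> List[str]:
    """Return findings for one AWS::Cognito::UserPool resource; empty means OK."""
    findings = []
    cfg = resource.get("Properties", {}).get("EmailConfiguration")
    if cfg is None:
        # Absent block: Cognito's own sender is used, with its daily message cap.
        return ["no EmailConfiguration: mail is sent by Cognito's default sender"]
    account = cfg.get("EmailSendingAccount", "COGNITO_DEFAULT")
    if account not in ("COGNITO_DEFAULT", "DEVELOPER"):
        findings.append(f"EmailSendingAccount must be COGNITO_DEFAULT or DEVELOPER, got {account!r}")
        return findings
    if account == "COGNITO_DEFAULT":
        return findings
    arn = cfg.get("SourceArn")
    if not arn:
        findings.append("DEVELOPER requires SourceArn of a verified SES identity")
        return findings
    m = SES_IDENTITY_ARN.match(arn)
    if m is None:
        findings.append(f"SourceArn {arn!r} is not an SES identity ARN")
    elif m["region"] != pool_region:
        findings.append(
            f"SourceArn is in {m['region']} but the pool is in {pool_region}; "
            "confirm Cognito accepts that pairing for this pool"
        )
    return findings


# Constructed: the UserPool from the question, without EmailConfiguration.
QUESTION_POOL = {
    "Type": "AWS::Cognito::UserPool",
    "Properties": {"UserPoolName": "MyUserPool", "AutoVerifiedAttributes": ["email"]},
}
# Constructed: the same pool with the answer's block and an assumed SES identity.
FIXED_POOL = {
    "Type": "AWS::Cognito::UserPool",
    "Properties": {
        "UserPoolName": "MyUserPool",
        "AutoVerifiedAttributes": ["email"],
        "EmailConfiguration": {
            "EmailSendingAccount": "DEVELOPER",
            "ReplyToEmailAddress": "support@example.com",
            "SourceArn": "arn:aws:ses:us-west-2:123456789012:identity/no-reply@example.com",
        },
    },
}

if __name__ == "__main__":
    print(lint_user_pool(QUESTION_POOL, "us-west-2"))
    print(lint_user_pool(FIXED_POOL, "us-west-2"))  # []
```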

What's wrong with my HWIOAUTHBUNDLE config?

I'm using Symfony 3.4 with FOSUserBundle; my Facebook button was working and then suddenly nothing, just a "No oauth code in the request" message.
Can someone tell me where my config is incorrect, or share a config that will work?
/config.yml
hwi_oauth:
    firewall_names: ["main"]
    fosub:
        username_iterations: 30
        properties:
            facebook: facebook_id
    resource_owners:
        facebook:
            type: facebook
            client_id: "1xxxxxxxxxxxxxxx3"
            client_secret: "exxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx6"
            scope: email
            infos_url: "https://graph.facebook.com/me?fields=id,email,gender,last_name,first_name,birthday,picture.type(square)"
            options:
                csrf: true
/routing.yml
hwi_oauth_redirect:
    resource: "@HWIOAuthBundle/Resources/config/routing/redirect.xml"
    prefix: /connect
hwi_oauth_connect:
    resource: "@HWIOAuthBundle/Resources/config/routing/connect.xml"
    prefix: /connect
hwi_oauth_login:
    resource: "@FOSUserBundle/Resources/config/routing/security.xml"
    prefix: /
facebook_login:
    path: /connect/check-facebook
/security.yml
security:
    #...
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            #...
            #HWIOAuthBundle
            oauth:
                login_path: /login
                failure_path: /login
                resource_owners:
                    facebook: "/connect/check-facebook"
/services.yml
services:
    app.fos_user.oauth_provider:
        # Change the class according to the location of the FOSUBUserProvider class
        class: EC\UserBundle\Entity\FOSUBUserProvider
        arguments: ['@fos_user.user_manager', {facebook: facebook_id}]

Error Symfony2 with hwiOAuthBundle: you have requested a non-existing service

I'm working on a project in Symfony2 and I need to let Facebook users log in to my application, so I installed HwiOAuthBundle, and when I run my app I get this error: You have requested a non-existent service "hwi_oauth.account.connector"
This is my configuration for the bundle:
config.yml:
hwi_oauth:
    firewall_name: main_hwi
    http_client:
        verify_peer: false
    connect:
        confirmation: true
    resource_owners:
        facebook:
            type: facebook
            client_id: "%oauth.facebook.id%"
            client_secret: "%oauth.facebook.secret%"
security.yml
security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        OC\UserBundle\Entity\User: sha512
    role_hierarchy:
        ROLE_ADMIN: [ROLE_AUTEUR, ROLE_MODERATEUR]
        ROLE_SUPER_ADMIN: [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        hwi:
            id: oc.oauth.user_provider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main_hwi:
            context: user
            pattern: /.*
            oauth:
                resource_owners:
                    facebook: /login/check-facebook
                login_path: /connect
                failure_path: /connect
                oauth_user_provider:
                    service: oc.oauth.user_provider
            logout: true
            anonymous: true
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: https }
routing.yml
hwi_oauth_connect:
    resource: "@HWIOAuthBundle/Resources/config/routing/connect.xml"
    prefix: /connect
hwi_oauth_redirect:
    resource: "@HWIOAuthBundle/Resources/config/routing/redirect.xml"
    prefix: /connect
hwi_oauth_login:
    resource: "@HWIOAuthBundle/Resources/config/routing/login.xml"
    prefix: /login
facebook_login:
    pattern: /login/check-facebook
oc_platform:
    resource: "@OCPlatformBundle/Resources/config/routing.yml"
    prefix: /platform
UserProvider.php
<?php

namespace OC\PlatformBundle\OAuth;

use HWI\Bundle\OAuthBundle\Security\Core\User\OAuthUserProvider as BaseOAuthUserProvider;

class UserProvider extends BaseOAuthUserProvider
{
}
I finally found 2 useful tutorials that solve this problem. Here are the links:
Symfony2 with HwiOAuthBundle Without FOSUserBundle
Symfony2 with HwiOAuthBundle With FOSUserBundle

Symfony2: Unable to find the controller for path "/login_check"

I use FOSUserBundle and FOSFacebookBundle together. I set them up following the official documentation:
FOSUserBundle and
FOSFacebookBundle
When I log in using the facebook button I see:
Unable to find the controller for path "/login_check". Maybe you forgot to add the matching route in your routing configuration?
404 Not Found - NotFoundHttpException
app/config/config.yml
imports:
    - { resource: parameters.yml }
    - { resource: security.yml }

framework:
    #esi: ~
    translator: { fallback: "%locale%" }
    secret: "%secret%"
    router:
        resource: "%kernel.root_dir%/config/routing.yml"
        strict_requirements: ~
    form: ~
    csrf_protection: ~
    validation: { enable_annotations: true }
    templating:
        engines: ['twig']
        #assets_version: SomeVersionScheme
    default_locale: "%locale%"
    trusted_hosts: ~
    trusted_proxies: ~
    session:
        # handler_id set to null will use default session handler from php.ini
        handler_id: ~
    fragments: ~
    http_method_override: true

# Twig Configuration
twig:
    debug: "%kernel.debug%"
    strict_variables: "%kernel.debug%"

# Assetic Configuration
assetic:
    debug: "%kernel.debug%"
    use_controller: false
    bundles: [ ]
    #java: /usr/bin/java
    filters:
        cssrewrite: ~
        #closure:
        #    jar: "%kernel.root_dir%/Resources/java/compiler.jar"
        #yui_css:
        #    jar: "%kernel.root_dir%/Resources/java/yuicompressor-2.4.7.jar"

# Doctrine Configuration
doctrine:
    dbal:
        driver: "%database_driver%"
        host: "%database_host%"
        port: "%database_port%"
        dbname: "%database_name%"
        user: "%database_user%"
        password: "%database_password%"
        charset: UTF8
        # if using pdo_sqlite as your database driver, add the path in parameters.yml
        # e.g. database_path: "%kernel.root_dir%/data/data.db3"
        # path: "%database_path%"

    orm:
        auto_generate_proxy_classes: "%kernel.debug%"
        auto_mapping: true

# Swiftmailer Configuration
swiftmailer:
    transport: "%mailer_transport%"
    host: "%mailer_host%"
    username: "%mailer_user%"
    password: "%mailer_password%"
    spool: { type: memory }

services:
    my.facebook.user:
        class: ISS\BlogBundle\Security\User\Provider\FacebookProvider
        arguments:
            facebook: "@fos_facebook.api"
            userManager: "@fos_user.user_manager"
            validator: "@validator"

# FOSUserBundle Configuration
fos_user:
    db_driver: orm
    firewall_name: main
    user_class: ISS\BlogBundle\Entity\User

# FOSFacebookBundle Configuration
fos_facebook:
    alias: facebook
    app_id: *myId*
    secret: *mySecret*
    cookie: true
    permissions: [email, user_birthday, user_location]
/app/config/security.yml
security:
    encoders:
        FOS\UserBundle\Model\UserInterface: sha512
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]
    providers:
        chain_provider:
            chain:
                providers: [fos_userbundle, my_fos_facebook_provider]
        fos_userbundle:
            id: fos_user.user_provider.username
        my_fos_facebook_provider:
            id: my.facebook.user
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            pattern: ^/
            switch_user: true
            form_login:
                provider: fos_userbundle
                csrf_provider: form.csrf_provider
            logout: true
            anonymous: true
        public:
            pattern: ^/.*
            fos_facebook:
                app_url: "http://apps.facebook.com/669439826427579/"
                server_url: "http://issart-company.loc/"
                login_path: /login
                check_path: /login_check
                default_target_path: /
                provider: my_fos_facebook_provider
            anonymous: true
    access_control:
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/admin/, roles: ROLE_ADMIN }
        - { path: ^/secured/.*, role: [IS_AUTHENTICATED_FULLY] } # This is the route secured with fos_facebook
        - { path: ^/.*, role: [IS_AUTHENTICATED_ANONYMOUSLY] }
        - { path: ^/facebook/, role: [ROLE_FACEBOOK] }
app/config/routing
iss_blog:
    resource: "@ISSBlogBundle/Resources/config/routing.yml"
    prefix: /
_security_check:
    pattern: /login_check
_security_logout:
    pattern: /logout
fos_facebook_channel:
    resource: "@FOSFacebookBundle/Resources/config/routing.xml"
fos_user_security:
    resource: "@FOSUserBundle/Resources/config/routing/security.xml"
fos_user_profile:
    resource: "@FOSUserBundle/Resources/config/routing/profile.xml"
    prefix: /profile
fos_user_register:
    resource: "@FOSUserBundle/Resources/config/routing/registration.xml"
    prefix: /register
fos_user_resetting:
    resource: "@FOSUserBundle/Resources/config/routing/resetting.xml"
    prefix: /resetting
fos_user_change_password:
    resource: "@FOSUserBundle/Resources/config/routing/change_password.xml"
    prefix: /profile
_facebook_secured:
    pattern: /secured/
    defaults: { _controller: ISSBlogBundle:Post:index }
In your app/config/routing you have the /login_check route without a controller assigned. You have to configure a controller like this:
_security_check:
    pattern: /login_check
    defaults: { _controller: ACMEBundle:Controller:action }
You can find more information at http://symfony.com/doc/current/book/routing.html
Now the routing system finds that route first, instead of the one configured in "@FOSUserBundle/Resources/config/routing/security.xml". If you want FOSUserBundle to handle the login process, you have to delete the _security_check and _security_logout routes.