api/config/packages/security.yaml
security:
encoders:
Symfony\Component\Security\Core\User\User:
algorithm: auto
App\App\Entity\App:
algorithm: auto
App\User\Entity\User:
algorithm: auto
# providers for authentication
providers:
# chain provider will try the other providers in sequence
# useful as many authentications systems exist : by app (frontend), by users (with mobile app), with a token...
chain_provider:
chain:
providers: [servers, users]
# providers: [jwt, servers, users]
# provider for apps authentication (eg. unlogged frontend)
servers:
entity:
class: 'App\App\Entity\App'
property: 'username'
# provider for users authentication (eg. logged frontend, mobile apps, admin)
users:
entity:
class: 'App\User\Entity\User'
property: 'email'
# provider for refresh token
refresh_token_user_provider:
id: App\User\Service\UserProvider
# provider for logged users or app (eg. with a valid token)
# /!\ this is the database-less provider, it avoids loading the user for each api call, so if you need the user information don't use this provider ! /!\
# /!\ the user is generally needed in every request because of permission management... /!\
# jwt:
# lexik_jwt: ~
# firewalls
firewalls:
# firewall for server to server authentication
login_server:
pattern: ^/auth
stateless: true
anonymous: true
provider: servers
json_login:
check_path: /auth
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
# firewall for users authentication with only validated token
login_user_token:
pattern: ^/login-token
provider: users
guard:
authenticators:
- App\Security\TokenAuthenticator
# firewall for users authentication with sso validated token
login_user_sso:
pattern: ^/login-sso
provider: users
guard:
authenticators:
- App\Security\SsoAuthenticator
# firewall for user to server delegated authentication
login_user_delegate:
pattern: ^/login-delegate
stateless: true
anonymous: true
provider: users
guard:
authenticators:
- App\Security\DelegateAuthenticator
# firewall for user to server authentication
login_user:
pattern: ^/login
stateless: true
anonymous: true
provider: users
json_login:
check_path: /login
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
# firewall for token refresh
refresh:
pattern: ^/token/refresh
stateless: true
anonymous: true
# firewall for documentation
doc:
pattern: ^/doc
stateless: true
anonymous: true
# firewall for R&D
rd:
pattern: ^/rd/
provider: chain_provider
stateless: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
# firewall for reverse geocoding
reverse:
pattern: ^/addresses/reverse
stateless: true
anonymous: true
# firewall for RDEX external requests
rdexExternalRequests:
pattern: ^/rdex/journeys
stateless: true
anonymous: true
# firewall for RDEX external requests of connections
rdexExternalRequestsConnections:
pattern: ^/rdex/connections
stateless: true
anonymous: true
# firewall for MangoPay external requests of payins
mangoPayInsHook:
pattern: ^/mango-payins
stateless: true
anonymous: true
# firewall for MangoPay external requests of KYC
mangoPayKycHook:
pattern: ^/mango-kyc
stateless: true
anonymous: true
# firewall for Campaign unsubscribe hook
campaignUnsubscribeHook:
pattern: ^/campaigns/unsubscribe
stateless: true
anonymous: true
# firewall for CarpoolStandard from external bookings
carpoolStandardFromExternalBooking:
pattern: ^/carpool_standard/from_external/bookings
stateless: true
anonymous: true
# firewall for RDEX external requests
monitorCheckProofs:
pattern: ^/monitor/check_proofs
stateless: true
anonymous: true
# firewall for dev (profiler)
dev:
pattern: ^/(_(profiler|wdt)|css|js)/
security: false
# firewall for any other route
main:
pattern: ^/
provider: chain_provider
stateless: true
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator
# Easy way to control access for large sections of your site
# Note: Only the *first* access control that matches will be used
access_control:
- { path: ^/doc, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/docs.json, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/rd/, roles: IS_AUTHENTICATED_FULLY }
- { path: ^/addresses/reverse, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/rdex/journeys, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/rdex/connections, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/token/refresh, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/mango-payins, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/mango-kyc, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/campaigns/unsubscribe, roles: IS_AUTHENTICATED_ANONYMOUSLY, methods: [POST] }
- { path: ^/carpool_standard/from_external/bookings, roles: IS_AUTHENTICATED_ANONYMOUSLY, methods: [POST, PUT] }
- { path: ^/monitor/check_proofs, roles: IS_AUTHENTICATED_ANONYMOUSLY, methods: [GET] }
- { path: ^/, roles: IS_AUTHENTICATED_FULLY }