Add JWT token auth (for the api calls)

4 years ago · c880d50952
parent 90f4b42ca8
commit c880d50952
8 changed files with 91 additions and 17 deletions
--- a/.env
+++ b/.env
@ -39,3 +39,9 @@ MAILER_DSN=sendmail://localhost
 ###> nelmio/cors-bundle ###
 CORS_ALLOW_ORIGIN=^https?://(localhost|127\.0\.0\.1)(:[0-9]+)?$
 ###< nelmio/cors-bundle ###
+
+###> lexik/jwt-authentication-bundle ###
+JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
+JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
+JWT_PASSPHRASE=your_secret_passphrase
+###< lexik/jwt-authentication-bundle ###
--- a/README.md
+++ b/README.md
@ -105,6 +105,31 @@ Libraries
 * PHPMailer replaced with Swift Mailer
 * bower replaced by [yarn](https://yarnpkg.com)

+## JWT Authentication
+
+* php bin/console lexik:jwt:generate-keypair
+* In Apache setup Bearer with:
+
+`SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1`
+
+Get the token:
+
+`curl -k -X POST -H "Content-Type: application/json" https://example.com/api/authentication_token -d '{"username":"admin","password":"admin"}'`
+
+The result should be the something like:
+
+{"token":"MyTokenABC"}
+
+Go to:
+
+https://example.com/api
+
+Click in "Authorize" and write
+
+Bearer MyTokenABC
+
+Then you can make queries using the JWT token.
+
 ## Todo

 See https://github.com/chamilo/chamilo-lms/projects/3
--- a/composer.json
+++ b/composer.json
@ -87,6 +87,7 @@
        "laminas/laminas-permissions-acl": "~2.8",
        "league/csv": "^9.1",
        "league/glide-symfony": "dev-master",
+        "lexik/jwt-authentication-bundle": "^2.11",
        "maennchen/zipstream-php": "^2.0",
        "masterminds/html5": "^2.0",
        "michelf/php-markdown": "~1.8",
--- a/config/bundles.php
+++ b/config/bundles.php
@ -34,4 +34,5 @@ return [
    FOS\CKEditorBundle\FOSCKEditorBundle::class => ['all' => true],
    Stof\DoctrineExtensionsBundle\StofDoctrineExtensionsBundle::class => ['all' => true],
    Knp\DoctrineBehaviors\DoctrineBehaviorsBundle::class => ['all' => true],
+    Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle::class => ['all' => true],
 ];
--- a/config/packages/api_platform.yaml
+++ b/config/packages/api_platform.yaml
@ -7,6 +7,10 @@ api_platform:
        json: ['application/merge-patch+json']
    swagger:
        versions: [3]
+        api_keys:
+            apiKey:
+                name: Authorization
+                type: header
    formats:
        jsonld:
            mime_types: ['application/ld+json']
@ -19,7 +23,18 @@ api_platform:
    collection:
        pagination:
            items_per_page_parameter_name: itemsPerPage # Default value
+    http_cache:
+        invalidation:
+            enabled: true
+    enable_docs: true
+    enable_entrypoint: true
+    show_webby: false
    defaults:
        pagination_client_items_per_page: true
+        cache_headers:
+            # Automatically generate etags for API responses.
+            etag: true
+            # Default value for the response max age.
+            max_age: 0
 #    mercure:
 #        hub_url: '%env(MERCURE_SUBSCRIBE_URL)%'
--- a/config/packages/lexik_jwt_authentication.yaml
+++ b/config/packages/lexik_jwt_authentication.yaml
@ -0,0 +1,5 @@
+lexik_jwt_authentication:
+    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
+    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
+    pass_phrase: '%env(JWT_PASSPHRASE)%'
+    token_ttl: 3600
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@ -8,17 +8,10 @@ security:

    # http://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
-        users:
+        app_user_provider:
            entity:
                class: Chamilo\CoreBundle\Entity\User
                property: 'username'
-
-    access_control:
-        - {path: ^/administrator, role: ROLE_ADMIN}
-        - {path: ^/efconnect, role: ROLE_USER}
-        - {path: ^/elfinder, role: ROLE_USER}
-        - {path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY}
-
    role_hierarchy:
        ROLE_ADMIN:
            - ROLE_SUPER_ADMIN
@ -54,23 +47,38 @@ security:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
            anonymous: true
+        # Use to connect via a JWT token
+        api:
+            pattern: ^/api
+            stateless: true
+            anonymous: true
+            provider: app_user_provider
+            json_login:
+                check_path: /api/authentication_token
+                #                username_path: email
+                #                password_path: password
+                success_handler: lexik_jwt_authentication.handler.authentication_success
+                failure_handler: lexik_jwt_authentication.handler.authentication_failure
+            guard:
+                authenticators:
+                    - lexik_jwt_authentication.jwt_token_authenticator
+        # Default login via json
        admin:
            pattern: ^/
            context: admin
            anonymous: true
-            form_login:
-                csrf_token_generator: security.csrf.token_manager
-                login_path: /login
-                use_forward: false
-                check_path: /login
-                failure_path: null
+#            form_login:
+#                csrf_token_generator: security.csrf.token_manager
+#                login_path: /login
+#                use_forward: false
+#                check_path: /login
+#                failure_path: null
            guard:
                authenticators:
                    - Chamilo\CoreBundle\Security\LoginFormAuthenticator
                    - Chamilo\CoreBundle\Security\TokenAuthenticator

            entry_point: Chamilo\CoreBundle\Security\AuthenticationEntryPoint
-
            remember_me:
                secret: '%secret%'
                lifetime: 604800 # 1 week in seconds
@ -82,5 +90,14 @@ security:
 #            access_denied_handler: Chamilo\CoreBundle\Security\AccessDeniedHandler
            json_login:
                check_path: /login_json
-#                username_path: security.credentials.login
-#                password_path: security.credentials.password
+                # username_path: security.credentials.login
+                # password_path: security.credentials.password
+
+
+
+    access_control:
+        #        - {path: ^/administrator, role: ROLE_ADMIN}
+        #        - {path: ^/efconnect, role: ROLE_USER}
+        #        - {path: ^/elfinder, role: ROLE_USER}
+        - {path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY}
+        - {path: ^/api/authentication_token, roles: IS_AUTHENTICATED_ANONYMOUSLY}
--- a/config/routes.yaml
+++ b/config/routes.yaml
@ -4,6 +4,10 @@ login_check:
 logout:
    path: /logout

+authentication_token:
+    path: /api/authentication_token
+    methods: ['POST']
+
 legacy_main:
    path: /main/{name}
    defaults: {_controller: 'ChamiloCoreBundle:Legacy:classic'}