Movatterモバイル変換

[0]ホーム
URL:

Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly

 Sign up
Appearance settings

[Security] Rewrite Security documentation#15503

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.

Already on GitHub?Sign in to your account

Merged
wouterj merged 4 commits intosymfony:5.3fromwouterj:security-53
Oct 12, 2021

Conversation

@wouterj
Copy link
Member

@wouterjwouterj commentedJul 11, 2021
edited
Loading

This is still very WIP, but I wanted to get it out here to receive the first set of global feedback (I haven't re-read anything, so no need to comment on typos, wrong sentences or grammar yet).

Of course, the main goal of this rewrite is to document the new authenticator system and remove anything about guards, authentication providers, etc. Besides that, I've focused on 3 other things:

  1. Give the user something that's working as quick as possible. This means using lots of makers and showing real code examples. I've discussed with Ryan and Jesse and we'll also extend the security makers to make even more docs redundant (I'm jealous at Laravel, which basically replaced all its authentication docs with "runjetstream:install").
  2. Move as much information to the main guide as possible (following our doc practices of the last years). This means e.g. documenting all user providers and authenticators in the main guide. The subguides should be clearly scoped and about advanced/reference documentation (most of the subguides are yet to be worked on)
  3. Focus on the built-in authenticators, rather than implementing your own authenticator. We've pushed writing your own guard in the docs way to much for my liking. E.g. for 90% of the use-cases, using the built-inform_login authenticator works perfectly. This will also be updated in the maker (wheremake:auth is not only going to suggest making a PHP authenticator) sometime in the future.

For the structure, I decided to follow the security config generated by the recipe/maker and explain section per section.

@carsonbotcarsonbot changed the title[WIP][Security] Rewrite Security documentation[Security] [WIP] Rewrite Security documentationJul 11, 2021
@wouterj
Copy link
MemberAuthor

I also started experimenting with a way to integrate code generated by the maker commands in the docs using aconfiguration-block:

..configuration-block::    ..code-block::terminal-maker        $ php bin/console make:...         ...    ..code-block::php        // ...

Let me know what you think about this (not sure if we need a custom label or justterminal btw).

Copy link
Member

@javiereguiluzjaviereguiluz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

This looks super promising 🤩 Thanks Wouter!

You said to not comment yet on typos, grammar, etc. so I won't make many comments for now. The overall structure looks nice. Good job!

wouterj reacted with heart emoji
Copy link
Member

@weaverryanweaverryan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I like this a lot. The flow of the security.rst feels smooth: you highlight the big 3 pieces at the top (based on the 3 main keys in security.yaml) and then go through each one. Some parts are long - like showing all the different authentication types - but it's important enough that I like it: it allows me to search easily through the page. I did spot some typos etc, that I didn't comment on yet - as I know this is WIP. Keep going with this direction!

wouterj reacted with heart emoji
.. caution::
This login form is currently not protected against CSRF attacks. Read
:ref:`form_login-csrf` on how to protect your login form.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

The fact that we have the user write so much code, and you still aren't protected against CSRF attacks makes me think that it's time to update MakerBundle so that you can generate a login form withform_login (and sure, we would probably also keep some "Custom Login Form Authenticator" option to generate the authenticator).

javiereguiluz reacted with thumbs up emoji
@fmonts
Copy link

Hello, any news on this? we're stuck with an EOL version (5.2) since we don't have docs for 5.3 :( (and a straight upgrade to 5.3 broke some features)

Copy link
Member

@javiereguiluzjaviereguiluz left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Wouter, this is a truly impressive work. The new main Security article is fantastic and it explains, in a single place, all the basics you need to know to secure your application.

Even if side-articles such as passwords, etc. are TODO/WIP, I think this is mergeable ... and we should probably do that and iterate later to improve/finish things.

A big thank you from me 🙇

wouterj reacted with heart emoji
:class: screencast
Symfony provides many tools to secure your application. Some HTTP-related
security tools, like :doc:`secure session cookies </session>` and
:doc:`CSRF protection </security/csrf>` are provided by default. The
Copy link
Member

@javiereguiluzjaviereguiluzOct 7, 2021
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I don't understand this well --> "are provided by default"

All provided features are provided "by default". Do you mean that they are enabled by default? Or maybe that you can use them without installing any packages?

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

I've seen several support questions and issue discussions about FrameworkBundle vs SecurityBundle. Some people think that everything related to security (e.g. CSRF) are in the SecurityBundle, whereas they actually live in the FrameworkBundle.

So I wanted to somehow remove some confusion by shortly saying "if you don't need authentication/authorization, you don't need to install the SecurityBundle" (FrameworkBundle is what I call "by default").

If you have any suggestions on how to better word this, please share them :)

security.rst Outdated
2a) Create your User Class
--------------------------
/**
* A visual identifier that represents this user.
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

A visual identifier that represents this user

-->

The public representation of the user (e.g. a username, an email, etc.)

wouterj reacted with thumbs up emoji
Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Updated, but left this unresolved as we should update this in MakerBundle also

@wouterjwouterjforce-pushed thesecurity-53 branch 2 times, most recently fromc2b03f0 tob81babfCompareOctober 7, 2021 17:21
@javiereguiluzjaviereguiluz mentioned this pull requestOct 8, 2021
21 tasks
@wouterjwouterj changed the title[Security] [WIP] Rewrite Security documentation[Security] Rewrite Security documentationOct 10, 2021
Copy link
Member

@weaverryanweaverryan left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Thank you for this Wouter! I think it's great - my comments were very minor - I enjoyed re-reading the security docs from scratch!

on special ``remember_me`` configuration. Read
:doc:`/security/remember_me` for more information.

:class:`Symfony\\Component\\Security\\Http\\Authenticator\\Passport\\Badge\\PasswordUpgradeBadge`
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Above, for the RememberMeBadge, we could also mention that, in 5.3, you can enforce the remember me system from being activated via the method on the badge.

Also, over inremember_me.rst, we should probably mention somewhere that, if you're using a custom authenticator, then you need to attach theRememberMeBadge.

Copy link
MemberAuthor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others.Learn more.

Yes, I've kept the remember me refactoring out of this PR. Let's do that in a follow up one (and rewriteremember_me.rst - which I haven't touched here)

Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment

Reviewers

@javiereguiluzjaviereguiluzjaviereguiluz approved these changes

@weaverryanweaverryanweaverryan left review comments

Assignees

No one assigned

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@wouterj@fmonts@javiereguiluz@weaverryan@carsonbot
[8]ページ先頭
©2009-2025 Movatter.jp