
I'm currently developing a new set of RESTful APIs on Symfony 2.1, and they are for the moment under no firewall in my security.yml:

    api:
        pattern: ^/api
        security: false

I have a RequestListener that "protects" them by checking whether users give an auth token or use Basic Auth. After a correct login, we populate the security context with the user. (Maybe we could even make a firewall out of that using a Factory?)

This works perfectly for external devs / organisations who want to use our API in their apps.

Now, I'd like us to rely on these same APIs inside our project (controllers, AJAX calls...), and I was wondering whether we have to implement the API get-token or Basic Auth process ourselves to populate the security context of the API, or if they could, in one way or another, magically retrieve the current security context of the main firewall. (It would save me the embarrassment of getting a token, saving it somewhere and passing it through my Backbone.js AJAX calls all the way in my views.)

Thanks for your thoughts on that! :)

j0k
guillaumepotier

1 Answer

First of all, for basic auth, you could rely on the http_basic authentication provider, provided by Symfony2. No need to use a request listener. If you want to use a token-based authentication, write a Token authentication provider.

Security contexts are separated, and you can't interact with another context. They are completely partitioned. However, you can add as many authentication providers as you want.

Using Backbone.js, you can keep the token-based strategy. For instance, pass the token to Backbone using an HTML attribute:

<body data-token="xxxx">
    ...
</body>

Then, just use it in your JavaScript app:

$.ajaxSetup({
    headers: {
        'token': $('body').data('token')
    }
});

See the $.ajaxSetup doc for more information.

William Durand
  • Thanks for http_basic, I ignored that and re-implemented basic auth for my APIs... Regarding the Token authentication provider, this is just a disguised listener, no? I thought about something for my problem yesterday: couldn't I define two routes for each API action, one under the API firewall with its token, and the second one under my main Sf2 firewall? What are the risks, advantages, thoughts about that? – guillaumepotier Aug 16 '12 at 12:07
  • Duplicating configuration will lead to issues at some point. Having a "super" token for your main app is probably the safest solution. – William Durand Aug 16 '12 at 12:15
  • An authentication provider is part of the Security layer, a listener isn't. – William Durand Aug 16 '12 at 12:15
  • So, you recommend having my user logged in once under the main firewall in the controllers / views and logged in twice when my Backbone app calls my API, even if they could maybe benefit from the same firewall? – guillaumepotier Aug 16 '12 at 17:02
  • OK, got it. So, you can authenticate the user through the Backbone app (with a form for instance), and then pass a token to the Backbone app through HTML. Then use the second part of my answer to send the token on each request. You will have to write a request listener to verify this token. The token is generated using the "form.csrf_provider" service (see CsrfProviderInterface). – William Durand Aug 16 '12 at 17:09
  • It seems that my question is a duplicate of this one: http://stackoverflow.com/questions/9075041/authenticate-multiple-symfony2-firewalls-with-one-login-form – guillaumepotier Aug 17 '12 at 19:56
  • That's quite useless. Just use one firewall. – William Durand Aug 17 '12 at 20:57
  • But would you recommend using only the main firewall and adding a layer of authentication with my Listener for the token of my stateless APIs? – guillaumepotier Aug 17 '12 at 20:59
  • Don't bother anymore; after some tests and reflection, I'll definitely adopt your solution, keeping these two firewalls distinct and the API fully stateless. Thanks – guillaumepotier Aug 18 '12 at 10:19