Implement traditional auth system in Symfony with less code than ever
Goran Hrženjak
Posted on September 6, 2021
PHP 8 introduced some new concepts and really helpful syntax features.
To significantly reduce the boilerplate code, whenever possible, we can use Constructor property promotion. Another thing I'll focus on in this guide is replacing annotations with PHP attributes. This will also reduce the number of lines of code in our classes every now and then.
As of version 2.9, Doctrine supports using PHP 8 Attributes as a new driver for mapping entities.
Not only will we need fewer lines of code than ever for this project, but also we will need to write less of that code ourselves than ever. I’m emphasizing this because we’ll heavily rely on the Maker bundle which will generate the majority of files and actual app logic for the project.
At the time of writing this post, Maker bundle still didn’t fully adopt all new PHP possibilities and some adjustments will be done manually.
The goal of the app is to provide a basic traditional authentication system with registration and login features and email verification.
App will have 3 sections: public section accessible by everyone, profile section available to all logged in users, and content section available only to verified users.
Account verification will be done by simply clicking a link in the verification email.
Create a new project:
composer create-project symfony/website-skeleton my_new_app
(or use Symfony CLI). I’m using Symfony 5.3.7.
Make sure to update required PHP version in composer.json
:
{
"require": {
- "php": ">=7.2.5",
+ "php": "^8.0",
}
}
Update Doctrine configuration - use attributes instead of annotations! Without this, generation migrations will not work.
config/packages/doctrine.yaml
doctrine:
orm:
mappings:
App:
- type: annotation
+ type: attribute
Now let's make initial User
entity:
php bin/console make:user
Answer [yes]
or select defaults for all questions in the wizard.
This should create src/Entity/User.php
and src/Repository/UserRepository.php
and update config/packages/security.yaml
files.
Symfony Maker bundle still doesn’t support attributes, but generated entities will still save us a lot of time. We can replace annotations with attributes ourselves.
Use attributes and property types to reduce the amount of code.
src/Entity/User.php
- /**
- * @ORM\Entity(repositoryClass=UserRepository::class)
- */
+ #[ORM\Entity(repositoryClass: UserRepository::class)]
class User implements UserInterface, PasswordAuthenticatedUserInterface
{
- /**
- * @ORM\Id
- * @ORM\GeneratedValue
- * @ORM\Column(type="integer")
- */
- private $id;
+ #[ORM\Id, ORM\GeneratedValue, ORM\Column]
+ private int $id;
- /**
- * @ORM\Column(type="string", length=180, unique=true)
- */
- private $email;
+ #[ORM\Column(length: 180, unique: true)]
+ private string $email;
- /**
- * @ORM\Column(type="json")
- */
+ #[ORM\Column(type: 'json)]
private $roles = [];
- /**
- * @var string The hashed password
- * @ORM\Column(type="string")
- */
- private $password;
+ #[ORM\Column]
+ private string $password;
}
Make migration and execute it.
php bin/console make:migration
php bin/console doctrine:migration:migrate
Generate simple controllers: PublicController
, ProfileController
, ContentController
. This will add routes /public
, /profile
and /content
. You can do this with Maker as well:
php bin/console make:controller
Rename route names for consistency by prefixing them with: app_
.
All 3 routes should be available to anyone at this stage.
Add role hierarchy and access rules to config/packages/security.yaml
to achieve what's explained above:
security:
+ role_hierarchy:
+ ROLE_VERIFIED_USER: [ ROLE_USER ]
access_control:
+ - { path: ^/content, roles: ROLE_VERIFIED_USER }
+ - { path: ^/profile, roles: ROLE_USER }
Now you should be getting 401 Unauthorized error if you try to access /profile
or /content
.
Make the login authentication:
php bin/console make:auth
Select [1] Login form authenticator
, call it LoginFormAuthenticator
, confirm the controller name: SecurityController
and accept adding the logout route.
This will update the config/packages/security.yaml
file by adding a logout route and create authenticator, controller and login form files.
First of all, in login form Twig template, replace deprecated user.username
with user.userIdentifier
.
- You are logged in as {{ app.user.username }}, <a href="{{ path('app_logout') }}">Logout</a>
+ You are logged in as {{ app.user.userIdentifier }}, <a href="{{ path('app_logout') }}">Logout</a>
In src/Controller/SecurityController.php
we can replace routes defined by annotations with those defined by attributes.
class SecurityController extends AbstractController
{
- /**
- * @Route("/login", name="app_login")
- */
+ #[Route('/login', name: 'app_login')]
public function login(AuthenticationUtils $authenticationUtils): Response
- /**
- * @Route("/logout", name="app_logout")
- */
+ #[Route('/logout', name: 'app_logout')]
public function logout()
}
Thanks to constructor property promotion in PHP 8, we can rewrite the constructor in src/Security/LoginFormAuthenticator.php
. While at it, add proper response in onAuthenticationSuccess
method:
after successful login, redirect to app_profile
route.
class LoginFormAuthenticator extends AbstractLoginFormAuthenticator
{
- private UrlGeneratorInterface $urlGenerator;
-
- public function __construct(UrlGeneratorInterface $urlGenerator)
- {
- $this->urlGenerator = $urlGenerator;
- }
+ public function __construct(private UrlGeneratorInterface $urlGenerator)
+ {
+ }
public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
{
- throw new \Exception('TODO: provide a valid redirect inside '.__FILE__);
+ return new RedirectResponse($this->urlGenerator->generate('app_profile'));
}
}
Note: If you're using a Symfony plugin in your code editor and it's complaining it can't find the route with the given name, make sure you've prefixed those routes in controllers as suggested above.
Notice how slim this authenticator became in comparison to what it used to look in older versions of Symfony.
Let’s implement registration logic.
Should we write all of this ourselves? Nope. Maker bundle to the rescue again.
First of all, let’s require another bundle, one for handling email verification logic:
composer require symfonycasts/verify-email-bundle
After that, use:
php bin/console make:registration-form
Select defaults except the one for including user ID in the link - answer yes
on that prompt; and select app_profile
as a route to redirect to after registration.
It's possible that Maker will warn you no Guard authenticators were found and users won't be automatically authenticated after registering. Ignore this for now, we'll implement a solution for this at the end.
The command will change User
entity and create confirmation email and registration form Twig templates as well as create a RegistrationController
, RegistrationFormType
and EmailVerifier
helper.
Update src/Entity/User.php
first:
- /**
- * @UniqueEntity(fields={"email"}, message="There is already an account with this email")
- */
+ #[UniqueEntity(fields: ['email'], message: 'There is already an account with this email')]
class User implements UserInterface, PasswordAuthenticatedUserInterface
{
- /**
- * @ORM\Column(type="boolean")
- */
- private $isVerified = false;
+ #[ORM\Column(options: ['default' => false])]
+ private bool $isVerified = false;
}
Generate a migration for adding this new flag and execute it.
php bin/console make:migration
php bin/console doctrine:migration:migrate
Symfony recommends putting as little logic as possible in controllers. That’s why complex forms will be moved to dedicated classes instead of defining them in controller actions. Maker did that for us.
There are few things to change in RegistrationController
- use constructor property promotion and replace deprecated UserPasswordEncoderInterface
with UserPasswordHasherInterface
.
At the end of the verification process, redirect to the content page.
+ use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
- use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
class RegistrationController extends AbstractController
{
- private $emailVerifier;
-
- public function __construct(EmailVerifier $emailVerifier)
- {
- $this->emailVerifier = $emailVerifier;
- }
+ public function __construct(private EmailVerifier $emailVerifier)
+ {
+ }
- public function register(Request $request, UserPasswordEncoderInterface $passwordEncoder): Response
+ public function register(Request $request, UserPasswordHasherInterface $passwordHasher): Response
{
$user->setPassword(
- $passwordEncoder->encodePassword(
- $user,
- $form->get('plainPassword')->getData()
- )
+ $passwordHasher->hashPassword($user, $form->get('plainPassword')->getData())
);
}
public function verifyUserEmail(Request $request, UserRepository $userRepository): Response
{
- return $this->redirectToRoute('app_register');
+ return $this->redirectToRoute('app_content');
}
}
We want to shorten that constructor in the EmailVerifier class and also add proper user roles after email verification:
class EmailVerifier
{
- private $verifyEmailHelper;
- private $mailer;
- private $entityManager;
-
- public function __construct(VerifyEmailHelperInterface $helper, MailerInterface $mailer, EntityManagerInterface $manager)
- {
- $this->verifyEmailHelper = $helper;
- $this->mailer = $mailer;
- $this->entityManager = $manager;
- }
+ public function __construct(
+ private VerifyEmailHelperInterface $verifyEmailHelper,
+ private MailerInterface $mailer,
+ private EntityManagerInterface $entityManager
+ ) {
+ }
public function handleEmailConfirmation(Request $request, UserInterface $user): void
{
$user->setIsVerified(true);
+ $user->setRoles(['ROLE_VERIFIED_USER']);
}
}
In later versions of Maker bundle where dependency to Guards will be dropped, this might be resolved, but for now we have to implement logging user in after registration manually.
Not a huge deal really. Just inject the UserAuthenticatorInterface
and our authenticator in the register
method and authenticate the user before returning the redirect response.
+ use App\Security\LoginFormAuthenticator;
+ use Symfony\Component\Security\Http\Authentication\UserAuthenticatorInterface;
class RegistrationController extends AbstractController
{
- public function register(Request $request, UserPasswordHasherInterface $passwordHasher): Response
- {
+ public function register(
+ Request $request,
+ UserPasswordHasherInterface $passwordHasher,
+ UserAuthenticatorInterface $authenticator,
+ LoginFormAuthenticator $formAuthenticator
+ ): Response {
if ($form->isSubmitted() && $form->isValid()) {
// ...
+ $authenticator->authenticateUser($user, $formAuthenticator, $request);
return $this->redirectToRoute('app_profile');
}
}
That's basically it for the scope of this guide 🤓
Try accessing /profile
or /content
route. You should be redirected to the login page. If you still haven't, it's time to register as a new user.
Go to /register
and enter the desired email and password. You should be logged in automatically and redirected to /profile
. Accessing /content
is still not possible.
You should have received a verification email. For this to work out of the box, you only need to set up the MAILER_DSN
environmental variable according to your mailing server.
After clicking the confirmation link, flag is_verified
will be set, user role ROLE_VERIFIED_USER
added and you'll be able to access /content
.
You can render flash messages or add password reset feature (by including another great bundle: symfonycasts/reset-password-bundle
) or maybe implement social logins as the next step.
Let me know in the comments if code snippets with diffs weren't clear enough or if you have any other questions.
Posted on September 6, 2021
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
September 6, 2021