I'm learning Symfony and I'm building an app based on the YouTube API and Google OAuth 2.0.
I'm using annotation routes to make a simple user interface and login system. Here are all my routes:
/
/auth (redirect to Google auth server)
/auth/response (Get the Google auth code)
/user (users settings, stored via Doctrine ORM)
/update (ajax call url to update users settings)
/insert (making some Youtube API requests, will be used in a Cron task)
So my problem is that I don't want users to access certain routes because they shouldn't know those routes exist, especially for the "/insert" path.
I already set conditions for the /update path like this:
/**
 * @Route("/update", name="update", condition="request.isXmlHttpRequest()")
 */
The user gets a 404 error and that's perfect.
Now, how can I make something similar for my other problematic routes? Or maybe I'm absolutely doing it wrong, please tell me!
If you want to apply some restriction policies, you need to use the security config (the firewalls section in your case).
Documentation here: https://symfony.com/doc/current/reference/configuration/security.html
And 404 is the wrong answer, the 401 would be right.
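As an added example (not code from the question or the answer above), here is what the security configuration the answer points to would look like for the routes listed in the question, written in Symfony's PHP configuration DSL (config/packages/security.php, Symfony 4.4 syntax). The provider name, the User entity and its `email` property, and the `ROLE_NO_ACCESS` placeholder role are assumptions; the Google OAuth authenticator itself is out of scope and omitted.

```php
<?php
// config/packages/security.php (added example, Symfony 4.4 PHP config DSL)
use Symfony\Component\DependencyInjection\Loader\Configurator\ContainerConfigurator;

return static function (ContainerConfigurator $container): void {
    $container->extension('security', [
        'providers' => [
            // Assumption: users are Doctrine entities identified by their e-mail address.
            'app_users' => ['entity' => ['class' => 'App\Entity\User', 'property' => 'email']],
        ],
        'firewalls' => [
            'dev' => ['pattern' => '^/(_(profiler|wdt)|css|images|js)/', 'security' => false],
            'main' => [
                // Anonymous access stays on so that / and /auth can start the OAuth flow;
                // the guard/custom authenticator handling /auth/response is omitted here.
                'anonymous' => true,
                'provider' => 'app_users',
            ],
        ],
        // access_control rules are evaluated top to bottom; the first matching rule wins.
        'access_control' => [
            // /insert is only ever called by the cron job on this host: allow it from the
            // loopback addresses, then deny it to everyone else with a role nobody holds.
            ['path' => '^/insert', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY', 'ips' => ['127.0.0.1', '::1']],
            ['path' => '^/insert', 'roles' => 'ROLE_NO_ACCESS'],
            // Settings pages need a logged-in user. An anonymous visitor is sent to the
            // firewall's entry point (login / 401), which is what the answer recommends
            // instead of a 404; a logged-in user without the role gets a 403.
            ['path' => '^/(user|update)', 'roles' => 'ROLE_USER'],
            // Everything else (/, /auth, /auth/response) remains public.
            ['path' => '^/', 'roles' => 'IS_AUTHENTICATED_ANONYMOUSLY'],
        ],
    ]);
};
```

The `condition="request.isXmlHttpRequest()"` trick from the question only hides the route from a plain browser visit; the `X-Requested-With` header is trivially set by any client, so it is not an authorization check. Putting the decision in `access_control` (or `denyAccessUnlessGranted()` in the controller) ties it to the authenticated user or, for the cron-only path, to the source address.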
I have 2 App Engine services named default and wordpress, and I dispatched routes. When I go to appspot.com/wordpress it works, but the other links look like appspot.com/category instead of appspot.com/wordpress/category.
How can I configure WordPress source files or files of WordPress to solve my problem?
You should be able to achieve this by configuring your dispatch.yaml file.
As it is stated in the official documentation:
You can use wildcard mappings with services in App Engine by using the dispatch.yaml file to define request routing to specific services.
Here you can find a good example of wildcard usage for achieving your purpose. In case you have difficulties implementing it you can share your dispatch.yaml file and I will check it out.
EDIT:
In case you want to use more than 20 URL routing rules, there is already a feature request created for this. A way you can manage your routing without exceeding the limit would be to create more backend services, rather than a monolithic application, and route the requests directly to them using their full target address through your frontend default service. Splitting the architecture would be a good idea in case you need to "trick" the 20-URL quota somehow.
I'm using form authentication in a Symfony full-stack application.
When a path is only accessible for registered users, the firewall will prompt for credentials and redirect to the originally requested URL afterwards (default behaviour).
In my application users can configure their preferred language in the profile. After login, the user should be redirected to the original URL, but in the preferred language. So ideally I'd like to modify the target path on authentication success so that the same route as the original request is used, but potentially in another language.
I already built an event listener listening on security.interactive_login, but there I can only build static paths as no route information is available.
Also it is not possible to save the original route when the firewall redirects to the login page, as the firewall is called before routing. So I think it's not possible to retrieve the route - or did I miss anything?
I can think of hacky solutions, but maybe someone can help with a better idea - thanks!
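One way to recover the route from the stored target URL, as an added example that is not part of the question above: the firewall saves a URL rather than a route, but the router can match that URL's path back to a route name and its parameters, after which the same route is regenerated with the user's locale. The class name, the `getLocale()` accessor on the User entity and the use of Symfony 4.4/5.x APIs (`DefaultAuthenticationSuccessHandler::determineTargetUrl()`, `Symfony\Component\Security\Core\Security`) are assumptions.

```php
<?php
// src/Security/LocaleAwareSuccessHandler.php (added example; class name and getLocale() are hypothetical)
namespace App\Security;

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Exception\ExceptionInterface as RoutingException;
use Symfony\Component\Routing\RouterInterface;
use Symfony\Component\Security\Core\Security;
use Symfony\Component\Security\Http\Authentication\DefaultAuthenticationSuccessHandler;
use Symfony\Component\Security\Http\HttpUtils;

class LocaleAwareSuccessHandler extends DefaultAuthenticationSuccessHandler
{
    private RouterInterface $router;
    private Security $security;

    public function __construct(HttpUtils $httpUtils, RouterInterface $router, Security $security, array $options = [])
    {
        parent::__construct($httpUtils, $options);
        $this->router = $router;
        $this->security = $security;
    }

    protected function determineTargetUrl(Request $request): string
    {
        // The parent resolves _target_path, the session target path or default_target_path,
        // so the usual "redirect back to what you asked for" behaviour is kept.
        $target = parent::determineTargetUrl($request);

        $user = $this->security->getUser();
        // Assumption: the User entity exposes the preferred language as getLocale().
        if ($user === null || !method_exists($user, 'getLocale')) {
            return $target;
        }

        // Match the stored URL's path to recover the route name and its parameters.
        $path = parse_url($target, PHP_URL_PATH) ?: '/';
        try {
            $attributes = $this->router->match($path);
        } catch (RoutingException $e) {
            return $target; // not a routable path (static file, external URL): leave it alone
        }

        // Only rewrite routes that actually carry a {_locale} placeholder.
        if (!isset($attributes['_locale'], $attributes['_route'])) {
            return $target;
        }

        $route = $attributes['_route'];
        unset($attributes['_route'], $attributes['_controller']);
        $attributes['_locale'] = $user->getLocale();

        // Regenerating through the router (instead of string-replacing the URL) means the
        // result is always one of the application's own routes, so no open redirect is added.
        $url = $this->router->generate($route, $attributes);
        $query = parse_url($target, PHP_URL_QUERY);

        return $query ? $url . '?' . $query : $url;
    }
}
```

Wire it in with `form_login: { success_handler: App\Security\LocaleAwareSuccessHandler }` under the firewall; Symfony wraps a handler that extends `DefaultAuthenticationSuccessHandler` and passes the firewall's `default_target_path` and related options to it, so those settings keep working.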
Let me explain a bit what I am trying to achieve. I want to send data from an HTML form set up on WordPress which looks like this -> http://prntscr.com/mn87bl. When the user enters the correct username/password it should log in automatically on our Laravel app, which is on a different URL than the WP website.
I've tried to make an AJAX call to that link but I got a Cross-Origin Read Blocking error. I am not sure it will be possible to do it through cURL because the protocol is HTTPS.
I am lost and I am not sure what solution I should think of in order to make this work. Anyone familiar with something like that?
Thanks in advance!!
I would avoid making a direct cross-origin request altogether. It is finicky to make it work. Rather, submit username/password to WP backend, then make an authentication request to Laravel site from WP backend (with CURL or similar). If login is successful, return authentication token to the user and redirect him to the Laravel site.
You may consider using Laravel passport to handle tokens https://laravel.com/docs/5.7/passport
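The server-side flow the answer describes, as an added example for the WordPress side (not the asker's or the answerer's code). It assumes a Laravel 5.7 application with Passport's password grant enabled at https://laravel.example/oauth/token, a client id/secret defined in wp-config.php as `LARAVEL_CLIENT_ID` / `LARAVEL_CLIENT_SECRET`, and a form that posts to admin-ajax.php with `action=laravel_login` and a nonce field named `nonce`; all of those names are placeholders.

```php
<?php
// Added example for the WordPress side; hostnames, constants and action names are placeholders.

/**
 * Exchange the user's credentials for a Passport token, server to server.
 * The browser never contacts the Laravel origin, so neither CORS nor CORB is involved;
 * HTTPS is handled by WordPress' HTTP API (wp_remote_post verifies the certificate).
 */
function laravel_password_grant(string $username, string $password): ?array
{
    $response = wp_remote_post('https://laravel.example/oauth/token', [
        'timeout' => 10,
        'body'    => [
            'grant_type'    => 'password',
            'client_id'     => LARAVEL_CLIENT_ID,
            'client_secret' => LARAVEL_CLIENT_SECRET,
            'username'      => $username,
            'password'      => $password,
            'scope'         => '',
        ],
    ]);

    // Passport answers 401 for bad credentials; anything but 200 is treated as a failed login.
    if (is_wp_error($response) || wp_remote_retrieve_response_code($response) !== 200) {
        return null;
    }

    $token = json_decode(wp_remote_retrieve_body($response), true);
    return (is_array($token) && isset($token['access_token'])) ? $token : null;
}

/**
 * admin-ajax.php handler: the form submits to WordPress (same origin), WordPress logs in
 * against Laravel and hands the result back to the page.
 */
function laravel_login_form_handler(): void
{
    // Reject forged cross-site POSTs; the nonce is emitted with wp_nonce_field('laravel_login', 'nonce').
    check_ajax_referer('laravel_login', 'nonce');

    $username = sanitize_text_field(wp_unslash($_POST['username'] ?? ''));
    $password = (string) wp_unslash($_POST['password'] ?? '');

    $token = laravel_password_grant($username, $password);
    if ($token === null) {
        // Same message for wrong password and unknown user: don't let the form enumerate accounts.
        wp_send_json_error(['message' => 'Login failed'], 401);
    }

    // The token goes back in the response body only. Never append it to a redirect URL:
    // bearer tokens in query strings end up in Referer headers, browser history and server logs.
    wp_send_json_success([
        'access_token' => $token['access_token'],
        'expires_in'   => $token['expires_in'],
        'redirect'     => 'https://laravel.example/',
    ]);
}
add_action('wp_ajax_nopriv_laravel_login', 'laravel_login_form_handler');
add_action('wp_ajax_laravel_login', 'laravel_login_form_handler');
```

How the Laravel application turns that bearer token into a browser session (or whether the front end simply calls Laravel's API with an `Authorization: Bearer` header, which is what Passport tokens are designed for) is not covered by the thread, so the handler stops at returning the token and the target URL.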
I'm setting up FOSJsRoutingBundle on my app. When doing this I realized that the endpoint that returns all routes for the app was returning all routes for my internal app. I was digging in the source code, and they didn't apply any filters to the routes returned based on user roles. This is a very insecure way of doing things, because I can't reveal all the internal routing configuration for my app; it will lead to a security breach if someone used, for example, DevTools from Chrome to check for access to every route in my internal app. The question is, is there a way of accomplishing that, returning only the routes accessible for the current user?
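An added example, not from the question above, of the bundle's opt-in mechanism: FOSJsRoutingBundle serializes only routes that set the `expose` option to true (or whose names match `routes_to_expose` in the bundle's configuration), so what reaches the JavaScript route dump is a per-route decision. The controller and route names below are hypothetical.

```php
<?php
// src/Controller/SettingsController.php (added example; controller and route names are hypothetical)
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Annotation\Route;

class SettingsController extends AbstractController
{
    /**
     * Exposed: the front end needs Routing.generate('settings_update') to build this URL,
     * so this is the one route that is allowed into the JS route dump.
     *
     * @Route("/update", name="settings_update", methods={"POST"}, options={"expose"=true})
     */
    public function update(): JsonResponse
    {
        // Listing a route only reveals its path; the route is reachable whether or not it is
        // listed, so authorization is enforced here (or in access_control), not by hiding it.
        $this->denyAccessUnlessGranted('ROLE_USER');

        return new JsonResponse(['ok' => true]);
    }

    /**
     * Not exposed: without options={"expose"=true} this path never appears in the dump,
     * and the access check still applies to anyone who guesses it.
     *
     * @Route("/admin/insert", name="admin_insert", methods={"POST"})
     */
    public function insert(): JsonResponse
    {
        $this->denyAccessUnlessGranted('ROLE_ADMIN');

        return new JsonResponse(['queued' => true]);
    }
}
```

The dump is generated per application, not per user, so a route that must stay invisible to ordinary users should simply not be exposed; the front end for privileged users can build its URLs from a separate, access-controlled dump or from server-rendered links.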
I have the following situation:
I'm running a Symfony 2 project on a server with the route www.homepage.de.
Every request to a random route on www.homepage.de will be routed to my Landing Page.
Now I want to integrate another project, an API built with Slim PHP and Swagger UI, into this Symfony 2 project. I cloned the project into the /web directory of the Symfony 2 project to guarantee access to it.
But now every request I make to www.homepage.de/api fails because the Symfony 2 project wants to handle the request and can't find the route. Is there a possibility to tell Symfony 2 to ignore every request that is sent to the www.homepage.de/api route?
First of all, don't add anything to the web folder of your application. Just create two applications in different folders. If you want the API to be accessible through the same domain but just with /api, you can use either mod_alias or mod_rewrite to achieve this.
In your current solution it is not Symfony that is intercepting your requests. Take a look at your .htaccess. This is where the magic happens. You can always modify rewrite rules to intercept all /api requests and redirect them to your application but I would still suggest to keep those projects apart.