I'm setting up FOSJsRoutingBundle on my app. When doing this I realized that the endpoint that returns all routes for the app was returning all routes for my internal app. I was digging in the source code, and they didn't apply any filters to the routes returned based on user roles. This is a very insecure way of doing things, because I can't reveal all the internal routing configuration for my app; it will lead to a security breach if someone uses, for example, Chrome DevTools to check for access to every route in my internal app. The question is: is there a way of accomplishing that, i.e. returning only the routes accessible to the current user?
I'm learning Symfony and I'm building an app based on the YouTube API and Google OAuth 2.0.
I'm using annotation routes to make a simple user interface and logging system. Here are all my routes:
/
/auth (redirect to Google auth server)
/auth/response (Get the Google auth code)
/user (users settings, stored via Doctrine ORM)
/update (ajax call url to update users settings)
/insert (making some Youtube API requests, will be used in a Cron task)
So my problem is that I don't want users to access certain routes, because they shouldn't know those routes exist, especially the "/insert" path.
I already set conditions for the /update path like this:
use Symfony\Component\Routing\Annotation\Route;

/**
 * @Route("/update", name="update", condition="request.isXmlHttpRequest()")
 */
The user gets a 404 error and that's perfect.
Now, how can I make something similar for my other problematic routes? Or maybe I'm absolutely doing it wrong, please tell me!
If you want to apply some restriction policies, you need to use the security config (the firewalls section in your case).
Documentation here: https://symfony.com/doc/current/reference/configuration/security.html
And 404 is the wrong answer; 401 would be right.
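The advice above carried through as an added example (not code from the answer or from Symfony's docs): access_control rules for the exact routes the question lists, written in Symfony's PHP config format (config/packages/security.php, equivalent to security.yaml). It assumes a firewall with form login is already configured, that the config-builder methods mirror the YAML keys (path, ips, roles), and that ROLE_USER is the role your logged-in users get.

```php
<?php
// config/packages/security.php (added example): access_control rules for the routes in the
// question. Rules are checked top to bottom and the first rule whose path (and ips) match
// wins, so the public and most specific entries come first.
declare(strict_types=1);

use Symfony\Config\SecurityConfig;

return static function (SecurityConfig $security): void {
    // Google OAuth entry points must stay reachable for anonymous users.
    $security->accessControl()
        ->path('^/auth')
        ->roles(['PUBLIC_ACCESS']);

    // The cron-only endpoint: allow it from the local machine only ...
    $security->accessControl()
        ->path('^/insert')
        ->ips(['127.0.0.1', '::1'])
        ->roles(['PUBLIC_ACCESS']);
    // ... and deny it to every other client. ROLE_NO_ACCESS is a role no user ever has,
    // so anonymous callers are sent to the login form and logged-in callers get 403.
    // (Running the task as a console command instead of over HTTP avoids the route entirely.)
    $security->accessControl()
        ->path('^/insert')
        ->roles(['ROLE_NO_ACCESS']);

    // Profile page and the AJAX settings update: logged-in users only.
    $security->accessControl()
        ->path('^/(user|update)')
        ->roles(['ROLE_USER']);

    // Home page: anyone may view it.
    $security->accessControl()
        ->path('^/')
        ->roles(['PUBLIC_ACCESS']);
};
```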
I'm using form authentication in a Symfony full-stack application.
When a path is only accessible for registered users, the firewall will prompt for credentials and redirect to the originally requested URL afterwards (default behaviour).
In my application users can configure their preferred language in the profile. After login, the user should be redirected to the original URL, but in the preferred language. So ideally I'd like to modify the target path on authentication success so that the same route as the original request is used, but potentially in another language.
I already built an event listener listening on security.interactive_login, but there I can only build static paths as no route information is available.
Also it is not possible to save the original route when the firewall redirects to the login page, as the firewall is called before routing. So I think it's not possible to retrieve the route - or did I miss anything?
I can think of hacky solutions, but maybe someone can help with a better idea - thanks!
I have a domain and subdomain based app (all in one Laravel project). I have set up CORS and CSRF so that communication works. I've also replaced the cookie domain under session.php and now the session is shared across domain and subdomain.
I have an issue when logging in, however. When I log in (either from the domain or the subdomain) the user gets logged in. I can check that by dumping Auth::user() under my web.php. However, when I try to dump it from middleware I get null.
How is that possible?
I tried clearing caches on both the app and the browser.
You should probably check the database; I had those same problems a long time ago.
I think Laravel saves the session in the database, or in some other configuration.
Check "config/session.php".
Hope this is helpful.
I found the issue.
I was calling my middleware before the session middleware under Kernel.php.
NOTE: Global middleware is called before web middleware.
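The fix described above, as an added example (not the poster's own code): the custom middleware moved out of the global stack into the web group after StartSession in app/Http/Kernel.php, next to the middleware class itself. The middleware name RequireSharedSessionUser is hypothetical; the Illuminate and App class names are Laravel's defaults.

```php
<?php
// app/Http/Kernel.php (added example, abbreviated). The custom middleware must run after
// StartSession, so it belongs in the "web" group, not in the global $middleware stack where
// the question had it: global middleware runs before any group, when no session exists yet.
namespace App\Http;

use Illuminate\Foundation\Http\Kernel as HttpKernel;

class Kernel extends HttpKernel
{
    protected $middleware = [
        \App\Http\Middleware\TrustProxies::class,
        \Illuminate\Foundation\Http\Middleware\ValidatePostSize::class,
        // other default global middleware omitted for brevity
        // \App\Http\Middleware\RequireSharedSessionUser::class,  // wrong place: user() is null here
    ];

    protected $middlewareGroups = [
        'web' => [
            \App\Http\Middleware\EncryptCookies::class,
            \Illuminate\Cookie\Middleware\AddQueuedCookiesToResponse::class,
            \Illuminate\Session\Middleware\StartSession::class,
            \Illuminate\View\Middleware\ShareErrorsFromSession::class,
            \App\Http\Middleware\VerifyCsrfToken::class,
            \Illuminate\Routing\Middleware\SubstituteBindings::class,
            // Right place: the session (shared across domain and subdomain via the cookie
            // domain set in config/session.php) is loaded, so the session guard can resolve
            // Auth::user() / $request->user() for this request.
            \App\Http\Middleware\RequireSharedSessionUser::class,
        ],
    ];
}

// app/Http/Middleware/RequireSharedSessionUser.php (hypothetical name)
namespace App\Http\Middleware;

use Closure;
use Illuminate\Http\Request;

class RequireSharedSessionUser
{
    public function handle(Request $request, Closure $next)
    {
        if ($request->user() === null) {
            // Anonymous request: send it to the login form instead of running the route.
            return redirect()->route('login');
        }
        return $next($request);
    }
}
```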
I know about guards and I am using them.
However, guards are client-side code which the user could manipulate, so they could access the guarded route anyway and thus bypass the guard.
My entire Angular2 application has a PHP backend, so I'm thinking of using that with AJAX somehow, but I can't figure out a solution where they can't modify the AJAX response and access the guarded route.
No, you cannot prevent the user from accessing a part of the UI, nor from requesting or submitting data from/to arbitrary URLs on your server, nor inspecting the network traffic in detail.
Client side routing guards and permissions checks are basically a UX concern, to only provide the user with the UI elements for the functionality they are allowed to perform.
It is the server application's job to "really" implement data security and deny access to perform sensitive functions and access sensitive data, using authentication tokens, roles and permissions, and the like.
The result is that if a user accesses the guarded route by bug or by trickery, this route's component will request the secure data from the server (this data must not be included in the angular2 component), or attempt to perform a restricted action, but the request will fail because the user's security token has insufficient permissions.
You can't hide ajax calls being made in a browser. All popular browsers let you inspect network traffic.
As far as I know, you can't modify the response of an Ajax call unless you have a middle man between the browser and the server. However, you can't stop the user from modifying ajax requests.
They can make the same requests (made by the browser) through curl, wget, Postman, etc. So, if you want to have restrictions on a private route, make them login and check credentials on the server side.
Sorry if you are upset that this is not a very specific question, but I researched online and couldn't find out what PHP middleware refers to.
I have seen this term used in the Slim microframework and the Laravel framework, and I really need an explanation.
Thanks a lot
I'm no tremendous expert, but I can try to explain it. Basically, middleware in L5 and up replaces the filters that were in place in older Laravel versions. It adds verification to either a route/controller or the whole site. It will run whatever logic you have in a middleware before rendering a specific page to the user. For instance, Laravel comes with an auth and a csrf middleware upon installation. The auth middleware will check if the user is authenticated BEFORE showing a page, and csrf verifies on everything and makes sure your current token matches what is present in the db.
To create a middleware you need to run php artisan make:middleware NameofMiddleware.
A middleware can either be per each route or for the whole application.
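To make the middleware explanation above concrete, and to show the server-side enforcement the Angular answers earlier on this page ask for, here is an added example (not from any poster, and not Slim's or Laravel's code): a minimal plain-PHP middleware pipeline in which an authorization middleware runs before the route handler and decides on server-side session data alone. The Request and Response classes and the three sample sessions are constructed for the example.

```php
<?php
// Added example (plain PHP, no framework): a minimal middleware pipeline in the style Slim and
// Laravel use. Each middleware gets the request plus a $next callable and may stop the chain.
declare(strict_types=1);
// Constructed stand-ins; $session is server-side state the client cannot forge.
final class Request
{
    public function __construct(public string $path, public array $session = []) {}
}
final class Response
{
    public function __construct(public int $status, public string $body) {}
}
// Authorization middleware: decides on server-side session data only, never on anything the
// client sent, so a hand-crafted curl or Postman request gets the same answer as the browser.
function requireRole(string $role): Closure
{
    return function (Request $req, Closure $next) use ($role): Response {
        if (!isset($req->session['user_id'])) {
            return new Response(401, 'authentication required');
        }
        if (!in_array($role, $req->session['roles'] ?? [], true)) {
            return new Response(403, 'forbidden');
        }
        return $next($req);   // authorized: hand over to the next middleware or the handler
    };
}
// Wrap the route handler in the middleware list so the first entry runs outermost.
function pipeline(array $middleware, Closure $handler): Closure
{
    return array_reduce(
        array_reverse($middleware),
        fn (Closure $next, Closure $mw): Closure => fn (Request $r): Response => $mw($r, $next),
        $handler
    );
}
// The handler is only reached when every middleware called $next.
$handler = fn (Request $r): Response => new Response(200, 'secret data for user ' . $r->session['user_id']);
$app = pipeline([requireRole('ROLE_ADMIN')], $handler);
// Three constructed requests for the same URL; only the server-side session differs.
$samples = [
    'anonymous' => new Request('/insert'),
    'user'      => new Request('/insert', ['user_id' => 7, 'roles' => ['ROLE_USER']]),
    'admin'     => new Request('/insert', ['user_id' => 1, 'roles' => ['ROLE_ADMIN']]),
];
foreach ($samples as $who => $request) {
    $response = $app($request);
    printf("%-9s %s -> %d %s\n", $who, $request->path, $response->status, $response->body);
}
```

Because the decision is taken from the session the server holds, editing the client-side guard or replaying the request from another tool changes nothing about the outcome.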