Update "User authentication" customization example (5.0)

[adriendupuis]

Question	Answer
JIRA Ticket	IBX-11465
Versions	5.0
Edition	All

Update for DXP 5.0 SF 7.3 since ibexa/core#411 and other big changes

Related RP: #3086

Checklist

• Text renders correctly
• Text has been checked with vale
• Description metadata is up to date
• Redirects cover removed/moved pages
• Code samples are working
• PHP code samples have been fixed with PHP CS fixer
• Added link to this PR in relevant JIRA ticket or code PR

[github-actions]

Preview of modified files

Preview of modified Markdown:

• docs/users/user_authentication.md

[adriendupuis]

I could use Ibexa\Core\MVC\Symfony\Security\User\UsernameProvider::loadUserByIdentifier() to get the repo user already wrapped:

Suggested change

	$ibexaUser = $this->userService->loadUserByLogin($userLogin);
	$event->getAuthenticationToken()->setUser(new User($ibexaUser));
	$ibexaUser = $this->userNameProvider->loadUserByIdentifier($userLogin);
	$event->getAuthenticationToken()->setUser($ibexaUser);

See #3088 for complete integration of this idea.

Pros:

• Relies on the user provider it replaces

Cons:

• Hides Ibexa\Core\MVC\Symfony\Security\User usage

it's still out of Contracts namespace.

[wizhippo]

Is the SecurityEvents::INTERACTIVE_LOGIN the correct event now? I believe this fires after https://github.com/ibexa/core/blob/main/src/lib/MVC/Symfony/Security/Authentication/EventSubscriber/OnAuthenticationTokenCreatedRepositoryUserSubscriber.php which sets the repository user.

Also I see no logic anymore that sets a UserWrapped for the InteractiveLogin event to use.

I have a working method for myself now. That is to listen for a "AuthenticationTokenCreatedEvent" of our own and create and set a wrapped user there. Also need to make sure that your custom userprovider refreshes as wrapped user properly considering both the apiUser and the customUser

Not sure if this helps you at all or not. Also note i included a switchuserlistenr here too as it is broken too by default and will not work with wrapped users otherwise.

I have removed some login from the below to post here so code may not run as is.

<?php

declare(strict_types=1);

namespace App\Security\EventSubscriber;

use App\Entity\AppUser;
use Ibexa\Contracts\Core\Repository\PermissionResolver;
use Ibexa\Contracts\Core\Repository\Repository;
use Ibexa\Contracts\Core\Repository\Values\User\User;
use Ibexa\Core\MVC\Symfony\Security\UserWrapped;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Http\Event\AuthenticationTokenCreatedEvent;

final readonly class AuthenticationTokenCreatedSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private Repository $repository,
        private PermissionResolver $permissionResolver,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            AuthenticationTokenCreatedEvent::class => 'onAuthenticationTokenCreated',
        ];
    }

    public function onAuthenticationTokenCreated(AuthenticationTokenCreatedEvent $event): void
    {
        $user = $event->getAuthenticatedToken()->getUser();

        if (!$user instanceof AppUser) {
            return;
        }

        $apiUser = $user->getIbexaUserId() ? $this->repository->sudo(
            function (Repository $repository) use ($user) {
                try {
                    return $repository->getUserService()->loadUser($user->getIbexaUserId());
                } catch (\Exception) {
                    return null;
                }
            }
        ) : $this->repository->sudo(
            function (Repository $repository) use ($user) {
                try {
                    return $repository->getUserService()->loadUserByLogin($user->getUserIdentifier());
                } catch (\Exception) {
                    return null;
                }
            }
        );

        if ($apiUser instanceof User) {
            $this->permissionResolver->setCurrentUserReference($apiUser);
            $event->getAuthenticatedToken()->setUser(new UserWrapped($user, $apiUser));
        }
    }
}

In UserProvider

    public function refreshUser(UserInterface $user): UserInterface
    {
        if ($user instanceof UserWrapped && $user->getWrappedUser() instanceof AppUser) {
            $user = $this->loadUserByIdentifier($user->getWrappedUser()->getUserIdentifier());
        } else {
            $user = $this->loadUserByIdentifier($user->getUserIdentifier());
        }

        /** @var AppUser $user */
        $apiUser = $user->getIbexaUserId() ? $this->repository->sudo(
            fn (Repository $repository) => $repository->getUserService()->loadUser($user->getIbexaUserId())
        ) : $this->repository->sudo(
            fn (Repository $repository) => $repository->getUserService()->loadUserByLogin(
                $user->getUserIdentifier()
            )
        );

        return new UserWrapped($user, $apiUser);
    }

<?php

declare(strict_types=1);

namespace App\Security\EventSubscriber;

use App\Entity\AppUser;
use Doctrine\ORM\EntityManagerInterface;
use Ibexa\Contracts\Core\Repository\Repository;
use Ibexa\Core\MVC\Symfony\Security\UserWrapped;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
use Symfony\Component\Security\Http\Event\SwitchUserEvent;
use Symfony\Component\Security\Http\SecurityEvents;

final readonly class SwitchUserEventSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private Repository $repository,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        return [
            SecurityEvents::SWITCH_USER => ['onSwitchUser', 0],
        ];
    }

    public function onSwitchUser(SwitchUserEvent $event): void
    {
        $token = $event->getToken();

        if (
            $token instanceof SwitchUserToken
            && $token->getUser() instanceof AppUser
            && $token->getOriginalToken()->getUser() instanceof UserWrapped
            && $token->getOriginalToken()->getUser()->getWrappedUser() instanceof AppUser
        ) {
            $currentUsername = $token->getOriginalToken()->getUserIdentifier();
            $targetUsername = $token->getUserIdentifier();

            $user = $token->getUser();

            $apiUser = $user->getIbexaUserId() ? $this->repository->sudo(
                function (Repository $repository) use ($user) {
                    try {
                        return $repository->getUserService()->loadUser($user->getIbexaUserId());
                    } catch (\Exception) {
                        return null;
                    }
                }
            ) : $this->repository->sudo(
                function (Repository $repository) use ($user) {
                    try {
                        return $repository->getUserService()->loadUserByLogin($user->getUserIdentifier());
                    } catch (\Exception) {
                        return null;
                    }
                }
            );

            $wrappedUser = new UserWrapped($user, $apiUser);
            $token->setUser($wrappedUser);
        }

        $event->getRequest()->getSession()->migrate();
    }
}

[github-actions]

code_samples/ change report

Before (on target branch)	After (in current PR)
code_samples/user_management/in_memory/config/packages/security.yaml	code_samples/user_management/in_memory/config/packages/security.yaml
	docs/users/user_authentication.md@42:``` yaml docs/users/user_authentication.md@43:[[= include_file('code_samples/user_management/in_memory/config/packages/security.yaml') =]] docs/users/user_authentication.md@44:``` 001⫶security: 002⫶ password_hashers: 003⫶ # The in-memory provider requires an encoder 004⫶ Symfony\Component\Security\Core\User\InMemoryUser: plaintext 005⫶ Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto' 006⫶ 007⫶ # https://symfony.com/doc/current/security.html#b-configuring-how-users-are-loaded 008⫶ providers: 009⫶ in_memory: 010⫶ memory: 011⫶ users: 012⫶ from_memory_user: { password: from_memory_pass, roles: [ 'ROLE_USER' ] } 013⫶ from_memory_admin: { password: from_memory_publish, roles: [ 'ROLE_USER' ] } 014⫶ ibexa: 015⫶ id: ibexa.security.user_provider 016⫶ # Chaining in_memory and ibexa user providers 017⫶ chained: 018⫶ chain: 019⫶ providers: [ in_memory, ibexa ] 020⫶ 021⫶ firewalls: 022⫶ # … 023⫶ ibexa_front: 024⫶ pattern: ^/ 025⫶ provider: chained 026⫶ user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker 027⫶ context: ibexa 028⫶ form_login: 029⫶ enable_csrf: true 030⫶ login_path: login 031⫶ check_path: login_check 032⫶ custom_authenticators: 033⫶ - Ibexa\PageBuilder\Security\EditorialMode\FragmentAuthenticator 034⫶ entry_point: form_login 035⫶ logout: 036⫶ path: logout
code_samples/user_management/in_memory/config/services.yaml	code_samples/user_management/in_memory/config/services.yaml
	docs/users/user_authentication.md@49:``` yaml docs/users/user_authentication.md@50:[[= include_file('code_samples/user_management/in_memory/config/services.yaml') =]] docs/users/user_authentication.md@51:``` 001⫶services: 002⫶ App\EventSubscriber\InteractiveLoginSubscriber: 003⫶ arguments: 004⫶ $userMap: 005⫶ from_memory_user: customer 006⫶ from_memory_admin: admin
code_samples/user_management/in_memory/src/EventSubscriber/InteractiveLoginSubscriber.php	code_samples/user_management/in_memory/src/EventSubscriber/InteractiveLoginSubscriber.php
	docs/users/user_authentication.md@32:``` php docs/users/user_authentication.md@33:[[= include_file('code_samples/user_management/in_memory/src/EventSubscriber/InteractiveLoginSubscriber.php') =]] docs/users/user_authentication.md@34:``` 001⫶<?php declare(strict_types=1); 002⫶ 003⫶namespace App\EventSubscriber; 004⫶ 005⫶use Ibexa\Contracts\Core\Repository\UserService; 006⫶use Ibexa\Core\MVC\Symfony\Security\User; 007⫶use Symfony\Component\EventDispatcher\EventSubscriberInterface; 008⫶use Symfony\Component\Security\Core\User\InMemoryUser; 009⫶use Symfony\Component\Security\Http\Event\InteractiveLoginEvent; 010⫶use Symfony\Component\Security\Http\SecurityEvents; 011⫶ 012⫶class InteractiveLoginSubscriber implements EventSubscriberInterface 013⫶{ 014⫶ /** @param array<string, string> $userMap */ 015⫶ public function __construct( 016⫶ private readonly UserService $userService, 017⫶ private readonly array $userMap = [], 018⫶ ) { 019⫶ } 020⫶ 021⫶ public static function getSubscribedEvents(): array 022⫶ { 023⫶ return [ 024⫶ SecurityEvents::INTERACTIVE_LOGIN => 'onInteractiveLogin', 025⫶ ]; 026⫶ } 027⫶ 028⫶ public function onInteractiveLogin(InteractiveLoginEvent $event): void 029⫶ { 030⫶ $tokenUser = $event->getAuthenticationToken()->getUser(); 031⫶ if ($tokenUser instanceof InMemoryUser) { 032⫶ $userLogin = $this->userMap[$event->getAuthenticationToken()->getUserIdentifier()] ?? 'anonymous'; 033⫶ $ibexaUser = $this->userService->loadUserByLogin($userLogin); 034⫶ $event->getAuthenticationToken()->setUser(new User($ibexaUser)); 035⫶ } 036⫶ } 037⫶}

Download colorized diff

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud