Silex : The token storage contains no authentication token - silex

When trying to check whether the user is authenticated or not in layout
{% if is_granted('IS_AUTHENTICATED_FULLY') %}
<p>Username: {{ app.user.username }}</p>
{% endif %}
I am getting an error as
Twig_Error_Runtime in Template.php line 304:
An exception has been thrown during the rendering of a template ("The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL.") in "layout.html" at line 39.
This is the configuration of the security firewall. I need to only allow logged in users to access the website.
$app->register(new SecurityServiceProvider(), array(
'security.firewalls' => array(
'dev' => array(
'pattern' => '^/(_(profiler|wdt)|css|images|js)/',
'security' => false
),
'login' => array(
'pattern' => '^/login$',
),
'secured' => array(
'pattern' => '^.*$',
'form' => array('login_path' => '/login', 'check_path' => '/login_check'),
'logout' => array('logout_path' => '/logout'),
'users' => $app->share(function() use ($app) {
// Specific class App\User\UserProvider is described below
return new App\User\UserProvider($app['db']);
}),
),
'unsecured' => array(
'anonymous' => true,
)
),
'security.access_rules' => array(
// You can rename ROLE_USER as you wish
array('^/.+$', 'ROLE_USER'),
array('^/login$', 'SS'), // This url is available as anonymous user
)
));
Any ideas to fix this is welcome.
Thank you

Since the error message says that the error happens in layout.html, I'm guessing it is used on every page even the ones like /login that is not behind a firewall. The error is caused by calling is_granted when not behind a firewall.
So there are a few options:
Use a separate layout for login page that does not call is_granted
Check if there is an existing security token before calling is_granted
Option 1 should be obvious so not going into more detail with that.
With option 2, you can do something like this to check for existing security token:
{% if app.security.token is not null and is_granted('IS_AUTHENTICATED_FULLY') %}

Related

Check if the user is authenticated on not secured route

I'm trying to build a simple login using symofny/security package in Silex, but I have a small problem with authentication checking.
The structure:
/
/login
/admin
/login_check
/logout
In order to get to the /admin route user needs to be authenticated, if he's not, he gets redirected to /login form, which then, as recommended, is asking admin/login_check for authentication (that's all provided by symofny's security firewalls).
The firewalls configuration:
'security.firewalls' => array(
'login' => array(
'pattern' => '^/login$',
),
'admin' => array(
'pattern' => '^/admin',
'http' => true,
'form' => array(
'login_path' => '/login',
'check_path' => '/admin/login'
),
'logout' => array(
'logout_path' => '/admin/logout',
'invalidate_session' => true
),
'users' => ...
),
)
Everything works fine, but the user can enter the /login route even-though he's already authenticated, which is not that bad, but I'd like to avoid it. I tired to check the user authentication status, but I guess it does not work as I'm checking it on /login controller, which is not in "secured" area of the website.
Here's the code:
public function index(Request $request, Application $app)
{
if ($app['security.authorization_checker']->isGranted('ROLE_ADMIN')) {
return $app->redirect($app['url_generator']->generate('admin'));
}
return $app['twig']->render('login/index.twig', array(
'error' => $app['security.last_error']($request),
'last_username' => $app['session']->get('_security.last_username'),
));
}
That throws an error: The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL. So, the question, is there any way to do this using symfony/security natively (without any walk-arounds)? or is it somehow possible to create the /login route inside secured area with possibility to access it even-though the user is not logged in (e.g. make an exception for GET request) which would solve the problem?
UPDATE
I've also added the firewall configuration for /login page with an option anonymous: true, which resulted in not throwing an error anymore, but yet, when I'm logged in on the /admin route, method isGranted('ROLE_ADMIN') results in true, whereas on /login route it results in false (I'm still logged in there).
You can easily understand the behavior of the security component by dumping the current token.
public function index(Request $request, Application $app)
{
var_dump($application['security.token_storage']->getToken());
}
When you don't set anonymous option for login page (by default it is false):
null
When you set anonymous option for login page to true:
object(Symfony\Component\Security\Core\Authentication\Token\AnonymousToken)
private 'secret' => string 'login' (length=5)
private 'user' (Symfony\Component\Security\Core\Authentication\Token\AbstractToken) => string 'anon.' (length=5)
private 'roles' (Symfony\Component\Security\Core\Authentication\Token\AbstractToken) =>
array (size=0)
empty
private 'authenticated' (Symfony\Component\Security\Core\Authentication\Token\AbstractToken) => boolean true
private 'attributes' (Symfony\Component\Security\Core\Authentication\Token\AbstractToken) =>
array (size=0)
empty
Following example describes why you are getting error in your initial code example.
How to share security token?
To share security token between multiple firewalls you have to set the same Firewall Context.
SecurityServiceProvider registers context listener for protected firewall you have declared with pattern security.context_listener.<name>. In your example it is registered as security.context_listener.admin. Thus context you want to use is named admin.
Also a firewall context key is stored in session, so every firewall using it must set its stateless option to false.
What is more, to invoke authentication on login page the anonymous option must be set to true
'security.firewalls' => array(
'login' => array(
'context' => 'admin',
'stateless' => false,
'anonymous' => true,
'pattern' => '^/login$',
),
'admin' => array(
'context' => 'admin',
'stateless' => false,
'pattern' => '^/admin',
'http' => true,
'form' => array(
'login_path' => '/login',
'check_path' => '/admin/login'
),
'logout' => array(
'logout_path' => '/admin/logout',
'invalidate_session' => true
),
'users' => ...
),
)
After the change, if you are logged in on admin panel and login page you will get an instance of Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken as a token and
Symfony\Component\Security\Core\Authentication\Token\AnonymousToken if you are not logged in.
Because of that, you can safely check permission using $app['security.authorization_checker']->isGranted('ROLE_ADMIN') and get the same results on both firewalls.

ZF2 Home Url maps to 0.0.0

Hi i came here since I have some troubles with my routing. This is what troubles me:
$this>url('home') maps the url to 0.0.0, since zf is generating relative paths for most of the time, so I expected it to be something like / or the complete namen taken from the $_SERVERarray
my home config entry:
'home' => array(
'type' => 'Segment',
'options' => array(
'route' => '/[/:page][/]',
'defaults' => array(
'controller' => 'MyModule\Controller\Index',
'action' => 'index',
'page' => 1,
),
'constraints' => array(
'page' => '[0-9]+',
),
),
),
this is where I "found out" since my paginator is spitting out urls like http://0.0.0/2
anybody knows how to resolve that issue?
Running on my localhost from domain "test.com" I guess it somehow comes from that, but it's still bothersome
changed 'route' => '/[/:page][/]', to 'route' => '/[:page][/]', now it's working like a charm, i should go to bed -_-
It's a bit late adding this but i encountered another "bug" from this. As you see there is an optional page parameter and an optional trailing /, since the route which is basically mysite.com/1/ maps to // (default for page is 1) i had to remove the trailing /

SessionManager Timeout/Logout

I'm currently using the examples found here http://zf2.readthedocs.org/en/latest/modules/zend.session.manager.html
In my autoload/global.php file I have the following:
'session' => array(
'config' => array(
'class' => 'Zend\Session\Config\SessionConfig',
'options' => array(
'name' => 'otwebsoft',
'save_path' => __DIR__ . '/../../data/session',
'use_cookies' => true,
'cookie_lifetime' => 3600,
'cookie_httponly' => true,
'cookie_secure' => false,
'remember_me_seconds' => 1800
)
),
'storage' => 'Zend\Session\Storage\SessionArrayStorage',
'validators' => array(
array(
'Zend\Session\Validator\RemoteAddr',
'Zend\Session\Validator\HttpUserAgent'
)
)
)
I like how that the session expires after X amount of time and if the user was logged in, upon a page refresh the user is then automagically logged out and they must login again. However, I would like it so that if the user continues to surf the site, after X amount of time the session isn't killed off but perhaps just regenerated or something so that they are not forced to log back in again.
I am just not certain how or if this is possible to do both scenarios. If this is not possible, I could just raise the X time for session lifetime and live with that.
Does anyone have any ideas I could try?
Set cookie lifetime to 0:
'cookie_lifetime' => 0
it will tell the browser to kill the cookie only after the browser is closed.
And define the server session storage lifetime:
'gc_maxlifetime' => 3600
So after 1 hour of inactivity the session storage will be cleaned up.

Zend Framework 2, route with query fails only if route has child routes

Since 2.1.4 the Query route is deprecated, I'm routing to my blog like this:
'cro-blog' => array(
'type' => 'Literal',
'options' => array(
'route' => '/blog',
'defaults' => array(
'controller' => 'CroBlog\BlogController',
'action' => 'index',
),
),
),
And link to pages like /blog?p=x where x is the page number. This works perfectly until I add a child route. Linking to /blog still works but linking to pages give a 404 (more specific 'The requested URL could not be matched by routing.'). This is my current setup:
'cro-blog' => array(
'type' => 'Literal',
'options' => array(
'route' => '/blog',
'defaults' => array(
'controller' => 'CroBlog\BlogController',
'action' => 'index',
),
),
'may_terminate' => true,
'child_routes' => array(
'post' => array(
'type' => 'Segment',
'options' => array(
'route' => '/:slug',
'constraints' => array(
'slug' => '[a-zA-Z][a-zA-Z0-9_-]*',
),
'defaults' => array(
'action' => 'post',
),
),
),
),
),
I'm using a Segment child route but the same problem exists with a Literal child route.
Any way to keep the page query and the child routes?
This is solved. If anyone experiences the same issues, this is what worked for me.
Clear all cache (EdpSuperluminal, APC etc.)
Remove Zend library
Run your application without Zend library (giving loads of errors of course, but this seemed crucial to me to make it work)
Re-install Zend library
Run your application again
I installed 2.1.5dev and it fixed the issue. Wanted to make sure whether it was a bug or not so tried again with 2.1.4 and the issue was still fixed. So this is my conclusion. Cache can be a weird thing.
Edit Jumped to (the wrong) conclusions too soon. Fired up Zend Studio 10 and now it bugs again. I think Zend Studio 10 is reverting some files (not all since Query route did got marked as deprecated). Still, consider this solved, just need to find a way to tell Zend Studio 10 to use 2.1.4. Thanks!

404 HTTP errors not being rendered in JSON using Zend framework 2

I'm creating a simple restful api using zend framework2 and I've references Rob Allen's notes on the subject as well as this excellent tutorial by http://hounddog.github.com/blog/getting-started-with-rest-and-zend-framework-2/
below is my module_config.php. You'll see that I have routes and the JSON view strategy configured. My understanding is that when you set up the JSON strategy in this fashion it accommodates all modules. The issue is that when an invalid route is entered the 404 response is sent back in html even though the Accept header is requesting Application/json.
I've been struggling with this for a 2 days now any advice or help would be appreciated
This curl call to the api generates the expected 404 error.
curl -i -H "Accept: application/json" http://myapi-dev.local/xxx/1
Module_config.php
return array(
'controllers' => array(
'invokables' => array(
'Dips\Controller\Roles' => 'Dips\Controller\RolesController', //maps controller alias to a physical controller
),
),
'router' => array(
'routes' => array(
'dips' => array(
'type' => 'segment',
'options' => array(
'route' => '/dips/roles/:apikey/:uname/:appname',
'constraints' => array(
'apikey' => '[a-zA-Z0-9]+',
'uname' => '[a-zA-Z]+',
'appname' => '[a-zA-Z][a-zA-Z0-9_-]*',
),
'defaults' => array(
'controller' => 'Dips/Controller/Roles',
),
),
),
),
),
'view_manager' => array(
'strategies' => array(
'ViewJsonStrategy',
),
),
);
You would need to implement an additional rendering strategy and put it in the stack above the default 404 rendering strategy. Alternatively, you could extend the existing ViewJsonStrategy to include error handling.
The default 404 Strategy is Zend/Mvc/View/Http/RouteNotFoundStrategy. If you look at it's detectNotFoundError method, you can see when it gets triggered.

Resources