Symfony 6 登录不运行身份验证

Question

I'm trying to make a small application in symfony 6 to practice but I can't get the login to work.

I have used the commands make:user , make:crud user , make:auth , and I have let the application build the login for me.

The thing is that I manage to register the user correctly (hashing the password) but when I try to login it only redirects me to the same page, it doesn't even show me an error message.

I have noticed that when logging in the application does not send the form to App\Security\UserAuthenticator . In previous versions of symfony the application configured all this directly for me as it should be.

This is my SecurityController :

 class SecurityController extends AbstractController { #[Route(path: '/login', name: 'app_login')] public function login(AuthenticationUtils $authenticationUtils): Response { if ($this->getUser()) { return $this->redirectToRoute('app_home'); } // get the login error if there is one $error = $authenticationUtils->getLastAuthenticationError(); // last username entered by the user $lastUsername = $authenticationUtils->getLastUsername(); return $this->render('security/login.html.twig', ['last_username' => $lastUsername, 'error' => $error]); } #[Route(path: '/logout', name: 'app_logout')] public function logout(): void { throw new \LogicException('This method can be blank - it will be intercepted by the logout key on your firewall.'); } }

login.html.twig :

 {% extends 'base.html.twig' %} {% block title %}Log in.{% endblock %} {% block body %} <form method="post"> {% if error %} <div class="alert alert-danger">{{ error.messageKey|trans(error,messageData. 'security') }}</div> {% endif %} {% if app.user %} <div class="mb-3"> You are logged in as {{ app.user,userIdentifier }}, <a href="{{ path('app_logout') }}">Logout</a> </div> {% endif %} <h1 class="h3 mb-3 font-weight-normal">Please sign in</h1> <label for="inputUsername">Username</label> <input type="text" value="{{ last_username }}" name="username" id="inputUsername" class="form-control" autocomplete="username" required autofocus> <label for="inputPassword">Password</label> <input type="password" name="password" id="inputPassword" class="form-control" autocomplete="current-password" required> <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}" > <button class="btn btn-lg btn-primary" type="submit"> Sign in </button> </form> {% endblock %}

UserAuthenticator :

 class UserAuthenticator extends AbstractLoginFormAuthenticator { use TargetPathTrait; public const LOGIN_ROUTE = 'app_login'; private UrlGeneratorInterface $urlGenerator; public function __construct(UrlGeneratorInterface $urlGenerator) { $this->urlGenerator = $urlGenerator; } public function authenticate(Request $request): Passport { $username = $request->request->get('username', ''); $request->getSession()->set(Security::LAST_USERNAME, $username); return new Passport( new UserBadge($username), new PasswordCredentials($request->request->get('password', '')), [ new CsrfTokenBadge('authenticate', $request->request->get('_csrf_token')), ] ); } public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response { if ($targetPath = $this->getTargetPath($request->getSession(), $firewallName)) { return new RedirectResponse($targetPath); } // For example: return new RedirectResponse($this->urlGenerator->generate('app_home')); } protected function getLoginUrl(Request $request): string { return $this->urlGenerator->generate(self::LOGIN_ROUTE); } }

security.yaml :

 security: # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords password_hashers: Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto' # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider providers: # used to reload user from session & other features (eg switch_user) app_user_provider: entity: class: App\Entity\User property: username firewalls: dev: pattern: ^/(_(profiler|wdt)|css|images|js)/ security: false main: lazy: true provider: app_user_provider custom_authenticator: App\Security\UserAuthenticator logout: path: app_logout # where to redirect after logout # target: app_any_route # activate different ways to authenticate # https://symfony.com/doc/current/security.html#the-firewall # https://symfony.com/doc/current/security/impersonating_user.html # switch_user: true # Easy way to control access for large sections of your site # Note: Only the *first* access control that matches will be used access_control: # - { path: ^/admin, roles: ROLE_ADMIN } # - { path: ^/profile, roles: ROLE_USER } when@test: security: password_hashers: # By default, password hashers are resource intensive and take time. This is # important to generate secure password hashes. In tests however, secure hashes # are not important, waste resources and increase test times. The following # reduces the work factor to the lowest possible values. Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: algorithm: auto cost: 4 # Lowest possible value for bcrypt time_cost: 3 # Lowest possible value for argon memory_cost: 10 # Lowest possible value for argon

I hope you can give me a hand, I don't understand what is happening and some things that I have read while googling have not helped me. Thanks.

Answer 1

I had the same problem as you. I followed the tutorial https://symfony.com/doc/current/security.html but my connection was not working.

I then did a $symfony make:auth

Choose [1]Login form authenticator

My config/packages/security.yaml

security:
    # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
    password_hashers:
        Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
    # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
    providers:
        # used to reload user from session & other features (e.g. switch_user)
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        secured_area:
            # form_login:
                # enable_csrf: true
            custom_authenticator: App\Security\UserAuthenticator
            logout:
                path: app_logout
                # where to redirect after logout
                # target: app_any_route
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            lazy: true
            provider: app_user_provider
            form_login:
                login_path: login
                check_path: login
                default_target_path: home
            logout:
                path: app_logout

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#the-firewall

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # - { path: ^/admin, roles: ROLE_ADMIN }
        # - { path: ^/profile, roles: ROLE_USER }

when@test:
    security:
        password_hashers:
            # By default, password hashers are resource intensive and take time. This is
            # important to generate secure password hashes. In tests however, secure hashes
            # are not important, waste resources and increase test times. The following
            # reduces the work factor to the lowest possible values.
            Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
                algorithm: auto
                cost: 4 # Lowest possible value for bcrypt
                time_cost: 3 # Lowest possible value for argon
                memory_cost: 10 # Lowest possible value for argon

I have change /login to /connexion in my SecurityController:

#[Route(path: '/connexion', name: 'app_login')]
    public function login(AuthenticationUtils $authenticationUtils): Response
    {

Now it works for me.

Answer 2

 main:
            pattern: ^/
            user_checker: App\Security\UserChecker
            lazy: true
            form_login:
                # "login" is the name of the route created previously
                login_path: app_login
                check_path: app_login

Answer 3

here the full procedure to create users and login:

Symfony 6.1

$ php bin/console make:user
$ php bin/console make:migration
$ php bin/console doctrine:migrations:migrate

Create a temp user to test (crypted password is 'test')

INSERT INTO `user` (`id`, `email`, `roles`, `password`) VALUES (1, 'johndoe@site.com', '["ROLE_ADMIN"]', '$2y$13$zMYKGkggUiUdAGedrgpXF.jlArzta9k3UgBCKEvoF1ILsbbSxx8by');

Create the Login Form

$ php bin/console make:controller Login

Security Config

# config/packages/security.yaml
security:
# ...

    firewalls:
        main:
            # ...
            form_login:
                # "app_login" is the name of the route created previously
                login_path: app_login
                check_path: app_login
                
            logout:
                path: app_logout

Logout route

# api/config/routes.yaml
# ...
app_logout:
    path: /logout
    methods: GET
# ...

CSFR Protection

# config/packages/security.yaml
security:
    # ...

    firewalls:
        secured_area:
            # ...
            form_login:
                # ...
                enable_csrf: true

# config/packages/framework.yaml
framework:
    # ...
    csrf_protection: ~

LoginController

// src/Controller/LoginController.php
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Http\Authentication\AuthenticationUtils;

class LoginController extends AbstractController
{
    #[Route('/login', name: 'app_login')]
    public function index(AuthenticationUtils $authenticationUtils): Response
    {
      // get the login error if there is one
      $error = $authenticationUtils->getLastAuthenticationError();
      
      // last username entered by the user
      $lastUsername = $authenticationUtils->getLastUsername();
      
      return $this->render('login/index.html.twig', [
          'controller_name' => 'LoginController',
          'last_username' => $lastUsername,
          'error'         => $error
      ]);
    }
}

Login Template

{# templates/login/index.html.twig #}
{% extends 'base.html.twig' %}

{# ... #}

{% block body %}
    {% if error %}
        <div>{{ error.messageKey|trans(error.messageData, 'security') }}</div>
    {% endif %}

    <form action="{{ path('app_login') }}" method="post">
        <label for="username">Email:</label>
        <input type="text" id="username" name="_username" value="{{ last_username }}"/>

        <label for="password">Password:</label>
        <input type="password" id="password" name="_password"/>

        {# If you want to control the URL the user is redirected to on success
        <input type="hidden" name="_target_path" value="/api"/> #}
        <input type="hidden" name="_csrf_token" value="{{ csrf_token('authenticate') }}">
        
        <button type="submit">login</button>
    </form>
{% endblock %}