Stateless authentication in Symfony 2

Everyone these days wants an API, mostly for some SPA or for external applications. The common issue is the security layer: you can't use the standard login form and session cookies. Another problem with state kept in cookies is, for example, clickjacking. James Ward wrote about this some time ago.

So we have some requirements:

  • Authentication based on a token
  • The token is sent as part of each request, so the API stays stateless
  • I want to be able to use the Symfony Security layer as I do in "normal" applications
  • Bonus: I want to authenticate each device with a different token (when someone is using the app on a PC and a phone at the same time)

So I went to the Symfony Cookbook and found a solution with my requirement in the title. It wasn't what I needed. OK, it's about keys/tokens and I probably could have made it work, but I have a lot of free time during the holidays, so I can do better. So I went one article further and wrote my own authentication provider. There is of course a Cookbook article about that too.

Let's start with the UserProvider. What I want is to find a User entity by a given token and device identifier. The simple schema looks like this:

User and Identities

To find the user I query by username when authenticating by token and device at the beginning of each request, and once in a while by username and password to create a new Identity.

An interface like this is all I need, and it's consistent with the Liskov substitution principle (the L in SOLID).

Once I can find the user, all I need to do is follow the Cookbook and everything works great. SecureApiBundle is available on GitHub so you can check how I've done it.

Update your composer.json file,

enable the bundle,

and use secure-api in your security config:

I know it is possible to add the paths for registration and session creation to the config, but for now I don't need this, so I keep it simple :P The Doctrine UserRepository is used here as the User Provider, with the interface I mentioned earlier. Line 28 is the marker that we are using our token solution for this firewall.
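The wiring described above (a user provider that resolves a token plus device identifier, an authentication provider that turns that lookup into an authenticated security token, and a firewall listener that reads the credentials from each request) follows the Symfony 2 "custom authentication provider" Cookbook pattern. The sketch below is an added example written for this post and is not code from SecureApiBundle; the interface name `DeviceTokenUserProviderInterface`, the method `findByTokenAndDevice`, the `X-Auth-Token` and `X-Device` header names and the class names are all assumptions.

```php
<?php
// Added example, not SecureApiBundle code. Names below are assumptions:
// DeviceTokenUserProviderInterface, findByTokenAndDevice, DeviceToken,
// DeviceTokenProvider, DeviceTokenListener, X-Auth-Token, X-Device.
namespace Acme\SecureApiBundle\Security;

use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\GetResponseEvent;
use Symfony\Component\Security\Core\Authentication\AuthenticationManagerInterface;
use Symfony\Component\Security\Core\Authentication\Provider\AuthenticationProviderInterface;
use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\SecurityContextInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Http\Firewall\ListenerInterface;

// Contract for the user provider (the Doctrine UserRepository implements it).
// One user may own several Identities, one token per device.
interface DeviceTokenUserProviderInterface extends UserProviderInterface
{
    /** @return \Symfony\Component\Security\Core\User\UserInterface|null */
    public function findByTokenAndDevice($token, $device);
}

// Security token carrying the raw API token and the device identifier.
// Unauthenticated when created without roles, authenticated once the
// provider has resolved a user and passed its roles in.
class DeviceToken extends AbstractToken
{
    public $token;
    public $device;

    public function __construct(array $roles = array())
    {
        parent::__construct($roles);
        $this->setAuthenticated(count($roles) > 0);
    }

    public function getCredentials()
    {
        return $this->token;
    }
}

// Authentication provider: swaps the raw credentials for a user.
class DeviceTokenProvider implements AuthenticationProviderInterface
{
    private $userProvider;

    public function __construct(DeviceTokenUserProviderInterface $userProvider)
    {
        $this->userProvider = $userProvider;
    }

    public function authenticate(TokenInterface $token)
    {
        $user = $this->userProvider->findByTokenAndDevice($token->token, $token->device);
        if (null === $user) {
            // One generic failure for unknown token and unknown device alike,
            // so the response does not reveal which half was wrong.
            throw new AuthenticationException('Invalid API token.');
        }
        $authenticated = new DeviceToken($user->getRoles());
        $authenticated->setUser($user);
        $authenticated->token = $token->token;
        $authenticated->device = $token->device;
        return $authenticated;
    }

    public function supports(TokenInterface $token)
    {
        return $token instanceof DeviceToken;
    }
}

// Firewall listener: runs on every request of the secure-api firewall.
class DeviceTokenListener implements ListenerInterface
{
    private $securityContext;
    private $authenticationManager;

    public function __construct(SecurityContextInterface $securityContext,
                                AuthenticationManagerInterface $authenticationManager)
    {
        $this->securityContext = $securityContext;
        $this->authenticationManager = $authenticationManager;
    }

    public function handle(GetResponseEvent $event)
    {
        $request = $event->getRequest();
        $rawToken = $request->headers->get('X-Auth-Token');
        $device = $request->headers->get('X-Device');
        if (null === $rawToken || null === $device) {
            // No credentials sent: stay anonymous and let access_control decide.
            return;
        }
        $token = new DeviceToken();
        $token->token = $rawToken;
        $token->device = $device;
        try {
            $this->securityContext->setToken($this->authenticationManager->authenticate($token));
        } catch (AuthenticationException $e) {
            // Clear any token and reject the request without a session or redirect.
            $this->securityContext->setToken(null);
            $event->setResponse(new Response('', 401));
        }
    }
}
```

Because the listener sets the token from the request headers alone, no session cookie is involved, which is what makes the firewall stateless; the repository behind `findByTokenAndDevice` is the right place to look the token up in a way that does not depend on string comparison order (for example by matching a stored hash of the token), since that query runs on every request.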


11 reasons why I’ve chosen Scala

As you probably know, in the office I am a PHP developer. For the last few months I was looking for a second language that could give me fun and profit. It took time, but I think I now know that it is Scala.

A little history. A few months ago I started to learn Ruby and Rails. It was fun, but I started to feel lonely and afraid in code without interfaces, type hinting against an interface/class, and a DI container. It also got boring after some time: I was doing the same thing, typing the same structures, only the words were different.

After that my thinking shifted to Functional Programming, quite a hot topic on Hacker News and in the community. After some research I tried Clojure and learned that Lisp syntax is not my thing ;) But after that I knew that FP was the choice.

So Scala it is.

  1. Scala can be as functional as it is Object Oriented, so when learning new things I feel safe with good old objects
  2. It's statically typed. I like this and I'm a bit sad I can't do this in PHP ;)
  3. It takes a lot from Java, so when doing Scala I learn a bit about another environment.
  4. It's not yet another scripting language for web development …
  5. … but I can do Web
  6. I can finally get out of my thread and do something parallel ;)
  7. Play Framework
  8. Akka
  9. (Play) Non-blocking IO operations without JavaScript – IMHO a real (and much better) alternative to NodeJS
  10. LinkedIn and Twitter are using Scala/Play in production
  11. Good community support and courses on Coursera 1, 2

Now I'm writing simple scripts, watching presentations on YouTube and working through the "Programming with Scala" book. It's fun, and FP is really great for shifting your thinking about programming to another level.