我正在尝试阻止用户登录,他的状态为非活动状态。我正在将LexikJWT捆绑包使用API平台。
我已经尝试通过扩展JWTTokenAuthenticator-> checkCredentials来建立JWTAuthentication防护,但是问题是,在用户已经登录后,该方法可以正常工作。
我想要实现的是向用户返回一条消息,他需要首先激活他的帐户,或者返回任何其他消息,最好是在任何自定义条件下的任何自定义消息。
我的安全Yaml看起来像这样:
security:
encoders:
App\Entity\User:
algorithm: bcrypt
providers:
app_user_provider:
entity:
class: App\Entity\User
property: email
firewalls:
dev:
pattern: ^/_(profiler|wdt)
security: false
api:
pattern: ^/api/
stateless: true
anonymous: true
provider: app_user_provider
json_login:
check_path: /api/authentication_token
username_path: email
password_path: password
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure
guard:
authenticators:
- app.jwt_token_authenticator
main:
anonymous: true
access_control:
- { path: ^/api/authentication_token, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/graphql, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/public-api, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/, roles: [ROLE_MANAGER, ROLE_LEADER] }
- { path: ^/, roles: IS_AUTHENTICATED_ANONYMOUSLY }
服务:
services:
# default configuration for services in *this* file
_defaults:
autowire: true # Automatically injects dependencies in your services.
autoconfigure: true # Automatically registers your services as commands, event subscribers, etc.
# makes classes in src/ available to be used as services
# this creates a service per class whose id is the fully-qualified class name
App\:
resource: '../src/*'
exclude: '../src/{DependencyInjection,Entity,Migrations,Tests,Kernel.php}'
# controllers are imported separately to make sure services can be injected
# as action arguments even if you don't extend any base controller class
App\Controller\:
resource: '../src/Controller'
tags: ['controller.service_arguments']
# add more service definitions when explicit configuration is needed
# please note that last definitions always *replace* previous ones
gedmo.listener.softdeleteable:
class: Gedmo\SoftDeleteable\SoftDeleteableListener
tags:
- { name: doctrine.event_subscriber, connection: default }
calls:
- [ setAnnotationReader, [ '@annotation_reader' ] ]
acme_api.event.authentication_success_listener:
class: App\EventListener\AuthenticationSuccessListener
tags:
- { name: kernel.event_listener, event: lexik_jwt_authentication.on_authentication_success, method: onAuthenticationSuccessResponse }
app.jwt_token_authenticator:
autowire: false
autoconfigure: false
class: App\Security\Guard\JWTTokenAuthenticator
parent: lexik_jwt_authentication.security.guard.jwt_token_authenticator
'App\Serializer\ApiNormalizer':
decorates: 'api_platform.serializer.normalizer.item'
arguments: ['@App\Serializer\ApiNormalizer.inner', '@doctrine.orm.entity_manager']
'App\Serializer\HydraApiNormalizer':
decorates: 'api_platform.jsonld.normalizer.item'
arguments: ['@App\Serializer\ApiNormalizer.inner', '@doctrine.orm.entity_manager']
'App\Voter\ModifyUserVoter':
public: false
tags:
- { name: security.voter }
授权者保护
class JWTTokenAuthenticator extends BaseAuthenticator
{
/**
* {@inheritdoc}
*/
public function checkCredentials($credentials, UserInterface $user)
{
if (!$user->getRoles() || !in_array($user->getRoles()[0], ['ROLE_MANAGER', 'ROLE_LEADER'])) {
throw new UnauthorizedHttpException(rand(10000, 99999), 'Unauthorized');
}
if (!$user->getStatus() != "active") {
throw new UnauthorizedHttpException(rand(10000, 99999), 'Unauthorized');
}
return true;
}
}
[在解释解决方案时,请以我为symfony新手。
谢谢!
通过在用户实体上实现AdvancedUserInterface而不是UserInterface并向isEnabled()添加逻辑,我设法实现了所需的目标>