SessionAuthenticator

Author: tatevikg1

composer.json

@@ -50,6 +50,7 @@
         "phplist/core": "dev-main",
         "symfony/twig-bundle": "^6.4",
         "symfony/webpack-encore-bundle": "^2.2",
+        "symfony/security-bundle": "^6.4",
         "tatevikgr/rest-api-client": "dev-ISSUE-357"
     },
     "require-dev": {
@@ -107,7 +108,8 @@
         "symfony-tests-dir": "tests",
         "phplist/core": {
             "bundles": [
-                "PhpList\\WebFrontend\\PhpListFrontendBundle"
+                "PhpList\\WebFrontend\\PhpListFrontendBundle",
+                "Symfony\\Bundle\\SecurityBundle\\SecurityBundle"
             ],
             "routes": {
                 "rest-api": {

config/packages/framework.yaml

@@ -3,3 +3,8 @@ framework:
     http_method_override: false
     php_errors:
         log: true
+    session:
+        enabled: true
+        handler_id: null
+        cookie_secure: auto
+        cookie_samesite: lax

config/packages/security.yaml

@@ -0,0 +1,19 @@
+security:
+  enable_authenticator_manager: true
+
+  providers:
+    # Minimal provider; authenticator builds the user from the session token
+    in_memory: { memory: null }
+
+  firewalls:
+    main:
+      pattern: ^/
+      lazy: true
+      provider: in_memory
+      custom_authenticators:
+        - PhpList\WebFrontend\Security\SessionAuthenticator
+      entry_point: PhpList\WebFrontend\Security\SessionAuthenticator
+
+  access_control:
+    - { path: ^/login, roles: PUBLIC_ACCESS }
+    - { path: ^/, roles: ROLE_ADMIN }

src/Attribute/PublicRoute.php

@@ -7,7 +7,6 @@
 use Exception;
 use GuzzleHttp\Exception\GuzzleException;
 use PhpList\RestApiClient\Endpoint\AuthClient;
-use PhpList\WebFrontend\Attribute\PublicRoute;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -22,7 +21,6 @@ public function __construct(AuthClient $apiClient)
         $this->apiClient = $apiClient;
     }
 
-    #[PublicRoute]
     #[Route('/login', name: 'login', methods: ['GET', 'POST'])]
     public function login(Request $request): Response
     {
@@ -66,7 +64,6 @@ public function login(Request $request): Response
     }
 
     #[Route('/logout', name: 'logout')]
-    #[PublicRoute]
     public function logout(Request $request): Response
     {
         $request->getSession()->remove('auth_token');

src/Controller/AuthController.php

@@ -0,0 +1,74 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpList\WebFrontend\EventSubscriber;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpKernel\Event\RequestEvent;
+use Symfony\Component\HttpKernel\KernelEvents;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+
+/**
+ * Temporary auth gate until Symfony SecurityBundle is active at runtime.
+ *
+ * Redirects all anonymous requests to the login page, except explicitly public paths.
+ */
+class AuthGateSubscriber implements EventSubscriberInterface
+{
+    public function __construct(private readonly UrlGeneratorInterface $urlGenerator)
+    {
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        // Run early in the request, after routing is available is not required here
+        return [
+            KernelEvents::REQUEST => ['onKernelRequest', 8],
+        ];
+    }
+
+    public function onKernelRequest(RequestEvent $event): void
+    {
+        if (!$event->isMainRequest()) {
+            return;
+        }
+
+        $request = $event->getRequest();
+        if ($this->isPublicPath($request)) {
+            return;
+        }
+
+        $session = $request->getSession();
+        if (!$session || !$session->has('auth_token')) {
+            $loginUrl = $this->urlGenerator->generate('login');
+            $event->setResponse(new RedirectResponse($loginUrl));
+        }
+    }
+
+    private function isPublicPath(Request $request): bool
+    {
+        $path = $request->getPathInfo() ?? '/';
+
+        // Public login route
+        if ($path === '/login' || str_starts_with($path, '/login')) {
+            return true;
+        }
+
+        // Allow Symfony debug/profiler and WDT if present
+        if (str_starts_with($path, '/_profiler') || str_starts_with($path, '/_wdt')) {
+            return true;
+        }
+
+        // Allow static assets commonly served under these prefixes
+        foreach (['/build/', '/assets/', '/css/', '/js/', '/images/', '/img/', '/favicon', '/robots.txt'] as $prefix) {
+            if (str_starts_with($path, $prefix)) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+}

src/EventSubscriber/AuthGateSubscriber.php

@@ -0,0 +1,66 @@
+<?php
+
+declare(strict_types=1);
+
+namespace PhpList\WebFrontend\Security;
+
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Generator\UrlGeneratorInterface;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Http\Authenticator\AbstractAuthenticator;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+
+class SessionAuthenticator extends AbstractAuthenticator
+{
+    public function __construct(private readonly UrlGeneratorInterface $urlGenerator)
+    {
+    }
+
+    public function supports(Request $request): ?bool
+    {
+        $path = $request->getPathInfo();
+        if (str_starts_with($path, '/login')) {
+            return false;
+        }
+
+        return true;
+    }
+
+    public function authenticate(Request $request): Passport
+    {
+        $session = $request->getSession();
+
+        if ($session->has('auth_token')) {
+            // Build a simple user granted ROLE_ADMIN when a session token exists
+            $userBadge = new UserBadge('session-user', function (): InMemoryUser {
+                return new InMemoryUser('session-user', '', ['ROLE_ADMIN']);
+            });
+
+            return new SelfValidatingPassport($userBadge);
+        }
+
+        throw new AuthenticationException('No auth token in session');
+    }
+
+    public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
+    {
+        return null;
+    }
+
+    public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
+    {
+        return $this->start($request, $exception);
+    }
+
+    public function start(Request $request, AuthenticationException $authException = null): Response
+    {
+        $loginUrl = $this->urlGenerator->generate('login');
+        return new RedirectResponse($loginUrl);
+    }
+}