1
votes

I am trying to set up session-based authentication instead of the JWT that I currently use, because I don't want to store the JWT token in local storage.

I have managed to authenticate myself using this guide https://symfony.com/doc/current/security/json_login_setup.html and get response data about the user.

But on further requests to any endpoint I get 401 Unauthorized.

This is my security.yaml:

security:
    encoders:
        App\Entity\User:
            algorithm: bcrypt
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/_(profiler|wdt)
            security: false
        api:
            pattern: ^/api/
            stateless: true
            anonymous: true
            provider: app_user_provider
            json_login:
                check_path: /api/login
                username_path: email
                password_path: password
                #success_handler: lexik_jwt_authentication.handler.authentication_success
                #failure_handler: lexik_jwt_authentication.handler.authentication_failure

            #guard:
            #   authenticators:
            #      - lexik_jwt_authentication.jwt_token_authenticator
        main:
            anonymous: true
    access_control:
        - { path: ^/api/authentication_token,   roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/graphql,                roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/form/,                  roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/,                       roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/,                           roles: IS_AUTHENTICATED_ANONYMOUSLY }

In the official API Platform documentation there is no mention of using session-based login, which I find odd.

Thank you

The first question is why do you want to use sessions in an API? Basically APIs are supposed to be stateless: each request is independent of the others and is authenticated separately. API Platform is designed for building REST APIs and thus follows that rule. - Vokiel
So instead of keeping a token you came up with an idea to keep a session id instead? ;) Sounds familiar? - emix
@emix According to the internet, sessions are somehow more resistant to XSS attacks, and storing a JWT in local storage is not recommended. It's safe as long as I don't use a third-party script, but as soon as there is a third-party script from a remote source it becomes vulnerable. I am new to this topic, but from my research storing a JWT in the browser is considered bad practice; if it were some mobile/desktop/backend (Java/PHP/...) app that requests data from the API with some secure storage, it would be safe to use a JWT. - Erik Kubica
JWT tokens should be refreshed once in a while. See this. Who steals tokens anyway? ;) It's all about phishing these days. - emix
@ErikKubica you authorize the user once, generate the JWT, then the user uses it multiple times without re-generating it after every request. If you have a frontend application, then you can create the JWT on login and invalidate it on logout. Also, to make it more secure and attack-proof you can embed the user's IP into the token, so even in case of a MITM attack it would be useless. Of course, having SSL/TLS is a must ;-) - Vokiel

1 Answer

2
votes

You need to remove stateless: true or change it to stateless: false.

The stateless configuration parameter prevents Symfony from trying to store the authentication information in the session.

All else looks good to me; however, if this does not solve your issue, can you add any message that is returned with the 401 response code to your question?
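As an added example (not part of the question or the answer above), this is the same firewall with the single line the answer points at changed, plus the session cookie settings that matter once the session cookie, rather than a bearer token, is the credential. The logout entry, the /api/logout path and the framework.yaml session block are my additions and are not in the original post; everything else is copied from the question's configuration.

```yaml
# config/packages/security.yaml (added example; only `stateless` and `logout` differ from the question)
security:
    encoders:
        App\Entity\User:
            algorithm: bcrypt
    providers:
        app_user_provider:
            entity:
                class: App\Entity\User
                property: email
    firewalls:
        dev:
            pattern: ^/_(profiler|wdt)
            security: false
        api:
            pattern: ^/api/
            # Was `true`. With `stateless: true` Symfony never writes the token to the
            # session, so every request after /api/login arrives unauthenticated: 401.
            stateless: false
            anonymous: true
            provider: app_user_provider
            json_login:
                check_path: /api/login
                username_path: email
                password_path: password
            # Assumed addition: a logout route so the server-side session is actually
            # invalidated instead of only the browser forgetting the cookie.
            logout:
                path: /api/logout
        main:
            anonymous: true
    access_control:
        - { path: ^/api/authentication_token,   roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/graphql,                roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/form/,                  roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/,                       roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/,                           roles: IS_AUTHENTICATED_ANONYMOUSLY }

---
# config/packages/framework.yaml (added example). The session cookie now carries the
# authentication, so give it the flags a bearer token in local storage cannot have.
framework:
    session:
        cookie_secure: auto       # Secure flag whenever the request came in over HTTPS
        cookie_httponly: true     # not readable by page scripts, which is the XSS concern raised in the comments
        cookie_samesite: lax      # not sent on cross-site POSTs; use `strict` if the frontend is same-site
```

To check the change, log in with curl using a cookie jar (curl -c cookies.txt) and then repeat a request to a protected /api/ endpoint with -b cookies.txt; with stateless: false the second request should return 200 instead of 401. Because the cookie is sent automatically by the browser, CSRF protection on state-changing endpoints becomes the client's responsibility in a way it was not with a bearer token, which is what the cookie_samesite setting addresses.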