# Symfony security configuration: user providers, firewalls, password
# encoders, the role hierarchy and path-based access control.
security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        # Provider behind the "main" firewall (form_login, guard, remember_me
        # and switch_user all point at it): FOSUserBundle lookup by username
        # or e-mail.
        fos_userbundle:
            id: fos_user.user_provider.username_email
        # NOTE(review): no firewall in this file references in_memory or
        # entity_provider; they look like leftovers — confirm before removing.
        in_memory: { memory: ~ }
        entity_provider:
            entity:
                class: App\Entity\User
                property: username
        # Provider behind the "api" firewall (API-key authentication).
        api_key_user_provider:
            id: App\Security\ApiKeyUserProvider
    firewalls:
        # Profiler, web debug toolbar and static assets: the security layer is
        # bypassed entirely for these paths.
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        ## API WITH JWT AUTH (login/password)
        # Kept for reference only: these JWT (lexik) firewalls are disabled;
        # the active "api" firewall below authenticates with an API key.
        # login:
        #     pattern:  ^/api/login
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     form_login:
        #         check_path:               /api/login_check
        #         success_handler:          lexik_jwt_authentication.handler.authentication_success
        #         failure_handler:          lexik_jwt_authentication.handler.authentication_failure
        #         require_previous_session: false
        # api:
        #     pattern:  ^/api/
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     guard:
        #         authenticators:
        #             - lexik_jwt_authentication.jwt_token_authenticator
        # Stateless API firewall. The pattern has no trailing slash, so it
        # also matches paths such as /api-docs or /apikeys; the disabled JWT
        # variant above used ^/api/ — confirm which is intended.
        api:
            pattern:  ^/api
            stateless: true
            # anonymous: true lets unauthenticated requests reach /api (the API
            # doc). Set it to false to require the API key on every /api route.
            # Note that the only access_control rule matching /api is the
            # anonymous ^/.* catch-all at the bottom of this file, so this flag
            # is what keeps anonymous API access open.
            anonymous: true
            guard:
                authenticators:
                    - App\Security\ApiKeyAuthenticator
                provider: api_key_user_provider
        # Browser-facing firewall for every path not matched above.
        main:
            pattern: ^/
            # Classic login form on the FOSUserBundle routes, CSRF-protected,
            # with a custom post-login redirect handler.
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                csrf_token_generator: security.csrf.token_manager
                success_handler: redirect.after.login
            logout:
                path: fos_user_security_logout
                target: index
            anonymous: true
            # Guard authenticators: e-mail token login and the regular login
            # authenticator, which is also the entry point unauthenticated
            # users are sent to.
            guard:
                authenticators:
                    - App\Security\EmailTokenAuthenticator
                    - App\Security\LoginAuthenticator
                provider: fos_userbundle
                entry_point: App\Security\LoginAuthenticator
            # Persistent "remember me" cookie. always_remember_me: true means
            # the cookie is issued on every successful login, without a
            # checkbox; lifetime is in seconds (604800 = 7 days). secure: true
            # and samesite: strict keep it HTTPS-only and off cross-site
            # requests. domain: ~ (null) leaves the cookie domain to the
            # framework default.
            remember_me:
                secret:         "%kernel.secret%"
                lifetime:       604800
                path:           /
                domain:         ~
                user_provider:  fos_userbundle
                always_remember_me: true
                name: KOHINOSREMEMBERME
                secure: true
                samesite: strict
            # Security context name (no other firewall in this file shares it).
            context: mlc_context
            # User impersonation; only roles inheriting ROLE_ALLOWED_TO_SWITCH
            # (see role_hierarchy) can use it.
            switch_user:
                provider: fos_userbundle
            # Custom handlers: 403 rendering and pre/post-auth user checks
            # (e.g. disabled accounts — see App\Security\UserChecker).
            access_denied_handler: App\Security\AccessDeniedHandler
            user_checker: App\Security\UserChecker
        
    encoders:
        FOS\UserBundle\Model\UserInterface:
            # Use native password encoder
            # This value auto-selects the best possible hashing algorithm
            # (i.e. Sodium / Bcrypt when available).
            algorithm: auto

    # Roles inherit transitively: every business role implies ROLE_USER, the
    # admin roles additionally imply ROLE_ADMIN (and through it
    # ROLE_SONATA_ADMIN). ROLE_SUPER_ADMIN is the only role that also carries
    # ROLE_ALLOWED_TO_SWITCH (impersonation) and ROLE_API.
    role_hierarchy:
        ROLE_API:               ROLE_USER
        ROLE_ADHERENT:          ROLE_USER
        ROLE_PRESTATAIRE:       ROLE_USER
        ROLE_CAISSIER:          ROLE_USER
        ROLE_ADMIN_SIEGE:       [ROLE_USER, ROLE_ADMIN]
        ROLE_REDACTEUR:         [ROLE_USER, ROLE_ADMIN]
        ROLE_TRESORIER:         [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTROLEUR:        [ROLE_USER, ROLE_ADMIN]
        ROLE_GESTION_GROUPE:    [ROLE_USER, ROLE_ADMIN]
        ROLE_COMPTOIR:          [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTACT:           [ROLE_USER, ROLE_ADMIN]
        ROLE_ADMIN:             [ROLE_USER, ROLE_SONATA_ADMIN]
        # Remove ROLE_ALLOWED_TO_SWITCH to disable impersonating users from ADMIN
        ROLE_SUPER_ADMIN:       [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ROLE_API]

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used,
    # so order matters: keep the specific rules above the ^/.* catch-all.
    access_control:
        #
        # @TODO : Improve access control !
        #
        # Admin login page needs to be accessed without credential
        # (these rules are disabled; presumably the admin area is entered
        # through the main firewall's /login form instead — confirm)
        # - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # No requires_channel on this rule, unlike every rule below, so GDPR
        # routes are not forced onto SECURE_SCHEME — confirm this is intended.
        - { path: ^/gdpr/, role: [ROLE_SUPER_ADMIN] }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }
        # KOHINOS : deactivate register from FOSUserBundle !
        # (registration is restricted to ROLE_ADMIN rather than removed)
        - { path: ^/register, role: ROLE_ADMIN, requires_channel: '%env(SECURE_SCHEME)%' }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }
        # Secured part of the site
        # This config requires being logged for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        - { path: ^/admin/, role: [ROLE_ADMIN], requires_channel: '%env(SECURE_SCHEME)%' }
        # Uncomment the ^/api rule to require ROLE_API on every API route (this
        # disables the API doc for anonymous users). It must stay above the
        # ^/.* catch-all; while commented, /api falls through to that
        # anonymous rule.
        # - { path: '^/api', roles: ROLE_API }
        # Catch-all: anything not matched above is reachable anonymously, but
        # only over SECURE_SCHEME.
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY, requires_channel: '%env(SECURE_SCHEME)%' }