security.yaml

# security:
#     # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
#     providers:
#         in_memory: { memory: ~ }
#     firewalls:
#         dev:
#             pattern: ^/(_(profiler|wdt)|css|images|js)/
#             security: false
#         main:
#             anonymous: true

#             # activate different ways to authenticate

#             # http_basic: true
#             # https://symfony.com/doc/current/security.html#a-configuring-how-your-users-will-authenticate

#             # form_login: true
#             # https://symfony.com/doc/current/security/form_login_setup.html

#     # Easy way to control access for large sections of your site
#     # Note: Only the *first* access control that matches will be used
#     access_control:
#         # - { path: ^/admin, roles: ROLE_ADMIN }
#         # - { path: ^/profile, roles: ROLE_USER }

security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        fos_userbundle:
            id: fos_user.user_provider.username_email
        in_memory: { memory: ~ }
        entity_provider:
            entity:
                class: App\Entity\User
                property: username
        api_key_user_provider:
            id: App\Security\ApiKeyUserProvider
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        # -> custom firewall for the admin area of the URL
        # admin:
        #     pattern:            /admin(.*)
        #     form_login:
        #         provider:       fos_userbundle
        #         login_path:     fos_user_security_login
        #         check_path:     /admin/login_check
        #         use_forward:    false
        #         failure_path:   null
        #         success_handler: redirect.after.login
        #     logout:
        #         path:           /admin/logout
        #         target:         /admin/login
        #     anonymous:          true
        #     switch_user:
        #         provider: fos_userbundle
        #     context: mlc_context
            # access_denied_handler: App\Security\AccessDeniedHandler
         # -> end custom configuration
        
        # login:
        #     pattern:  ^/api/login
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     form_login:
        #         check_path:               /api/login_check
        #         success_handler:          lexik_jwt_authentication.handler.authentication_success
        #         failure_handler:          lexik_jwt_authentication.handler.authentication_failure
        #         require_previous_session: false
        # api:
        #     pattern:  ^/api/
        #     stateless: true
        #     anonymous: true
        #     provider: api_key_user_provider
        #     guard:
        #         authenticators:
        #             - lexik_jwt_authentication.jwt_token_authenticator
        api:
            pattern:  ^/api
            stateless: true
            # can be set to false to disabled API doc available for anonymous user !
            anonymous: true
            guard:
                authenticators:
                    - App\Security\ApiKeyAuthenticator
                provider: api_key_user_provider
        main:
            pattern: ^/
            form_login:
                provider: fos_userbundle
                login_path: fos_user_security_login
                check_path: fos_user_security_check
                csrf_token_generator: security.csrf.token_manager
                success_handler: redirect.after.login
            logout:
                path: fos_user_security_logout
                target: index
            anonymous: true
            guard:
                authenticators:
                    - App\Security\EmailTokenAuthenticator
                provider: fos_userbundle
            remember_me:
                secret:         "%kernel.secret%"
                lifetime:       31536000
                path:           /
                domain:         ~
                user_provider:  fos_userbundle
                always_remember_me: true
            context: mlc_context
            switch_user:
                provider: fos_userbundle
            # access_denied_handler: App\Security\AccessDeniedHandler
       
    encoders:
        # FOS\UserBundle\Model\UserInterface: bcrypt
        FOS\UserBundle\Model\UserInterface:
            # Use native password encoder
            # This value auto-selects the best possible hashing algorithm
            # (i.e. Sodium when available).
            algorithm: auto

    role_hierarchy:
        ROLE_API:               ROLE_USER
        ROLE_ADHERENT:          ROLE_USER
        ROLE_PRESTATAIRE:       ROLE_USER
        ROLE_ADMIN_SIEGE:       [ROLE_USER, ROLE_ADMIN]
        ROLE_REDACTEUR:         [ROLE_USER, ROLE_ADMIN]
        ROLE_TRESORIER:         [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTROLEUR:        [ROLE_USER, ROLE_ADMIN]
        ROLE_GESTION_GROUPE:    [ROLE_USER, ROLE_ADMIN]
        ROLE_COMPTOIR:          [ROLE_USER, ROLE_ADMIN]
        ROLE_CONTACT:           [ROLE_USER, ROLE_ADMIN]
        ROLE_ADMIN:             [ROLE_USER, ROLE_SONATA_ADMIN]
        ROLE_SUPER_ADMIN:       [ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH, ROLE_API]

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        # 
        # @TODO : better access control !
        # 
        # Admin login page needs to be accessed without credential
        # - { path: ^/admin/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/logout$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/login_check$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # - { path: ^/admin/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # Secured part of the site
        # This config requires being logged for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        # - { path: ^/admin/, role: [ROLE_SUPER_ADMIN, ROLE_SONATA_ADMIN, ROLE_ADMIN_SIEGE, ROLE_REDACTEUR, ROLE_TRESORIER, ROLE_CONTROLEUR, ROLE_GESTION_GROUPE, ROLE_COMPTOIR, ROLE_CONTACT] }
        - { path: ^/admin/, role: [ROLE_ADMIN] }
        # Bottom line can be uncommented to disabled API doc available for anonymous user !
        # - { path: '^/api', roles: ROLE_API }
        - { path: ^/.*, role: IS_AUTHENTICATED_ANONYMOUSLY }