Let's say I have an invoice entity. An invoice belongs to some user (invoices.user_id).
If the user enters myapp.com/invoices/1, he needs to sign in to gain access to his invoice. That's pretty normal.
Sometimes invoices.user_id is null (the invoice owner doesn't have an account in our system), but we have an invoices.phone_number column.
The goal is to create an authentication system based on SMS code verification for users that don't have an account in our system. If the user confirms that he indeed owns the phone number related to the invoice (code verification), I want to grant him temporary access (15 min) to this invoice details page (and only this page).
My first idea was to use a JWT token stored in the session.
My second idea was to use a custom firewall.
Is there any better approach?
Scroll to the Security section in the Home pane, and then double-click Authentication. In the Authentication pane, select Anonymous Authentication, and then click Disable in the Actions pane.
Authentication and authorization are two vital information security processes that administrators use to protect systems and information. Authentication verifies the identity of a user or service, and authorization determines their access rights.
In simple terms, authentication is the process of verifying who a user is, while authorization is the process of verifying what they have access to. Comparing these processes to a real-world example, when you go through security in an airport, you show your ID to authenticate your identity.
Authentication is a process by which you provide proofs that you are who you claim to be. Authorization is granting you valid permissions.
Create a kernel.request listener. This way you can act before anything is executed, and the whole application is oblivious to the fact that the user can be logged out at any minute.
Call a "service" which will validate the token. If the token is not valid, clear authentication status and override the request. For instance, redirect the user to a "you need to pay again" page.
This way you don't need to modify any code, execute any voters and so on, your whole application can be protected.
As for the authentication itself, go for a custom guard, where you can fully control how the authentication process will work.
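The kernel.request listener described in the answer, written out as an added example (not code from the answer's author). It assumes a Symfony 5.3+ app, a session key named `sms_invoice_grant`, an `invoice_show` route for `/invoices/{id}`, and an `invoice_sms_expired` route to redirect to; all of these names are placeholders.

```php
<?php
namespace App\EventSubscriber;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\RedirectResponse;
use Symfony\Component\HttpFoundation\Session\SessionInterface;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Routing\Generator\UrlGeneratorInterface;

/** Enforces the 15-minute, single-invoice grant issued after SMS code verification. */
final class SmsInvoiceGrantSubscriber implements EventSubscriberInterface
{
    public const SESSION_KEY = 'sms_invoice_grant'; // assumed session key
    public const TTL_SECONDS = 15 * 60;

    public function __construct(private readonly UrlGeneratorInterface $urls) {}

    public static function getSubscribedEvents(): array
    {
        // Priority 7: after the router (32) has set _route and the firewall (8) has run,
        // but still before any controller executes.
        return [KernelEvents::REQUEST => ['onKernelRequest', 7]];
    }

    /** Called by the SMS verification controller once the code matched the invoice's phone number. */
    public static function issue(SessionInterface $session, int $invoiceId): void
    {
        $session->set(self::SESSION_KEY, ['invoice_id' => $invoiceId, 'expires_at' => time() + self::TTL_SECONDS]);
    }

    /** True only if an unexpired grant exists for exactly this invoice id. */
    public static function allows(SessionInterface $session, int $invoiceId): bool
    {
        $g = $session->get(self::SESSION_KEY);
        return is_array($g) && $g['invoice_id'] === $invoiceId && $g['expires_at'] > time();
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$request->hasSession() || $request->attributes->get('_route') !== 'invoice_show') {
            return; // only the invoice details page (assumed route name) is covered by the grant
        }
        $session = $request->getSession();
        if (!$session->has(self::SESSION_KEY) || self::allows($session, (int) $request->attributes->get('id'))) {
            return; // no grant present (normal firewall decides) or a valid grant: let the controller run
        }
        // Expired, or issued for a different invoice: revoke it and override the request before the controller runs.
        $session->remove(self::SESSION_KEY);
        $event->setResponse(new RedirectResponse($this->urls->generate('invoice_sms_expired')));
    }
}
```

The invoice controller should accept the request when either the firewall-authenticated user owns the invoice or `allows()` returns true for that invoice id, so the grant never opens any other page.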