Closed danielrhodeswarp closed 1 year ago
It actually should say "your firewall has to be stateful". Thanks for pointing that out.
@danielrhodeswarp Hi, Daniel. Does your attached security config work well with LexikJWT?
Hello @zeromodule
Yes, the security config in this issue thread is working well with LexikJWT. And, as Mr. Scheb points out - it's only the login firewall that needs `stateless: false`.
@danielrhodeswarp do you use API Platform? I do, and I can't force it to send a session cookie on login. `stateless: false` in the firewall and `defaults -> stateless: false` in the config/packages/api_platform.yaml don't help. I can't find any working example of the combination of API Platform and these two bundles (LexikJWT and Scheb2FA)...
So, I finally managed to solve it. The problem was that, in the API Platform distribution, sessions are explicitly disabled in the framework.yaml (the whole section is commented):

```yaml
# session:
#     handler_id: null
#     cookie_secure: auto
#     cookie_samesite: lax
#     storage_factory_id: session.storage.factory.native
```
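As an added illustration (not the issue author's attached security.yaml, and not taken from the bundle's own docs), here is the split the thread describes: the session block re-enabled in framework.yaml, the `login` firewall stateful so the 2FA state survives between the password step and the code step, and the `api` firewall left stateless so it never issues a session cookie. Assumed, not from the thread: a single user provider configured elsewhere, routes at `/api/login_check` and `/api/2fa_check`, and `ROLE_USER` as the API role.

```yaml
# config/packages/framework.yaml
# Sessions must be enabled, otherwise Scheb 2FA has nowhere to keep the
# "two-factor in progress" token between the two login steps.
framework:
    session:
        handler_id: null          # use the native PHP session handler
        cookie_secure: auto
        cookie_samesite: lax

# config/packages/security.yaml
security:
    firewalls:
        login:
            # Only this firewall is stateful: it covers the password step and
            # the 2FA code step, both of which need the session.
            pattern: ^/api/(login_check|2fa_check)$
            stateless: false
            json_login:
                check_path: /api/login_check
                username_path: email
                password_path: password
                # Lexik issues the JWT once authentication fully succeeds
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
            two_factor:
                check_path: /api/2fa_check   # assumed route for submitting the code
                auth_form_path: /api/2fa_check
        api:
            # Stateless: requests carry the JWT; no session cookie is sent back,
            # which is the unwanted cookie the issue author wanted to avoid.
            pattern: ^/api
            stateless: true
            jwt: ~

    access_control:
        - { path: ^/api/login_check, roles: PUBLIC_ACCESS }
        # Only a user who passed the password step may submit a 2FA code
        - { path: ^/api/2fa_check,   roles: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        - { path: ^/api,             roles: ROLE_USER }
```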
Description
OK, this is obviously not a bug, but there's something that troubles the pedantic side of me in the doc page for API integration:
https://symfony.com/bundles/SchebTwoFactorBundle/5.x/api.html
It says "your API has to be stateful (`stateless: false`) in the firewall configuration". This is correct, but - for me with my configuration - slightly unclear. I have both a 'login' firewall and the actual 'api' firewall. And my first factor way to sign in is using JWTs with the Lexik bundle.

I only have to use `stateless: false` on my login firewall (see below) for Scheb 2FA to work. When I first read "your API has to be stateful (`stateless: false`) in the firewall configuration" I imagined I had to put `stateless: false` on both firewalls. Maybe I am being dopey! But I just wanted to point out something that confused me.

(I can indeed set `stateless: false` on the api firewall too, and it still works, but it sends an unwanted cookie that I'd rather not send.)

Additional Context
SECURITY.YAML