security: # https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords password_hashers: App\Entity\User: 'auto' Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto' # https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider providers: app_user_provider: entity: class: App\Entity\User property: username firewalls: dev: # Ensure dev tools and static assets are always allowed pattern: ^/(_profiler|_wdt|assets|build)/ security: false login: pattern: ^/login_check stateless: true provider: app_user_provider json_login: check_path: /login_check username_path: username password_path: password success_handler: lexik_jwt_authentication.handler.authentication_success failure_handler: lexik_jwt_authentication.handler.authentication_failure api: pattern: ^/ stateless: true provider: app_user_provider jwt: ~ logout: path: /api/logout target: /login enable_csrf: false delete_cookies: BEARER: path: / # Activate different ways to authenticate: # https://symfony.com/doc/current/security.html#the-firewall # https://symfony.com/doc/current/security/impersonating_user.html # switch_user: true # Note: Only the *first* matching rule is applied access_control: # Login JWT - { path: ^/login_check, roles: PUBLIC_ACCESS } # Liste des users en lecture publique - { path: ^/api/users, roles: PUBLIC_ACCESS, methods: [GET] } # Doc API (swagger) en public - { path: ^/api/docs, roles: PUBLIC_ACCESS } # Tout le reste nécessite un JWT - { path: ^/, roles: IS_AUTHENTICATED_FULLY } when@test: security: password_hashers: # Password hashers are resource-intensive by design to ensure security. # In tests, it's safe to reduce their cost to improve performance. Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: algorithm: auto cost: 4 # Lowest possible value for bcrypt time_cost: 3 # Lowest possible value for argon memory_cost: 10 # Lowest possible value for argon