mirror of
https://github.com/kevinpapst/kimai2.git
synced 2025-05-09 03:20:14 +00:00
95f15e6c88
* deactivate deprecation logging in prod for now * fix several deprecations * enable CSRF for logout * allow more twig methods and functions in InvoiceSecurity policy
110 lines
3.4 KiB
YAML
110 lines
3.4 KiB
YAML
security:
|
|
password_hashers:
|
|
App\Entity\User: auto
|
|
|
|
providers:
|
|
chain_provider:
|
|
chain:
|
|
providers: [kimai_internal,kimai_ldap]
|
|
kimai_internal:
|
|
entity:
|
|
class: App\Entity\User
|
|
kimai_ldap:
|
|
id: App\Ldap\LdapUserProvider
|
|
|
|
firewalls:
|
|
dev:
|
|
pattern: ^/(_(profiler|wdt)|css|images|js)/
|
|
security: false
|
|
|
|
api:
|
|
request_matcher: App\API\Authentication\ApiRequestMatcher
|
|
user_checker: App\Security\UserChecker
|
|
stateless: true
|
|
remember_me: false
|
|
provider: chain_provider
|
|
custom_authenticators:
|
|
- App\API\Authentication\TokenAuthenticator
|
|
|
|
secured_area:
|
|
kimai_ldap: ~
|
|
pattern: ^/
|
|
user_checker: App\Security\UserChecker
|
|
stateless: false
|
|
|
|
entry_point: form_login
|
|
|
|
custom_authenticators:
|
|
- App\API\Authentication\SessionAuthenticator
|
|
- App\Saml\SamlAuthenticator
|
|
|
|
remember_me:
|
|
secret: '%kernel.secret%'
|
|
lifetime: 604800
|
|
path: /
|
|
always_remember_me: true
|
|
|
|
# activate all configured user provider
|
|
provider: chain_provider
|
|
|
|
form_login:
|
|
check_path: security_check
|
|
login_path: login
|
|
enable_csrf: true
|
|
|
|
two_factor:
|
|
auth_form_path: 2fa_login
|
|
check_path: 2fa_login_check
|
|
remember_me_sets_trusted: true
|
|
|
|
logout:
|
|
path: logout
|
|
target: homepage
|
|
enable_csrf: true
|
|
|
|
login_throttling:
|
|
max_attempts: 5
|
|
interval: '5 minutes'
|
|
|
|
login_link:
|
|
check_route: link_login_check
|
|
signature_properties: ['id']
|
|
lifetime: 300
|
|
max_uses: 1
|
|
|
|
access_decision_manager:
|
|
strategy: unanimous
|
|
allow_if_all_abstain: false
|
|
|
|
role_hierarchy:
|
|
ROLE_USER: ~
|
|
ROLE_TEAMLEAD: ROLE_USER
|
|
ROLE_ADMIN: ROLE_TEAMLEAD
|
|
ROLE_SUPER_ADMIN: ROLE_ADMIN
|
|
|
|
access_control:
|
|
- { path: '^/auth/2fa', role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
|
|
- { path: '^/auth', roles: PUBLIC_ACCESS }
|
|
- { path: '^/(%app_locales%)$', role: PUBLIC_ACCESS }
|
|
- { path: '^/(%app_locales%)/auth', role: PUBLIC_ACCESS }
|
|
- { path: '^/(%app_locales%)/login', role: PUBLIC_ACCESS }
|
|
- { path: '^/(%app_locales%)/register', role: PUBLIC_ACCESS }
|
|
- { path: '^/(%app_locales%)/resetting', role: PUBLIC_ACCESS }
|
|
- { path: '^/(%app_locales%)/', roles: ROLE_USER }
|
|
- { path: '^/api', roles: IS_AUTHENTICATED_REMEMBERED }
|
|
|
|
when@test:
|
|
# this configuration simplifies testing URLs protected by the security mechanism
|
|
# See https://symfony.com/doc/current/cookbook/testing/http_authentication.html
|
|
security:
|
|
password_hashers:
|
|
App\Entity\User:
|
|
algorithm: auto
|
|
# see https://github.com/symfony/recipes/pull/1026
|
|
cost: 4 # Lowest possible value for bcrypt
|
|
time_cost: 3 # Lowest possible value for argon
|
|
memory_cost: 10 # Lowest possible value for argon
|
|
|
|
firewalls:
|
|
secured_area:
|
|
http_basic: ~
|