Chapters

39 Chapters | 4:45:13 |

01

Hello API Security + API Docs on Production?

8:55
02

API Auth 101: Session? Cookies? Tokens?

4:05
03

Login with json_login

6:27
04

Authentication Errors

5:55
05

Login Success & the Session

4:28
06

On Authentication Success

7:40
07

Logout & Passing API Data to JS on Page Load

8:49
08

SameSite Cookies & CSRF Attacks

8:06
09

ApiResource access_control

6:03
10

Bootstrapping a Test Suite

4:29
11

Backport the API Platform 2.5 Test Tools

5:01
12

Api Tests & Assertions

6:51
13

Logging in Inside the Test

6:57
14

Resetting the Database Between Tests

4:51
15

Base Test Class full of Goodies

8:30
16

ACL: Only Owners can PUT a CheeseListing

9:23
17

ACL & previousObject

8:04
18

Access Control & Voters

8:25
19

Adding the plainPassword Field

7:31
20

Data Persister: Encoding the Plain Password

8:03
21

Validation Groups

5:44
22

Conditional Field Setup

6:42
23

Testing, Updating Roles & Refreshing Data

9:22
24

Context Builder & Service Decoration

6:50
25

Context Builder: Dynamic Fields/Groups

7:47
26

Automatic Serialization Groups

5:59
27

Resource Metadata Factory: Dynamic ApiResource Options

8:45
28

Dynamic Groups without Caching

10:34
29

Custom Normalizer: Object-by-Object Dynamic Fields

9:30
30

Diving into the Normalizer Internals

4:49
31

A "Normalizer Aware" Normalizer

6:49
32

Normalizer & Completely Custom Fields

7:32
33

Locking down the CheeseListing.owner Field

8:16
34

Custom Validator

5:40
35

Security Logic in the Validator

6:46
36

Auto-set the Owner: Entity Listener

9:46
37

Query Extension: Auto-Filter a Collection

9:37
38

Automatic 404 on Unpublished Items

5:26
39

Filtering Related Collections

10:50

This tutorial has a new version, check it out!

> Symfony 5 > API Platform Part 2: Security

Buy Access to Course

08.

SameSite Cookies & CSRF Attacks

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Chapter

Next Chapter

With a Subscription, click any sentence in the script to jump to that part of the video!

Before we go further into API platform, we need to have a quick heart-to-heart about CSRF attacks. This is a complex topic... so I'll try to hit the highlights. If you're consuming your API from JavaScript, you have two basic options for authentication. First, you can use HttpOnly cookies, which is how sessions work. Or second, you could return some sort of "access token" on login and store that in JavaScript. Generally speaking, storing access tokens in JavaScript is a dangerous practice because it can be stolen if some bad JavaScript somehow runs on your page. If the access token have a short lifetime, that helps... but then they're less useful... because your user will need to constantly log in. Sheesh, this stuff is complex!

Anyways, that is the principle reason why I recommend using HttpOnly cookie-based authentication - like a session - for your JavaScript frontend. And, like I mentioned earlier, if you need this for your JavaScript front-end, it can also be used in other situations, like for authenticating a mobile app that you're building.

But... using an HttpOnly cookie - whether that's a session cookie or something clever like a JWT - is vulnerable to its own type of attack: a CSRF attack. Boo! The simplest example of a CSRF attack is this: an attacker puts an HTML form on their site but makes the action attribute submit to our site. Then, when someone who is logged into our site visits the bad site, the attacker tricks that user into filling out this form - making it look like they're ordering free ice cream, when in fact that endpoint on our site sends the attacker ice cream instead. The user has been tricked into taking some authenticated action on our site that they didn't intend.

Avoiding CSRF Attacks

This problem has traditionally been solved with a CSRF token - an extra field that must be sent on that form submit that proves that the request originated from the real site - not from somewhere else. Symfony's form component adds CSRF tokens automatically.

And if you Google for "dunglas csrf", you'll find a bundle called DunglasAngularCsrfBundle which helps generate and use CSRF tokens in your API. Yea, the name says "Angular", but it works with anything.

The downside is that using CSRF tokens in an API is... annoying: you need to manage CSRF tokens and send that field manually from your JavaScript on every request. If you're using cookie-based authentication and need to 100% prevent a CSRF attack for an endpoint, this is the time-tested way to do that.

Hello SameSite Cookies

But... there is a new way to prevent CSRF attacks that is emerging... a solution that is implemented inside browsers themselves. It's called a "SameSite" cookie... which you can read all about on the Internet.

The basic reason that CSRF attacks are possible is that when a user submits the form that lives on the "bad" site, any cookies that our domain set are sent with that request to our app... even though the request isn't "originating" from our domain. For most cookies that... should probably not happen. Instead, we should be able to say:

Hey browsers! See this session cookie that my Symfony app is setting? I want you to only send that back to my app if the request originates from my domain.

That is now possible by setting a special "attribute" when you add a cookie called "SameSite".

So... because Symfony is responsible for creating the session cookie... how can we tell it to use this cool SameSite attribute? It already is. Open up config/packages/framework.yaml. If you've started a Symfony project any time recently - like we did for this tutorial - then you probably already have this key: framework.session.cookie_samesite set to lax. Yep, our session cookie is already setting SameSite to lax.

            
Copy Code

Show All Lines

                        18 lines
            |
            config/packages/framework.yaml
        
            framework:
        
Show Lines

                                                    // ... lines 2 - 8
                            
                session:
        
Show Lines

                                                    // ... lines 10 - 11
                            
                    cookie_samesite: lax
        
Show Lines

                                                    // ... lines 13 - 18

What does lax mean? Well, the other possible setting is strict. If SameSite is set to strict, then the cookie will never be sent when a third-party initiates a request to our site... even if they literally click a link to visit our site... meaning... they wouldn't be logged in when they arrive. The lax setting is different because the cookie will be sent for "top-level" GET requests... meaning GET requests where the address bar changes. That "more or less" means... when the user clicks a link to your site - though there are a few other, less visible ways that another site could covertly make a GET request to your site and have the cookie sent.

Caveats with SameSite

Anyways, lax is probably what you need and it should protect your API from CSRF attacks... as long as you're aware of two things. First, you need to make sure that your GET endpoints never do anything - they should just return data. If you, for example, allowed users to send ice cream via a GET request, then that endpoint is vulnerable to CSRF attacks. It's ok to return information on a GET request because, while third parties can initiate GET requests, they can't read the returned data, unless you go out of your way to make this possible.

And second... most... but not all browsers support SameSite cookies. If a user visits your site in a browser that does not support SameSite cookies, it will treat it like a normal cookie. That means your site will work fine, but that user would be vulnerable to a CSRF attack.

If that's a problem, you'll either need to implement CSRF tokens or block old browsers from using your site... since they're basically using a vulnerable browser. As you can see from caniuse, the browsers that don't support it include Opera Mini, Blackberry browser and a few other minor ones. IE 11 does support it on Windows 10.

I know... it's crazy! If you use API tokens in JavaScript, they can be stolen by other JavaScript. If you use the safer HttpOnly cookies, then you need to worry about CSRF protection... unless you use SameSite cookies... which protects almost every browser... or you could use CSRF tokens to be safest... but it complicates your life.

Oh... the world of API authentication. The typical recommendation is, regardless of what you choose to do, be aware of what you're protected against and what you're not.

Now it's time to turn to authorization, which answers questions like: how can we lock down certain resources or operations? How can we hide fields from some users or allow only some types of users to update specific fields? Ah... we're going to dream up every way of customizing access to our API.

4 Comments

Sort By

Sherif B. 3 years ago

hi I am involved in a covid project and I have to build an api, I followed this tutorial and you make everything very easy to understand, there is another lab that needs to use our api in a medical HIPAA environment, what do you recommend for security, I checked for tutorials on JWT but not sure yet, do you recommend json_login as you implement here for my situation or should I go with JWT route. Please let me know. thank you so much again for symfonycasts

| Reply |

weaverryan SFCASTS Sherif B. 3 years ago

Hey @sherif807!

Oh boy, covid & hippa - that's a big deal :). I might recommend using OAuth2 specifically with the "client credentials" grant type, which is built for this. Part of the reason I'm choosing this is that OAuth2 (while it can be complex and is often overkill) is a well-known standard, and since you are building something for a sensitive environment, there is value in using something standard. I would try implementing it with this bundle https://github.com/trikoder... - you could actually disable all the other grant types.

The important thing to understand with this is that ultimately, the other application will be able to use their credentials to fetch a temporary access token from your API. And then it can use that on future requests. I would probably not use JWT, just for added security because JWT's cannot (natively) be "revoked" - they are valid until they expire. In the unlikely event something crazy happens, if you have a database of access tokens (not JWT), then you could quickly revoke all of them and instantly deny access.

Let me know what you think and what doubts you might have!

Cheers and keep up the good work!

| Reply |

Cameron 3 years ago

This theory is really good to have, however it would be good to understand what CORS is as I've heard that term a bit but don't really understand it. Maybe it's in a later tutorial...

| Reply |

Victor SFCASTS Cameron 3 years ago

Hey Cameron,

We explain CORS a bit in this screencast: https://symfonycasts.com/sc... - let us know if it was helpful for you.

Cheers!

1 | Reply |

This tutorial works great for Symfony 5 and API Platform 2.5/2.6.

Symfony 4 API Platform 2.4

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": "^7.1.3, <8.0",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^2.1", // v2.4.5
        "composer/package-versions-deprecated": "^1.11", // 1.11.99
        "doctrine/annotations": "^1.0", // 1.13.2
        "doctrine/doctrine-bundle": "^1.6", // 1.11.2
        "doctrine/doctrine-migrations-bundle": "^2.0", // v2.0.0
        "doctrine/orm": "^2.4.5", // v2.7.2
        "nelmio/cors-bundle": "^1.5", // 1.5.6
        "nesbot/carbon": "^2.17", // 2.21.3
        "phpdocumentor/reflection-docblock": "^3.0 || ^4.0", // 4.3.1
        "symfony/asset": "4.3.*", // v4.3.2
        "symfony/console": "4.3.*", // v4.3.2
        "symfony/dotenv": "4.3.*", // v4.3.2
        "symfony/expression-language": "4.3.*", // v4.3.2
        "symfony/flex": "^1.1", // v1.21.6
        "symfony/framework-bundle": "4.3.*", // v4.3.2
        "symfony/http-client": "4.3.*", // v4.3.3
        "symfony/monolog-bundle": "^3.4", // v3.4.0
        "symfony/security-bundle": "4.3.*", // v4.3.2
        "symfony/twig-bundle": "4.3.*", // v4.3.2
        "symfony/validator": "4.3.*", // v4.3.2
        "symfony/webpack-encore-bundle": "^1.6", // v1.6.2
        "symfony/yaml": "4.3.*" // v4.3.2
    },
    "require-dev": {
        "hautelook/alice-bundle": "^2.5", // 2.7.3
        "symfony/browser-kit": "4.3.*", // v4.3.3
        "symfony/css-selector": "4.3.*", // v4.3.3
        "symfony/maker-bundle": "^1.11", // v1.12.0
        "symfony/phpunit-bridge": "^4.3", // v4.3.3
        "symfony/stopwatch": "4.3.*", // v4.3.2
        "symfony/web-profiler-bundle": "4.3.*" // v4.3.2
    }
}

Previous Chapter

Next Chapter

SameSite Cookies & CSRF Attacks

Share this awesome video!

Keep on Learning!

Avoiding CSRF Attacks

Hello SameSite Cookies

Caveats with SameSite

4 Comments

Delete comment?

What PHP libraries does this tutorial use?

	framework:
Show Lines	// ... lines 2 - 8
	session:
Show Lines	// ... lines 10 - 11
	cookie_samesite: lax
Show Lines	// ... lines 13 - 18