Files
TijdVoorDeTest/config/packages/security.yaml
T
Marijn 89e7dd09ba Add rate limiting to login and season-code entry points
Neither /login nor the public season-code guess form (POST /) had
any throttling, making both an unlimited brute-force/enumeration
oracle. Adds symfony/rate-limiter and enables login_throttling on
the main firewall, plus a dedicated per-IP rate limiter on the
season-code form.
2026-07-13 09:56:39 +02:00

52 lines
1.9 KiB
YAML

security:
# https://symfony.com/doc/current/security.html#registering-the-user-hashing-passwords
password_hashers:
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface: 'auto'
# https://symfony.com/doc/current/security.html#loading-the-user-the-user-provider
providers:
tvdt_user_provider:
entity:
class: Tvdt\Entity\User
property: email
firewalls:
dev:
# Ensure dev tools and static assets are always allowed
pattern: ^/(_profiler|_wdt|assets|build)/
security: false
main:
lazy: true
provider: tvdt_user_provider
form_login:
login_path: tvdt_login_login
check_path: tvdt_login_login
enable_csrf: true
default_target_path: tvdt_backoffice_index
logout:
path: tvdt_login_logout
remember_me:
secret: '%kernel.secret%'
lifetime: 604800 # 1 week in seconds
login_throttling:
max_attempts: 5
access_control:
- { path: ^/admin, roles: ROLE_ADMIN }
- { path: ^/backoffice/releases$, roles: PUBLIC_ACCESS }
- { path: ^/backoffice, roles: IS_AUTHENTICATED }
when@test:
security:
password_hashers:
# Password hashers are resource-intensive by design to ensure security.
# In tests, it's safe to reduce their cost to improve performance.
Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface:
algorithm: auto
cost: 4 # Lowest possible value for bcrypt
time_cost: 3 # Lowest possible value for argon
memory_cost: 10 # Lowest possible value for argon
firewalls:
main:
login_throttling:
max_attempts: 2