TL;DR question: How to make a user online right after registration and mark his credentials expired so he has to provide the password on the next login?
I’m creating a registration system with least hassle possible in my Symfony2 (2.7) website:
- User enters email address and fills captcha
- User is registered in the system
- A temporary password is dispatched to the user’s email address right away
- I do not require the user to enter any confirmation code or anything - I don’t want to force users to log in to their email, say on a public machine. So the first login after registration is “password-free, confirmation-free”
- While this user is not validated in any way, I will allow only some functions of the website, i.e. his posts will not be visible until he eventually gets verified. This does not prevent the user from using the website
- When the user wants to get verified, he has to set his password. He can set the password only through entering the original password, which has been sent to his email address.
This is the key point of the whole idea: If the user is able to provide the original password, which he did not previously know and which has been sent to his email, we can be sure he has access to the specified email address.
So my trouble is that I want to make the user online right after registration AND I need to set his credentials expired so he either enters the temporary password during the first session or is forced to enter it when attempting to login for the second time.
The thing is that if I set credentials as expired before logging in, it of course fails. So I wanted to set credentials as expired right after I set the UsernamePasswordToken in security.token_storage, but it failed too. Any idea what I am doing wrong?
I ended up setting the credentials expired at the “thank you” page, which works, but is not really a good solution.
AccountController with all the necessary actions: http://pastebin.com/GZspAzMr
I'm stuck in an infinite loop trying to get me to the login screen and the log gets populated with
[2015-09-11 09:28:14] security.INFO: An AuthenticationException was thrown; redirecting to authentication entry point. {"exception":"[object] (Symfony\\Component\\Security\\Core\\Exception\\ProviderNotFoundException(code: 0): No Authentication Provider found for token of class \"Symfony\\Component\\Security\\Core\\Authentication\\Token\\UsernamePasswordToken\". at /var/www/project/app/cache/dev/classes.php:2679)"} []
My security settings allow unrestricted access to the Account controller: http://pastebin.com/7GAV4TGc
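The temporary-password flow described in the question, written out as a stand-alone PHP example (added here, not the asker's code or Symfony's own). It assumes a plain `User` class whose `isCredentialsNonExpired()` mirrors the method of Symfony's `AdvancedUserInterface`, a hypothetical `tempIssuedAt` field to time-limit the emailed secret, and PHP 7's `random_bytes()` (or the random_compat polyfill on PHP 5); the token storage and firewall wiring are left out.

```php
<?php
// Added example: "knowing the emailed temporary password proves mailbox access".
// Plain PHP; the Symfony firewall/token wiring is assumed to exist elsewhere.

final class User
{
    public $email;
    public $passwordHash;        // bcrypt hash of the temporary or chosen password
    public $credentialsExpired;  // what AdvancedUserInterface::isCredentialsNonExpired() reports
    public $verified = false;    // posts stay hidden until this is true
    public $tempIssuedAt;        // hypothetical field: bounds the lifetime of the emailed secret

    public function isCredentialsNonExpired()
    {
        return !$this->credentialsExpired;
    }
}

// Step 1: register. The temporary password is generated server-side, only its hash is
// stored, and the clear text is returned once so it can be emailed. The user can be
// logged in right away but is flagged credentials-expired, so the next login must go
// through the emailed password.
function registerUser($email)
{
    $temp = bin2hex(random_bytes(12));  // 96 bits of entropy, never stored in clear
    $user = new User();
    $user->email = $email;
    $user->passwordHash = password_hash($temp, PASSWORD_BCRYPT);
    $user->credentialsExpired = true;
    $user->tempIssuedAt = time();
    return array($user, $temp);         // $temp goes into the email and nowhere else
}

// Step 2: verify. Presenting the emailed password proves access to the mailbox; only
// then may the user pick a real password. The secret is time-limited, and
// password_verify() compares in constant time so a wrong guess leaks no timing.
function verifyWithTemporaryPassword(User $user, $supplied, $newPassword, $ttl = 86400)
{
    if (time() - $user->tempIssuedAt > $ttl) {
        return false;                   // emailed secret is too old; issue a new one
    }
    if (!password_verify($supplied, $user->passwordHash)) {
        return false;                   // wrong temporary password, nothing changes
    }
    $user->passwordHash = password_hash($newPassword, PASSWORD_BCRYPT);
    $user->credentialsExpired = false;  // subsequent logins use the chosen password
    $user->verified = true;             // posts become visible
    return true;
}
```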