It's my first time doing security stuff.
I followed the Lexik Authentication Bundle Installation chapter and the Lexik Authentication Sandbox Readme file.
And it's confusing me. I think one page is telling me to encode in SHA-2, while the other one is using bcrypt, and I've set it to bcrypt encoding at the moment.
I have the following security settings:
security:
    encoders:
        App\Security\User\WebserviceUser: bcrypt
    role_hierarchy:
        ROLE_ADMIN: ROLE_USER
        ROLE_SUPER_ADMIN: ROLE_ADMIN
    providers:
        webservice:
            id: App\Security\User\WebserviceUserProvider
        jwt:
            lexik_jwt:
                class: App\Security\User\WebserviceUser
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        login:
            pattern: ^/login
            stateless: true
            anonymous: true
            provider: webservice
            json_login:
                check_path: /login_check
                success_handler: lexik_jwt_authentication.handler.authentication_success
                failure_handler: lexik_jwt_authentication.handler.authentication_failure
        client_list:
            pattern: ^/api/client/active
            stateless: true
            anonymous: true
        secured_area:
            pattern: ^/api/
            provider: webservice
            stateless: true
            guard:
                authenticators:
                    - lexik_jwt_authentication.jwt_token_authenticator
    access_control:
        - { path: ^/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
        - { path: ^/api/client/active, roles: IS_AUTHENTICATED_ANONYMOUSLY }
And I created the following keys:
$ openssl genrsa -out config/jwt/private.pem -aes256 4096
Enter pass phrase for config/jwt/private.pem:
Verifying - Enter pass phrase for config/jwt/private.pem:
$ openssl rsa -pubout -in config/jwt/private.pem -out config/jwt/public.pem
Enter pass phrase for config/jwt/private.pem:
writing RSA key
When I try to do a login check, however, it fails:
$ curl -X POST -H "Content-Type: application/json" http://localhost:8000/login_check -d '{"username":"Pete","password":"password"}'
{"code":401,"message":"Bad credentials"}
I've checked the username and password. They are both correct, and I have tried others.
I've tried plaintext encoders and created keys as such:
openssl genpkey -algorithm RSA -out config/jwt/private.pem -pkeyopt rsa_keygen_bits:4096
openssl rsa -pubout -in config/jwt/private.pem -out /config/jwt/public.pem
This does work.
But plaintext does not sound safe.
What am I doing wrong?
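The following is an added example, not code from the question or from the Lexik bundle. It uses only PHP's standard password functions (which Symfony's bcrypt encoder is built on) to show what a bcrypt encoder does with the value a user provider hands back: a stored bcrypt hash verifies, a stored plaintext password never does, and that mismatch is reported as "Bad credentials". The user records are constructed inline; the `WebserviceUserProvider` returning the stored value unchanged is an assumption.

```php
<?php
// Added example (not part of the question): how a bcrypt encoder checks a
// submitted password against the value the user provider returns.
// Assumption: the provider hands back whatever is stored for the user, as-is.
declare(strict_types=1);

// Build a constructed user record, stored either as a bcrypt hash or in clear.
function makeUserRecord(string $username, string $password, bool $storeHashed): array
{
    return [
        'username' => $username,
        'password' => $storeHashed
            ? password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]) // "$2y$12$..."
            : $password,                                                 // clear text
    ];
}

// What a bcrypt encoder does: it expects a bcrypt hash in the stored field.
// password_verify() returns false for anything that is not a valid hash, so a
// plaintext stored value can never match, whatever the user typed.
function checkWithBcryptEncoder(array $record, string $submitted): bool
{
    return password_verify($submitted, $record['password']);
}

// What a plaintext encoder does: constant-time string comparison, nothing more.
function checkWithPlaintextEncoder(array $record, string $submitted): bool
{
    return hash_equals($record['password'], $submitted);
}

// Stored hashes should be checked against the current cost policy so they can
// be upgraded on next successful login.
function hashMeetsPolicy(array $record): bool
{
    return !password_needs_rehash($record['password'], PASSWORD_BCRYPT, ['cost' => 12]);
}

$storedPlain  = makeUserRecord('Pete', 'password', false);
$storedHashed = makeUserRecord('Pete', 'password', true);

$label = fn(bool $ok): string => $ok ? 'ok' : 'Bad credentials';

printf("bcrypt encoder, stored plaintext : %s\n", $label(checkWithBcryptEncoder($storedPlain, 'password')));
printf("bcrypt encoder, stored hash      : %s\n", $label(checkWithBcryptEncoder($storedHashed, 'password')));
printf("bcrypt encoder, wrong password   : %s\n", $label(checkWithBcryptEncoder($storedHashed, 'wrong')));
printf("plaintext encoder, stored plain  : %s\n", $label(checkWithPlaintextEncoder($storedPlain, 'password')));
printf("stored hash looks like           : %s\n", $storedHashed['password']);
printf("hash meets cost policy           : %s\n", hashMeetsPolicy($storedHashed) ? 'yes' : 'no');
```

Run it with `php example.php`. The first line prints "Bad credentials" even though the username and password are right, which is the same symptom as the `curl` call above when the encoder is bcrypt but the provider still returns clear-text passwords; switching the encoder to plaintext makes the check pass without making the stored secret any safer. The usual fix is to keep the bcrypt encoder and store the `password_hash()` output (the `$2y$...` string) for each user instead of the clear-text password.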