Merge branch 'security'

Author: codedmonkey

config/packages/security.yaml

@@ -25,7 +25,7 @@ security:
             lazy: true
             provider: database_users
             form_login:
-                login_path: /?routeName=dashboard_login
+                login_path: dashboard_login
                 check_path: dashboard_login
             remember_me:
                 secret: '%kernel.secret%'

config/packages/validator.yaml

@@ -5,7 +5,13 @@ framework:
         #auto_mapping:
         #    App\Entity\: []
 
+        # Disable HTTP calls to check for compromised passwords.
+        # Dirigent should be secure, but it also needs to always work offline for now.
+        # todo add offline mode
+        # todo analyze if this is a good and secure way to check for compromised passwords
+        not_compromised_password: false
+
 when@test:
     framework:
         validation:
-            not_compromised_password: false
+            #not_compromised_password: false

migrations/Version20250703184453.php

@@ -0,0 +1,36 @@
+<?php
+
+declare(strict_types=1);
+
+namespace DoctrineMigrations;
+
+use Doctrine\DBAL\Schema\Schema;
+use Doctrine\Migrations\AbstractMigration;
+
+final class Version20250703184453 extends AbstractMigration
+{
+    public function getDescription(): string
+    {
+        return 'Change unique user field';
+    }
+
+    public function up(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            DROP INDEX uniq_8d93d649e7927c74
+        SQL);
+        $this->addSql(<<<'SQL'
+            CREATE UNIQUE INDEX UNIQ_8D93D649F85E0677 ON "user" (username)
+        SQL);
+    }
+
+    public function down(Schema $schema): void
+    {
+        $this->addSql(<<<'SQL'
+            DROP INDEX UNIQ_8D93D649F85E0677
+        SQL);
+        $this->addSql(<<<'SQL'
+            CREATE UNIQUE INDEX uniq_8d93d649e7927c74 ON "user" (email)
+        SQL);
+    }
+}

src/Controller/Dashboard/DashboardSecurityController.php

@@ -6,6 +6,7 @@
 use CodedMonkey\Dirigent\Doctrine\Repository\UserRepository;
 use CodedMonkey\Dirigent\Form\RegistrationFormType;
 use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
+use Symfony\Bundle\SecurityBundle\Security;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Routing\Attribute\Route;
@@ -21,9 +22,7 @@ public function __construct(
     #[Route('/login', name: 'dashboard_login')]
     public function login(AuthenticationUtils $authenticationUtils): Response
     {
-        $userCount = $this->userRepository->count([]);
-
-        if (0 === $userCount) {
+        if ($this->userRepository->noUsers()) {
             return $this->redirectToRoute('dashboard_register');
         }
 
@@ -38,12 +37,13 @@ public function login(AuthenticationUtils $authenticationUtils): Response
     }
 
     #[Route('/register', name: 'dashboard_register')]
-    public function register(Request $request): Response
+    public function register(Request $request, Security $security): Response
     {
         $registrationEnabled = $this->getParameter('dirigent.security.registration_enabled');
-        $userCount = $this->userRepository->count([]);
+        $noUsers = $this->userRepository->noUsers();
 
-        if (!$registrationEnabled && 0 !== $userCount) {
+        // Redirect to the homepage page if registration is disabled, but continue if there are no users yet
+        if (!$registrationEnabled && !$noUsers) {
             return $this->redirectToRoute('dashboard');
         }
 
@@ -54,13 +54,15 @@ public function register(Request $request): Response
         $form->handleRequest($request);
 
         if ($form->isSubmitted() && $form->isValid()) {
-            if (0 === $userCount) {
+            // The first user gets owner privileges
+            if ($noUsers) {
                 $user->setRoles(['ROLE_SUPER_ADMIN', 'ROLE_USER']);
             }
 
             $this->userRepository->save($user, true);
 
-            return $this->redirectToRoute('dashboard_login');
+            // Automatically authenticate the user after registration
+            return $security->login($user, 'security.authenticator.form_login.main', 'main');
         }
 
         return $this->render('dashboard/security/register.html.twig', [

src/Doctrine/Entity/User.php

@@ -8,25 +8,27 @@
 use Doctrine\ORM\Mapping\GeneratedValue;
 use Doctrine\ORM\Mapping\Id;
 use Doctrine\ORM\Mapping\Table;
+use Symfony\Bridge\Doctrine\Validator\Constraints\UniqueEntity;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 #[Entity(repositoryClass: UserRepository::class)]
 #[Table(name: '`user`')]
+#[UniqueEntity('username', message: 'This username is already taken')]
 class User implements UserInterface, PasswordAuthenticatedUserInterface
 {
     #[Column]
     #[GeneratedValue]
     #[Id]
     private ?int $id = null;
 
-    #[Column(length: 80)]
+    #[Column(length: 80, unique: true)]
     private ?string $username = null;
 
     #[Column(length: 180, nullable: true)]
     private ?string $name = null;
 
-    #[Column(length: 180, unique: true, nullable: true)]
+    #[Column(length: 180, nullable: true)]
     private ?string $email = null;
 
     #[Column]

src/Doctrine/Repository/UserRepository.php

@@ -25,6 +25,14 @@ public function __construct(ManagerRegistry $registry)
         parent::__construct($registry, User::class);
     }
 
+    /**
+     * Checks if at least one user exists in the database. Used to allow registration for the first user.
+     */
+    public function noUsers(): bool
+    {
+        return null === $this->findOneBy([]);
+    }
+
     public function save(User $entity, bool $flush = false): void
     {
         $this->getEntityManager()->persist($entity);

tests/FunctionalTests/Controller/Dashboard/DashboardSecurityControllerTest.php

@@ -0,0 +1,27 @@
+<?php
+
+namespace CodedMonkey\Dirigent\Tests\FunctionalTests\Controller\Dashboard;
+
+use CodedMonkey\Dirigent\Tests\Helper\WebTestCaseTrait;
+use Symfony\Bundle\FrameworkBundle\Test\WebTestCase;
+use Symfony\Component\HttpFoundation\Response;
+
+class DashboardSecurityControllerTest extends WebTestCase
+{
+    use WebTestCaseTrait;
+
+    /**
+     * Verify the homepage redirects to the login page when the application is not publicly accessible.
+     */
+    public function testLoginRedirect(): void
+    {
+        $client = static::createClient();
+        $client->request('GET', '/');
+
+        $this->assertResponseStatusCodeSame(Response::HTTP_FOUND);
+
+        $client->followRedirect();
+
+        self::assertSame('/login', $client->getRequest()->getRequestUri());
+    }
+}

translations/validators.en.yaml

@@ -3,3 +3,5 @@ Enter an email address: Enter an email address
 Please enter a password: Please enter a password
 The password fields must match: The password fields must match
 Your password should be at least {{ limit }} characters: Your password should be at least {{ limit }} characters
+
+This username is already taken: This username is already taken