#110 Change auth to session.

config/authorization.yaml

@@ -13,5 +13,6 @@ services:
     tags: [ 'controller.service_arguments' ]
 
 
-  Pimcore\Bundle\StudioBackendBundle\Authorization\Service\TokenServiceInterface:
-    class: Pimcore\Bundle\StudioBackendBundle\Authorization\Service\TokenService
+  Pimcore\Bundle\StudioBackendBundle\Authorization\EventListener\LogoutListener:
+    tags:
+      - { name: 'kernel.event_subscriber', dispatcher: 'security.event_dispatcher.pimcore_studio' }

config/pimcore/config.yaml

@@ -1,3 +1,7 @@
+imports:
+    - { resource: security.yaml }
+    - { resource: firewall.yaml }
+
 pimcore:
     translations:
         domains:

config/pimcore/firewall.yaml

@@ -0,0 +1,14 @@
+pimcore_studio_backend:
+  security_firewall:
+    pattern: ^/studio/api(/.*)?$
+    user_checker: Pimcore\Security\User\UserChecker
+    context: pimcore_admin
+    provider: pimcore_studio_backend
+    stateless: false
+    login_throttling:
+      max_attempts: 3
+      interval: '5 minutes'
+    logout:
+      path: /studio/api/logout
+    json_login:
+      check_path: /studio/api/login

config/pimcore/security.yaml

@@ -0,0 +1,4 @@
+security:
+  providers:
+    pimcore_studio_backend:
+      id: Pimcore\Security\User\UserProvider

doc/01_Installation.md

@@ -37,4 +37,18 @@ bin/console pimcore:bundle:install PimcoreStudioBackendBundle
 ## Setting up generic data index
 Pimcore Studio Backend also requires the installation and setup of the generic data index. 
 The bundle is required by default and also automatically enabled in the bundles.
-To install the generic data index refer to [Generic-Data-Index](https://github.com/pimcore/generic-data-index-bundle?tab=readme-ov-file)
+To install the generic data index refer to [Generic-Data-Index](https://github.com/pimcore/generic-data-index-bundle?tab=readme-ov-file)
+
+## Enable Firewall settings
+
+To enable the firewall settings, add the following configuration to your `config/packages/security.yaml` file:
+
+```yaml
+security:
+    firewalls: 
+        pimcore_studio: '%pimcore_studio_backend.firewall_settings%'
+    access_control:
+        - { path: ^/studio/api/docs$, roles: PUBLIC_ACCESS }
+        - { path: ^/studio/api/docs.json$, roles: PUBLIC_ACCESS }
+        - { path: ^/studio, roles: ROLE_PIMCORE_USER }
+```

src/Asset/Controller/CollectionController.php

@@ -73,7 +73,6 @@ public function __construct(
         operationId: 'getAssets',
         description: 'Get paginated assets',
         summary: 'Get all assets',
-        security: self::SECURITY_SCHEME,
         tags: [Tags::Assets->name]
     )]
     #[PageParameter]

src/Asset/Controller/CustomSettingsController.php

@@ -55,7 +55,6 @@ public function __construct(
         operationId: 'getAssetCustomSettingsById',
         description: 'Get custom settings of an asset by its id by path parameter',
         summary: 'Get custom settings of an asset by id',
-        security: self::SECURITY_SCHEME,
         tags: [Tags::Assets->name]
     )]
     #[IdParameter(type: 'asset')]

src/Asset/Controller/Data/TextController.php

@@ -58,7 +58,6 @@ public function __construct(
         path: self::API_PATH . '/assets/{id}/text',
         operationId: 'getAssetDataTextById',
         summary: 'Get asset data in text UTF8 representation by id',
-        security: self::SECURITY_SCHEME,
         tags: [Tags::Assets->name]
     )]
     #[IdParameter(type: 'asset')]

src/Asset/Controller/GetController.php

@@ -54,7 +54,6 @@ public function __construct(
         operationId: 'getAssetById',
         description: 'Get assets by id by path parameter',
         summary: 'Get assets by id',
-        security: self::SECURITY_SCHEME,
         tags: [Tags::Assets->name]
     )]
     #[IdParameter(type: 'asset')]

src/Asset/Controller/UpdateController.php

@@ -54,7 +54,6 @@ public function __construct(
         operationId: 'updateAssetById',
         description: 'Update assets by id',
         summary: 'Update asset',
-        security: self::SECURITY_SCHEME,
         tags: [Tags::Assets->name]
     )]
     #[IdParameter(type: 'asset')]

src/Authorization/Attributes/Request/TokenRequestBody.php → src/Authorization/Attributes/Response/InvalidCredentials.php

@@ -14,21 +14,22 @@
  *  @license    http://www.pimcore.org/license     GPLv3 and PCL
  */
 
-namespace Pimcore\Bundle\StudioBackendBundle\Authorization\Attributes\Request;
+namespace Pimcore\Bundle\StudioBackendBundle\Authorization\Attributes\Response;
 
 use Attribute;
-use OpenApi\Attributes\JsonContent;
-use OpenApi\Attributes\RequestBody;
-use Pimcore\Bundle\StudioBackendBundle\Authorization\Schema\Refresh;
+use OpenApi\Attributes\Response;
 
+/**
+ * @internal
+ */
 #[Attribute(Attribute::TARGET_METHOD)]
-final class TokenRequestBody extends RequestBody
+final class InvalidCredentials extends Response
 {
     public function __construct()
     {
         parent::__construct(
-            required: true,
-            content: new JsonContent(ref: Refresh::class)
+            response: 401,
+            description: 'Invalid credentials Response',
         );
     }
 }

src/Authorization/Controller/LoginController.php

@@ -0,0 +1,57 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Pimcore
+ *
+ * This source file is available under two different licenses:
+ * - GNU General Public License version 3 (GPLv3)
+ * - Pimcore Commercial License (PCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+ *  @license    http://www.pimcore.org/license     GPLv3 and PCL
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\Authorization\Controller;
+
+use OpenApi\Attributes\JsonContent;
+use OpenApi\Attributes\Post;
+use Pimcore\Bundle\StudioBackendBundle\Authorization\Attributes\Request\CredentialsRequestBody;
+use Pimcore\Bundle\StudioBackendBundle\Authorization\Attributes\Response\InvalidCredentials;
+use Pimcore\Bundle\StudioBackendBundle\Authorization\Schema\LoginSuccess;
+use Pimcore\Bundle\StudioBackendBundle\Controller\AbstractApiController;
+use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attributes\Response\SuccessResponse;
+use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
+use Pimcore\Security\User\User;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\Routing\Attribute\Route;
+use Symfony\Component\Security\Http\Attribute\CurrentUser;
+
+/**
+ * @internal
+ */
+final class LoginController extends AbstractApiController
+{
+    #[Route('/login', name: 'pimcore_studio_api_login', methods: ['POST'])]
+    #[Post(
+        path: self::API_PATH . '/login',
+        operationId: 'login',
+        summary: 'Login with user credentials and get access token',
+        tags: [Tags::Authorization->name]
+    )]
+    #[CredentialsRequestBody]
+    #[SuccessResponse(
+        description: 'Login successful',
+        content: new JsonContent(ref: LoginSuccess::class)
+    )]
+    #[InvalidCredentials]
+    public function login(#[CurrentUser] User $user): JsonResponse
+    {
+        return $this->jsonResponse([
+            'username' => $user->getUserIdentifier(),
+            'roles' => $user->getRoles(),
+        ]);
+    }
+}

src/Authorization/Controller/LogoutController.php

@@ -0,0 +1,45 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Pimcore
+ *
+ * This source file is available under two different licenses:
+ * - GNU General Public License version 3 (GPLv3)
+ * - Pimcore Commercial License (PCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+ *  @license    http://www.pimcore.org/license     GPLv3 and PCL
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\Authorization\Controller;
+
+use OpenApi\Attributes\Post;
+use Pimcore\Bundle\StudioBackendBundle\Controller\AbstractApiController;
+use Pimcore\Bundle\StudioBackendBundle\Exception\UnreachableException;
+use Pimcore\Bundle\StudioBackendBundle\OpenApi\Attributes\Response\SuccessResponse;
+use Pimcore\Bundle\StudioBackendBundle\OpenApi\Config\Tags;
+use Symfony\Component\Routing\Attribute\Route;
+
+/**
+ * @internal
+ */
+final class LogoutController extends AbstractApiController
+{
+    #[Route('/logout', name: 'pimcore_studio_api_logout', methods: ['POST'])]
+    #[Post(
+        path: self::API_PATH . '/logout',
+        operationId: 'logout',
+        summary: 'Logout and invalidate current session for active user',
+        tags: [Tags::Authorization->name]
+    )]
+    #[SuccessResponse(
+        description: 'Logout successful',
+    )]
+    public function logout(): void
+    {
+        throw new UnreachableException('Should not be called. Handled by symfony.');
+    }
+}

src/Authorization/EventListener/LogoutListener.php

@@ -0,0 +1,39 @@
+<?php
+declare(strict_types=1);
+
+/**
+ * Pimcore
+ *
+ * This source file is available under two different licenses:
+ * - GNU General Public License version 3 (GPLv3)
+ * - Pimcore Commercial License (PCL)
+ * Full copyright and license information is available in
+ * LICENSE.md which is distributed with this source code.
+ *
+ *  @copyright  Copyright (c) Pimcore GmbH (http://www.pimcore.org)
+ *  @license    http://www.pimcore.org/license     GPLv3 and PCL
+ */
+
+namespace Pimcore\Bundle\StudioBackendBundle\Authorization\EventListener;
+
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\HttpFoundation\JsonResponse;
+use Symfony\Component\Security\Http\Event\LogoutEvent;
+
+/**
+ * @internal
+ */
+final class LogoutListener implements EventSubscriberInterface
+{
+    public static function getSubscribedEvents(): array
+    {
+        return [
+            LogoutEvent::class => 'onLogout',
+        ];
+    }
+
+    public function onLogout(LogoutEvent $event): void
+    {
+        $event->setResponse(new JsonResponse([]));
+    }
+}