A beginner’s guide on JWT authentication Symfony 5 API based

So if you found a hard way creating your own JWT authentication Api on Symfony 5, I will be covering step by step how to create your own using the JWT bundle only as an external help

1-Initialize the project

First, we need to create our Symfony 5 project with help of Symfony commands

symfony new my_project_name
or
composer create-project symfony/skeleton my_project_name

This will create an API Based Symfony project that the structure looks similar to this:

bin: contains Symfony command console

config: contains all bundle configurations and a list of bundles in the bundle.php

public: provides access to the application via index.php

src: contains all controllers, models, and services

var: contains system logs and cache files

vendor: contains all installed external packages

2-Installing needed packages

In this section we will install all needed packages to reach our goal:

composer require symfony/orm-pack
composer require --dev symfony/maker-bundle
composer require symfony/security-bundle
composer require "lexik/jwt-authentication-bundle"

Now, we have to create a folder called JWT under the config folder that will contain our private and public keys

3-Coding part

Now the part that actually matters the most and what we can code to make what we want.

The object is to create two API one to register a user and the second to send user credentials and receive our JWT token in the process so we will start by creating a User entity first

<?php


namespace App\Entity;

use Doctrine\ORM\Mapping as ORM;
use Symfony\Component\Security\Core\User\UserInterface;

/**
*
@ORM\Table(name="user")
*
@ORM\Entity
*/
class User implements UserInterface
{
/**
*
@ORM\Column(type="integer")
*
@ORM\Id
* @ORM\GeneratedValue(strategy="AUTO")
*/
private $id;
/**
*
@ORM\Column(type="string", length=25, unique=true)
*/
private $username;
/**
*
@ORM\Column(type="string", length=255)
*/
private $password;

/**
*
@ORM\Column(type="string", length=45)
*/
private $email;

/**
* User constructor.
*
@param $username
*/
public function __construct($username)
{
$this->username = $username;
}

/**
*
@return int|null
*/
public function getId(): ?int
{
return $this->id;
}

/**
*
@return string
*/
public function getUsername(): string
{
return $this->username;
}

/**
*
@param mixed $username
*/
public function setUsername($username): void
{
$this->username = $username;
}

/**
*
@return string|null
*/
public function getSalt(): ?string
{
return null;
}

/**
*
@return string|null
*/
public function getPassword(): ?string
{
return $this->password;
}

/**
*
@param $password
*/
public function setPassword($password)
{
$this->password = $password;
}

/**
*
@return mixed
*/
public function getEmail()
{
return $this->email;
}

/**
*
@param mixed $email
*/
public function setEmail($email): void
{
$this->email = $email;
}

/**
*
@return array|string[]
*/
public function getRoles(): array
{
return array('ROLE_USER');
}

public function eraseCredentials()
{
}


}

Make sure to add in whatever fields you need but for the sake of this guide, I am gonna keep it short by creating just the basics.

For this step is up to you to add it or not but I find it a good way to up your coding level a bit by using a separate controller that handles your JSON response plus success/error code.

<?php

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;

class ApiController extends AbstractController
{

/**
*
@var integer HTTP status code - 200 by default
*/
protected $statusCode = 200;

/**
* Gets the value of statusCode.
*
*
@return integer
*/
public function getStatusCode(): int
{
return $this->statusCode;
}

/**
* Sets the value of statusCode.
*
*
@param integer $statusCode the status code
*
*
@return self
*/
protected function setStatusCode(int $statusCode): ApiController
{
$this->statusCode = $statusCode;

return $this;
}

/**
* Returns a JSON response
*
*
@param array $data
*
@param array $headers
*
*
@return JsonResponse
*/
public function response(array $data, $headers = []): JsonResponse
{
return new JsonResponse($data, $this->getStatusCode(), $headers);
}

/**
* Sets an error message and returns a JSON response
*
*
@param string $errors
*
@param array $headers
*
@return JsonResponse
*/
public function respondWithErrors(string $errors, $headers = []): JsonResponse
{
$data = [
'status' => $this->getStatusCode(),
'errors' => $errors,
];

return new JsonResponse($data, $this->getStatusCode(), $headers);
}


/**
* Sets an error message and returns a JSON response
*
*
@param string $success
*
@param array $headers
*
@return JsonResponse
*/
public function respondWithSuccess(string $success, $headers = []): JsonResponse
{
$data = [
'status' => $this->getStatusCode(),
'success' => $success,
];

return new JsonResponse($data, $this->getStatusCode(), $headers);
}


/**
* Returns a 401 Unauthorized http response
*
*
@param string $message
*
*
@return JsonResponse
*/
public function respondUnauthorized($message = 'Not authorized!'): JsonResponse
{
return $this->setStatusCode(401)->respondWithErrors($message);
}

/**
* Returns a 422 Unprocessable Entity
*
*
@param string $message
*
*
@return JsonResponse
*/
public function respondValidationError($message = 'Validation errors'): JsonResponse
{
return $this->setStatusCode(422)->respondWithErrors($message);
}

/**
* Returns a 404 Not Found
*
*
@param string $message
*
*
@return JsonResponse
*/
public function respondNotFound($message = 'Not found!'): JsonResponse
{
return $this->setStatusCode(404)->respondWithErrors($message);
}

/**
* Returns a 201 Created
*
*
@param array $data
*
*
@return JsonResponse
*/
public function respondCreated($data = []): JsonResponse
{
return $this->setStatusCode(201)->response($data);
}


protected function transformJsonBody(Request $request): Request
{
$data = json_decode($request->getContent(), true);

if ($data === null) {
return $request;
}

$request->request->replace($data);

return $request;
}


}

This controller basically contains useful methods for your custom controllers that you will be creating along with your project.

For the actual Controller that will be handling our register method and our login check

<?php


namespace App\Controller;


use App\Entity\User;
use Doctrine\ORM\EntityManagerInterface;
use Lexik\Bundle\JWTAuthenticationBundle\Services\JWTTokenManagerInterface;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\Security\Core\Encoder\UserPasswordEncoderInterface;
use Symfony\Component\Security\Core\User\UserInterface;

class AuthController extends ApiController
{
private $em;

public function __construct(EntityManagerInterface $em)
{
$this->em = $em;
}

/**
*
@Route("/api/register", name="register", methods={"POST"})
*
@param Request $request
*
@param UserPasswordEncoderInterface $encoder
*
@return JsonResponse
*/
public function register(Request $request, UserPasswordEncoderInterface $encoder): JsonResponse
{
$request = $this->transformJsonBody($request);
$username = $request->get('username');
$password = $request->get('password');
$email = $request->get('email');

if (empty($username) || empty($password) || empty($email)) {
return $this->respondValidationError("Invalid Username or Password or Email");
}


$user = new User($username);
$user->setPassword($encoder->encodePassword($user, $password));
$user->setEmail($email);
$user->setUsername($username);
$this->em->persist($user);
$this->em-> flush();
return $this->respondWithSuccess(sprintf('User %s successfully created', $user->getUsername()));
}

/**
*
@Route("/api/login_check", name="login-check", methods={"POST"})
*
@param UserInterface $user
*
@param JWTTokenManagerInterface $JWTManager
*
@return JsonResponse
*/
public function getTokenUser(UserInterface $user, JWTTokenManagerInterface $JWTManager): JsonResponse
{
return new JsonResponse(['token' => $JWTManager->create($user)]);
}

}
  • getTokenUSer: This is the method that will be responsible for checking and returning your JWT token if the user exists in your database and all the credentials are correct
  • register: This method will allow you to add in users by providing a username, email, and password in the JSON body of that request

4-Configuration

The last step before it’s all working is to fill in the configuration part in each file with the right lines

First is the security file

security:
encoders:
App\Entity\User:
algorithm: bcrypt

providers:
app_user_provider:
entity:
class: App\Entity\User
property: username
firewalls:
register:
pattern: ^/api/register
stateless: true
anonymous: true
login:
pattern: ^/api/login
stateless: true
anonymous: true
json_login:
check_path: /api/login_check
success_handler: lexik_jwt_authentication.handler.authentication_success
failure_handler: lexik_jwt_authentication.handler.authentication_failure

api:
pattern: ^/api
stateless: true
provider: app_user_provider
guard:
authenticators:
- lexik_jwt_authentication.jwt_token_authenticator

dev:
pattern: ^/(_(profiler|wdt)|css|images|js)/
security: false
main:
anonymous: true


access_control:
- { path: ^/api/register, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
- { path: ^/api, roles: IS_AUTHENTICATED_FULLY }
  • providers: This will contain our provider for login mechanism, which will be our User entity + which property to use. I chose username but feel free to change to an email for example
  • firewalls: This is where will be having our two routes register and login_check make sure to keep them on top of the main or else Symfony main firewall will block their access without proving JWT token
  • access_control: is where you restrict/give access based on the user role

With all of this in place, it’s good to go for testing!!

  • Register case test
  • Login successful case
  • Login unsuccessful case

To your keyboards and happy coding for you all!

You can find all of this in this link

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store