IBX-8356: Reworked JWT GraphQL firewall configuration to comply with …

…Symfony-based authentication (#124)

* IBX-8356: Reworked JWT GraphQL firewall configuration to comply with Symfony-based authentication

* added missing lexik_jwt_authentication.yaml to OSS and Headless editions

* [tmp] set jwt gql to enabled

* specified user provider explicitly for all reworked firewalls

* Revert "[tmp] set jwt gql to enabled"

This reverts commit a4b2805.

---------

Co-authored-by: Michał Szołtysek <[email protected]>

ibexa/commerce/5.0/config/packages/security.yaml

@@ -90,6 +90,7 @@ security:
         # Uncomment the rules below to enable JSON Web Token (JWT) authentication for REST and/or GraphQL
         #ibexa_jwt_rest:
         #    request_matcher: Ibexa\Rest\Security\AuthorizationHeaderRESTRequestMatcher
+        #    provider: ibexa
         #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
         #    stateless: true
         #    json_login:
@@ -101,13 +102,9 @@ security:
 
         #ibexa_jwt_graphql:
         #    request_matcher: Ibexa\GraphQL\Security\NonAdminGraphQLRequestMatcher
-        #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
-        #    anonymous: ~
-        #    guard:
-        #        authenticators:
-        #            - lexik_jwt_authentication.jwt_token_authenticator
-        #        entry_point: lexik_jwt_authentication.jwt_token_authenticator
+        #    provider: ibexa
         #    stateless: true
+        #    jwt: ~
 
         # Uncomment ibexa_oauth2_connect, ibexa_oauth2_front rules and comment ibexa_front firewall
         # to enable OAuth2 authentication
@@ -133,13 +130,15 @@ security:
 
         ibexa_rest:
             pattern: ^/api/ibexa
+            provider: ibexa
             user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
             context: ibexa
             custom_authenticators:
                 - Ibexa\Rest\Security\Authenticator\RestAuthenticator
 
         ibexa_front:
             pattern: ^/
+            provider: ibexa
             user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
             context: ibexa
             form_login:

ibexa/experience/5.0/config/packages/security.yaml

@@ -78,6 +78,7 @@ security:
         # Uncomment the rules below to enable JSON Web Token (JWT) authentication for REST and/or GraphQL
         #ibexa_jwt_rest:
         #    request_matcher: Ibexa\Rest\Security\AuthorizationHeaderRESTRequestMatcher
+        #    provider: ibexa
         #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
         #    stateless: true
         #    json_login:
@@ -89,13 +90,9 @@ security:
 
         #ibexa_jwt_graphql:
         #    request_matcher: Ibexa\GraphQL\Security\NonAdminGraphQLRequestMatcher
-        #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
-        #    anonymous: ~
-        #    guard:
-        #        authenticators:
-        #            - lexik_jwt_authentication.jwt_token_authenticator
-        #        entry_point: lexik_jwt_authentication.jwt_token_authenticator
+        #    provider: ibexa
         #    stateless: true
+        #    jwt: ~
 
         # Uncomment ibexa_oauth2_connect, ibexa_oauth2_front rules and comment ibexa_front firewall
         # to enable OAuth2 authentication
@@ -121,13 +118,15 @@ security:
 
         ibexa_rest:
             pattern: ^/api/ibexa
+            provider: ibexa
             user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
             context: ibexa
             custom_authenticators:
                 - Ibexa\Rest\Security\Authenticator\RestAuthenticator
 
         ibexa_front:
             pattern: ^/
+            provider: ibexa
             user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
             context: ibexa
             form_login:

ibexa/headless/5.0/config/packages/lexik_jwt_authentication.yaml

@@ -0,0 +1,12 @@
+lexik_jwt_authentication:
+    secret_key: '%env(APP_SECRET)%'
+    encoder:
+        signature_algorithm: HS256
+    # Disabled by default, because Page builder use an custom extractor
+    token_extractors:
+        authorization_header:
+            enabled: false
+        cookie:
+            enabled: false
+        query_parameter:
+            enabled: false

ibexa/headless/5.0/config/packages/security.yaml

@@ -78,6 +78,7 @@ security:
         # Uncomment the rules below to enable JSON Web Token (JWT) authentication for REST and/or GraphQL
         #ibexa_jwt_rest:
         #    request_matcher: Ibexa\Rest\Security\AuthorizationHeaderRESTRequestMatcher
+        #    provider: ibexa
         #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
         #    stateless: true
         #    json_login:
@@ -89,13 +90,9 @@ security:
 
         #ibexa_jwt_graphql:
         #    request_matcher: Ibexa\GraphQL\Security\NonAdminGraphQLRequestMatcher
-        #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
-        #    anonymous: ~
-        #    guard:
-        #        authenticators:
-        #            - lexik_jwt_authentication.jwt_token_authenticator
-        #        entry_point: lexik_jwt_authentication.jwt_token_authenticator
+        #    provider: ibexa
         #    stateless: true
+        #    jwt: ~
 
         # Uncomment ibexa_oauth2_connect, ibexa_oauth2_front rules and comment ibexa_front firewall
         # to enable OAuth2 authentication
@@ -121,13 +118,15 @@ security:
 
         ibexa_rest:
             pattern: ^/api/ibexa
+            provider: ibexa
             user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
             context: ibexa
             custom_authenticators:
                 - Ibexa\Rest\Security\Authenticator\RestAuthenticator
 
         ibexa_front:
             pattern: ^/
+            provider: ibexa
             user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
             context: ibexa
             form_login:

ibexa/oss/5.0/config/packages/lexik_jwt_authentication.yaml

@@ -0,0 +1,12 @@
+lexik_jwt_authentication:
+    secret_key: '%env(APP_SECRET)%'
+    encoder:
+        signature_algorithm: HS256
+    # Disabled by default, because Page builder use an custom extractor
+    token_extractors:
+        authorization_header:
+            enabled: false
+        cookie:
+            enabled: false
+        query_parameter:
+            enabled: false

ibexa/oss/5.0/config/packages/security.yaml

@@ -56,6 +56,7 @@ security:
         # Uncomment the rules below to enable JSON Web Token (JWT) authentication for REST and/or GraphQL
         #ibexa_jwt_rest:
         #    request_matcher: Ibexa\Rest\Security\AuthorizationHeaderRESTRequestMatcher
+        #    provider: ibexa
         #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
         #    stateless: true
         #    json_login:
@@ -67,23 +68,21 @@ security:
 
         #ibexa_jwt_graphql:
         #    request_matcher: Ibexa\GraphQL\Security\NonAdminGraphQLRequestMatcher
-        #    user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
-        #    anonymous: ~
-        #    guard:
-        #        authenticators:
-        #            - lexik_jwt_authentication.jwt_token_authenticator
-        #        entry_point: lexik_jwt_authentication.jwt_token_authenticator
+        #    provider: ibexa
         #    stateless: true
+        #    jwt: ~
 
         ibexa_rest:
             pattern: ^/api/ibexa
+            provider: ibexa
             user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
             context: ibexa
             custom_authenticators:
                 - Ibexa\Rest\Security\Authenticator\RestAuthenticator
 
         ibexa_front:
             pattern: ^/
+            provider: ibexa
             user_checker: Ibexa\Core\MVC\Symfony\Security\UserChecker
             context: ibexa
             form_login: