Home
Your opinions and ideas are most wanted. Please hit 'Edit Page' if you have something to say.
Help with the code and docs is welcome.
See the issues tab
These are open for discussion, not just about the how and priority but also the if at all and why. Please add your own ideas too.
- Add user interfaces that give the site administrator insight into what is going on and what has happened, so that he/she can explain to users who ask for assistance because they are/were blocked.
- Add (example) controllers and templates for sending e-mails with URLs containing release tokens, and for processing the resulting release requests.
- Add more Guard classes for different types of Authentication Listener, or replace it by other hooks into Symfony's authentication (discussion).
Guarding more Paths
Applications implementing their own authentication systems should consider a threshold governor to prevent the over-use of the following paths:
- Account registration processes (if any)
- Primary authentication path
- Step up authentication (such as two factor tokens)
- Password change**
- Password resets** (**Low value systems only - Most medium and all high value systems should not be using passwords, and thus do not possess password reset capabilities)
The primary authentication path is already covered. A kernel request listener could be added for blocking other paths by IP address. Support for blocking by username could be useful too, but some customization will be required as there is no generic way to obtain the username. A specialization of FOSUserBundle could be provided and could also serve as an example for custom Guards.
Quotations are from https://www.owasp.org/index.php/Guide_to_Authentication
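As an added illustration of the kernel request listener sketched above (example code, not the bundle's own), the subscriber below counts POST requests per client IP to a configurable set of guarded path prefixes and answers with HTTP 429 once a threshold is exceeded. The class name, constructor parameters and the PSR-6 cache pool used for storage are assumptions; only the Symfony and PSR interfaces are real.

```php
<?php
// Added example, not part of the bundle: blocks over-use of guarded paths by IP.
namespace App\EventSubscriber;

use Psr\Cache\CacheItemPoolInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;

final class GuardedPathSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private CacheItemPoolInterface $pool,   // any PSR-6 pool (assumed injected)
        private array $guardedPaths,            // e.g. ['/register', '/resetting'] (assumed)
        private int $limit = 10,                // attempts allowed per IP per window
        private int $windowSeconds = 900        // counter lifetime, refreshed on each attempt
    ) {}

    public static function getSubscribedEvents(): array
    {
        // Priority 64 runs before routing (32) and the firewall (8), so a blocked
        // client never reaches the controller that would process the attempt.
        return [KernelEvents::REQUEST => ['onKernelRequest', 64]];
    }

    public function onKernelRequest(RequestEvent $event): void
    {
        $request = $event->getRequest();
        if (!$event->isMainRequest() || !$request->isMethod('POST')) {
            return; // only count submissions, not page views or sub-requests
        }
        $path = $request->getPathInfo();
        foreach ($this->guardedPaths as $prefix) {
            if (!str_starts_with($path, $prefix)) {
                continue;
            }
            // getClientIp() honours the framework's trusted_proxies setting.
            // PSR-6 keys may not contain '/' or ':', hence the hash.
            $item = $this->pool->getItem('guard_' . sha1($request->getClientIp() . '|' . $prefix));
            $count = $item->isHit() ? (int) $item->get() + 1 : 1;
            $item->set($count)->expiresAfter($this->windowSeconds);
            $this->pool->save($item);
            if ($count > $this->limit) {
                $event->setResponse(new Response('Too many attempts, try again later.',
                    Response::HTTP_TOO_MANY_REQUESTS, ['Retry-After' => (string) $this->windowSeconds]));
            }
            return;
        }
    }
}
```

Because the TTL is refreshed on every attempt, a client that keeps hammering a guarded path stays counted until it pauses for a full window; log the 429 decisions so the administrator insight described in the ideas list has data to show.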