Symfony: Hooking into login process to check for additional conditions

I implemented the advanced user interface of Symfony in my project. It works to register and log in users.

Now I have additional conditions I want to check when the user logs in. Like if the user has confirmed his or her email already and/or other conditions. Those conditions are fields in the database/properties of the user entity so it's easy to check them.

Imagine I want to add an isEmailConfirmed() function to the user class which is called like the isEnabled() function from the advanced user interface. If it returns true the user is able to log in. If it returns false I want to restrict access and show a message that addresses the problem.

--> Is it correct to add such a function to the checkPreAuth() function in Symfony\Component\Security\Core\User\UserChecker? I am thinking of hooking in here with a function like checkCustomConditions()?

Fuzzzzel asked Sep 03 '25 14:09


1 Answer

In the authentication process, when trying to authenticate a user, first the provider takes the credentials and retrieves the user from the storage (db, active directory). Then the Symfony\Component\Security\Core\User\UserChecker::preAuth() method is called before actually creating a token for the user. Here exceptions are thrown specifically for each of the cases you mention above. You can catch them in your loginAction and interpret them.

I guess the least intrusive way to add your own preAuth logic would be to try to overwrite the definition of the provider (if you are using a default one) to use your own UserChecker.

alexandra answered Sep 05 '25 05:09
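
An added example (not part of the original answer) of a custom user checker like the one the answer suggests, assuming a hypothetical App\Entity\User with the isEmailConfirmed() method from the question; the class names EmailNotConfirmedException and EmailConfirmedUserChecker are also hypothetical. It places the check in checkPostAuth() rather than checkPreAuth(), so the account-status message is shown only after the password has been verified.

```php
<?php
// Added example, not code from the thread or from Symfony itself.
// Assumption: App\Entity\User is your own entity and has isEmailConfirmed().
// Enable per firewall in the security config with the user_checker option:
//   security.firewalls.<firewall name>.user_checker: App\Security\EmailConfirmedUserChecker
// Setting this replaces the firewall's default checker, so any checks the
// default one performed must be repeated here if you still rely on them.
namespace App\Security;

use App\Entity\User;
use Symfony\Component\Security\Core\Exception\AccountStatusException;
use Symfony\Component\Security\Core\User\UserCheckerInterface;
use Symfony\Component\Security\Core\User\UserInterface;

/** Raised when the account exists but its email address is unconfirmed. */
class EmailNotConfirmedException extends AccountStatusException
{
    public function getMessageKey(): string
    {
        // Shown on the login form via the authentication error.
        return 'Please confirm your email address before logging in.';
    }
}

class EmailConfirmedUserChecker implements UserCheckerInterface
{
    public function checkPreAuth(UserInterface $user): void
    {
        // Runs before the password is verified. A status-specific message
        // thrown here would tell anyone who submits a valid username that the
        // account exists and is unconfirmed, so nothing is checked here.
    }

    public function checkPostAuth(UserInterface $user): void
    {
        // Runs after the credentials have been verified.
        if (!$user instanceof User) {
            return; // other user types (e.g. in-memory users) are not our concern
        }

        if (!$user->isEmailConfirmed()) {
            $exception = new EmailNotConfirmedException();
            $exception->setUser($user); // lets listeners see which account failed
            throw $exception;           // aborts the login; no token is stored
        }
    }
}
```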