Extranet Bundle Laravel Package

Getting Started

Minimal Setup

1. Installation

   composer require atoolo/extranet-bundle
   

   Add to config/bundles.php:

   return [
       // ...
       Atoolo\ExtranetBundle\AtooloExtranetBundle::class => ['all' => true],
   ];
   

2. Configuration Publish the default config:

   php bin/console config:dump-reference AtooloExtranetBundle
   

   Update config/packages/atoolo_extranet.yaml:

   atoolo_extranet:
       enabled: true
       graphql_access_control: true
       controller_access_control: true
   

3. First Use Case Secure a GraphQL endpoint by annotating your resolver:

   use Atoolo\ExtranetBundle\Annotation\Secure;
   
   #[Secure]
   class MyResolver {
       // ...
   }
   

Implementation Patterns

Workflows

1. GraphQL Security

   • Annotation-Based: Use @Secure on resolvers or fields to enforce access control.
   • Dynamic Rules: Extend via AtooloExtranetBundle\Event\AccessControlEvent listeners.
   • Example:

     #[Secure(roles: ['ROLE_CLIENT'])]
     public function resolveClientData() { ... }
     

2. Controller Security

   • Method-Level: Annotate controller methods:

     #[Secure]
     #[Route('/api/client-data', name: 'client_data')]
     public function getClientData(): Response { ... }
     

   • Class-Level: Apply to entire controllers:

     #[Secure]
     class ClientController { ... }
     

3. Integration with Symfony Security

   • Leverage existing ROLE_* roles or custom voter logic:

     # config/packages/security.yaml
     access_control:
         - { path: ^/api/client, roles: ROLE_CLIENT }
     

4. Custom Access Logic

   • Subscribe to extranet.access_control event:

     $eventDispatcher->addListener(
         AtooloExtranetBundle\Event\AccessControlEvent::class,
         fn(AccessControlEvent $event) => $event->allowIf(
             $event->getUser()->hasRole('CUSTOM_ROLE')
         )
     );
     

Gotchas and Tips

Pitfalls

1. Namespace Conflicts

   • Ensure Atoolo\ExtranetBundle\Annotation\Secure is imported correctly (not mixed with Symfony’s @Secure).

2. GraphQL Caching

   • Disable caching for secured endpoints if using @Secure with dynamic rules:

     # config/packages/graphql.yaml
     overblog_graphql:
         resolvers:
             MyResolver:
                 cache: false
     

3. Role Inheritance

   • Avoid circular role dependencies (e.g., ROLE_CLIENT requiring ROLE_ADMIN which requires ROLE_CLIENT).

4. Performance Overhead

   • Heavy access control logic in listeners may slow GraphQL queries. Optimize with:

     $event->allowIf($event->getUser()->isGranted('IS_AUTHENTICATED_FULLY'));
     

Debugging

• Enable Verbose Logging

  # config/packages/atoolo_extranet.yaml
  debug: true
  

  Logs access control decisions to var/log/dev.log.

• Check Event Dispatching Use Symfony’s profiler (/_profiler) to verify AccessControlEvent listeners fire.

Extension Points

1. Custom Annotations Extend Secure via traits or new annotations:

   #[Attribute]
   class CustomSecure extends Secure {
       public function __construct(public string $customRule) {}
   }
   

2. Database-Backed Rules Store rules in a extranet_rules table and hydrate them in a listener:

   $event->allowIf($this->ruleRepository->isAllowed($event->getUser(), $event->getPath()));
   

3. IP Whitelisting Combine with Symfony’s IpWhitelistVoter:

   security:
       access_control:
           - { path: ^/api/admin, roles: ROLE_ADMIN, ip: 192.168.1.0/24 }