Flowpack.Neos.FrontendLogin:Frontend authentication provider prevents Neos.Neos:Backend to work #36

@mhsdesign

After writing the issue's title I think, I guess, this is part of the deal of the package. Still, it got me confused until I dumped out $this->securityContext->getAuthenticationTokens();.

The problem I had is that the plugin Sitegeist.Archaeopteryx comes with certain backend routes like '/sitegeist/archaeopteryx/get-tree' which are not prefixed by '/neos' because, naïvely thought, why should they be? https://github.com/sitegeist/Sitegeist.Archaeopteryx/blob/28f2c159de488e72c6b7bee8ae84bfed5616179f/Configuration/Policy.yaml#L14
They are backend routes because they are still configured to be authenticated via Neos.Neos:Backend.

Now this package restricts the Neos.Neos:Backend authentication provider to only affect paths like '/neos' (which already breaks when another backend endpoint is configured: https://github.com/jvm-tech/JvMTECH.NeosHardening)

    requestPatterns:
      'Flowpack.Neos.FrontendLogin:NeosBackend':
        pattern: Flowpack\Neos\FrontendLogin\Security\NeosRequestPattern

This is part of how this plugin works - just took me some time 😅. I guess the mentioned plugin needs a fix to use a route starting with '/neos'. It's a little odd to have that hardcoded but ... maybe there should be a warning in the readme?


In case a protected route should be authenticated via the Neos.Neos:Backend provider but the following error is shown instead of a redirect to '/neos', you're attempting to protect a custom 'backend like' route, which does not work unless prefixed with 'neos' as long as this package is installed:

Could not authenticate any token.

Might be missing or wrong credentials or no authentication provider matched.
Evaluated following 1 privilege target(s):
