From dc19006738288b908efc5cd5afc4943efd481c17 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Julien=20Fastr=C3=A9?= <julien.fastre@champs-libres.coop>
Date: Mon, 9 Jan 2023 20:50:11 +0100
Subject: [PATCH] Feature: configure root app for usage of JWT access token for
 wopi

---
 config/packages/lexik_jwt_authentication.yaml |  8 ++++++++
 config/packages/security.yaml                 | 10 +++++++++-
 config/routes/chill_wopi.yaml                 |  2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/config/packages/lexik_jwt_authentication.yaml b/config/packages/lexik_jwt_authentication.yaml
index edfb69d..93041d0 100644
--- a/config/packages/lexik_jwt_authentication.yaml
+++ b/config/packages/lexik_jwt_authentication.yaml
@@ -2,3 +2,11 @@ lexik_jwt_authentication:
     secret_key: '%env(resolve:JWT_SECRET_KEY)%'
     public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
     pass_phrase: '%env(JWT_PASSPHRASE)%'
+
+    # required for wopi - recommended duration
+    token_ttl: 36000
+
+    token_extractors:
+        query_parameter:
+            enabled: true
+            name: access_token
diff --git a/config/packages/security.yaml b/config/packages/security.yaml
index b49a05b..65b3f2f 100644
--- a/config/packages/security.yaml
+++ b/config/packages/security.yaml
@@ -29,6 +29,14 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
 
+        wopi:
+            pattern: ^/wopi
+            provider: chain_provider
+            stateless: true
+            guard:
+                authenticators:
+                    - lexik_jwt_authentication.jwt_token_authenticator
+
         default:
             anonymous: ~
             provider: chain_provider
@@ -54,7 +62,7 @@ security:
         - { path: ^/saml/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/(login|logout), roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/public, roles: IS_AUTHENTICATED_ANONYMOUSLY }
-        - { path: ^/wopi, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/wopi, roles: IS_AUTHENTICATED_FULLY }
         # access for homepage, the homepage redirect admin to admin section
         - { path: ^/$, roles: [ IS_AUTHENTICATED_REMEMBERED ] }
         - { path: ^/homepage$, roles: [ IS_AUTHENTICATED_REMEMBERED ] }
diff --git a/config/routes/chill_wopi.yaml b/config/routes/chill_wopi.yaml
index 337f020..b94e5d6 100644
--- a/config/routes/chill_wopi.yaml
+++ b/config/routes/chill_wopi.yaml
@@ -1,3 +1,3 @@
 chill_wopi_bundle:
   resource: '@ChillWopiBundle/Resources/config/routes/routes.php'
-  prefix: /wopi
+  prefix: /chill/wopi