Feature: configure root app for usage of JWT access token for wopi

.env

@@ -3,18 +3,16 @@
 ## `$ composer symfony:dump-env prod`
 ##
 
-## Project environment
-# this should be set in docker-compose.yml file
-# APP_ENV=prod
-
-## Enable debug
-APP_DEBUG=false
-
 ## Locale
 LOCALE=fr
 
-## Framework secret
-APP_SECRET=ThisTokenIsNotSoSecretChangeIt
+###> symfony/framework-bundle ###
+# this should be set in docker-compose.yml file
+APP_ENV=prod
+APP_SECRET=ChangeItf2b58287ef7f9976409d3f6c72529e99ChangeIt
+TRUSTED_PROXIES=127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+TRUSTED_HOSTS='^(localhost|example\.com|nginx)$'
+###< symfony/framework-bundle ###
 
 ## Wopi server for editing documents online
 WOPI_SERVER=http://collabora:9980
@@ -22,13 +20,6 @@ WOPI_SERVER=http://collabora:9980
 # must be manually set in .env.local
 # ADMIN_PASSWORD=
 
-## Symfony/framework-bundle
-TRUSTED_HOSTS='^(localhost|127.0.0.1|test.localde)$'
-TRUSTED_PROXIES=~
-
-## Doctrine/doctrine-bundle
-DATABASE_URL=
-
 ## Symfony/swiftmailer
 ## Mailer
 ###> symfony/mailer ###
@@ -83,3 +74,16 @@ SHORT_MESSAGE_DSN=null://null
 # MESSENGER_TRANSPORT_DSN=redis://localhost:6379/messages
 MESSENGER_TRANSPORT_DSN=sync://
 ###< symfony/messenger ###
+
+###> doctrine/doctrine-bundle ###
+# Format described at https://www.doctrine-project.org/projects/doctrine-dbal/en/latest/reference/configuration.html#connecting-using-a-url
+# IMPORTANT: You MUST configure your server version, either here or in config/packages/doctrine.yaml
+#
+DATABASE_URL="postgresql://postgres:postgres@db:5432/postgres?serverVersion=14&charset=utf8"
+###< doctrine/doctrine-bundle ###
+
+###> lexik/jwt-authentication-bundle ###
+JWT_SECRET_KEY=%kernel.project_dir%/config/jwt/private.pem
+JWT_PUBLIC_KEY=%kernel.project_dir%/config/jwt/public.pem
+JWT_PASSPHRASE=2a30f6ba26521a2613821da35f28386e
+###< lexik/jwt-authentication-bundle ###

.gitignore

@@ -75,3 +75,7 @@ yarn-error.log
 
 docker-compose.override.yml
 docker-compose.override.yaml
+
+###> lexik/jwt-authentication-bundle ###
+/config/jwt/*.pem
+###< lexik/jwt-authentication-bundle ###

composer.json

@@ -15,7 +15,7 @@
     },
     "require": {
         "ext-redis": "*",
-        "chill-project/chill-bundles": "dev-master#bbd2599e7e6040c7090bfb11bc2f913b5a73d5e4",
+        "chill-project/chill-bundles": "dev-43-wopi-use-access-token@dev",
         "symfony/flex": "^1.9",
         "symfony/http-client": "^4.4 || ^5",
         "nelmio/alice": "^3.8",
@@ -23,7 +23,8 @@
         "phpstan/phpstan": "^1.0",
         "spomky-labs/base64url": "^2.0",
         "twig/string-extra": "^3.3",
-        "symfony/mailer": "^5.4"
+        "symfony/mailer": "^5.4",
+        "symfony/dependency-injection": "5.4.16"
     },
     "require-dev": {
         "fakerphp/faker": "^1.13",
@@ -58,7 +59,9 @@
         },
         "preferred-install": {
           "chill-project/chill-bundles": "source",
-          "champs-libres/async-uploader-bundle": "source"
+          "champs-libres/async-uploader-bundle": "source",
+          "champs-libres/wopi-bundle": "source",
+          "champs-libres/wopi-lib": "source"
         }
     }
 }

config/bundles.php

@@ -36,4 +36,5 @@ return [
     Misd\PhoneNumberBundle\MisdPhoneNumberBundle::class => ['all' => true],
     App\App::class => ['all' => true],
     KnpU\OAuth2ClientBundle\KnpUOAuth2ClientBundle::class => ['all' => true],
+    Lexik\Bundle\JWTAuthenticationBundle\LexikJWTAuthenticationBundle::class => ['all' => true],
 ];

config/packages/doctrine.yaml

@@ -1,3 +1,10 @@
+framework:
+    cache:
+        pools:
+            doctrine.system_cache_pool:
+                adapter: cache.adapter.redis
+
+
 doctrine:
     dbal:
         url: '%env(resolve:DATABASE_URL)%'
@@ -5,7 +12,7 @@ doctrine:
             geometry: string
         # IMPORTANT: You MUST configure your server version,
         # either here or in the DATABASE_URL env var (see .env file)
-        #server_version: '5.7'
+        #server_version: '14'
     orm:
         auto_generate_proxy_classes: true
         naming_strategy: doctrine.orm.naming_strategy.default

config/packages/lexik_jwt_authentication.yaml

@@ -0,0 +1,12 @@
+lexik_jwt_authentication:
+    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
+    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
+    pass_phrase: '%env(JWT_PASSPHRASE)%'
+
+    # required for wopi - recommended duration
+    token_ttl: 36000
+
+    token_extractors:
+        query_parameter:
+            enabled: true
+            name: access_token

config/packages/prod/doctrine.yaml

@@ -1,9 +1,6 @@
 doctrine:
     orm:
         auto_generate_proxy_classes: false
-        metadata_cache_driver:
-            type: pool
-            pool: doctrine.system_cache_pool
         query_cache_driver:
             type: pool
             pool: doctrine.system_cache_pool

config/packages/security.yaml

@@ -29,6 +29,14 @@ security:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
 
+        wopi:
+            pattern: ^/wopi
+            provider: chain_provider
+            stateless: true
+            guard:
+                authenticators:
+                    - lexik_jwt_authentication.jwt_token_authenticator
+
         default:
             anonymous: ~
             provider: chain_provider
@@ -54,7 +62,7 @@ security:
         - { path: ^/saml/metadata, roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/(login|logout), roles: IS_AUTHENTICATED_ANONYMOUSLY }
         - { path: ^/public, roles: IS_AUTHENTICATED_ANONYMOUSLY }
-        - { path: ^/wopi, roles: IS_AUTHENTICATED_ANONYMOUSLY }
+        - { path: ^/wopi, roles: IS_AUTHENTICATED_FULLY }
         # access for homepage, the homepage redirect admin to admin section
         - { path: ^/$, roles: [ IS_AUTHENTICATED_REMEMBERED ] }
         - { path: ^/homepage$, roles: [ IS_AUTHENTICATED_REMEMBERED ] }

config/packages/test/doctrine.yaml

@@ -0,0 +1,4 @@
+doctrine:
+    dbal:
+        # "TEST_TOKEN" is typically set by ParaTest
+        dbname: 'main_test%env(default::TEST_TOKEN)%'

config/preload.php

@@ -0,0 +1,9 @@
+<?php
+
+if (file_exists(dirname(__DIR__).'/var/cache/prod/srcApp_KernelProdContainer.preload.php')) {
+    require dirname(__DIR__).'/var/cache/prod/srcApp_KernelProdContainer.preload.php';
+}
+
+if (file_exists(dirname(__DIR__).'/var/cache/prod/App_KernelProdContainer.preload.php')) {
+    require dirname(__DIR__).'/var/cache/prod/App_KernelProdContainer.preload.php';
+}

config/routes/chill_wopi.yaml

@@ -1,3 +1,3 @@
 chill_wopi_bundle:
   resource: '@ChillWopiBundle/Resources/config/routes/routes.php'
-  prefix: /wopi
+  prefix: /chill/wopi

config/services.yaml

@@ -19,7 +19,6 @@ services:
             - '../src/DependencyInjection/'
             - '../src/Entity/'
             - '../src/Kernel.php'
-            - '../src/Tests/'
 
     # controllers are imported separately to make sure services can be injected
     # as action arguments even if you don't extend any base controller class
@@ -45,6 +44,3 @@ services:
         arguments:
             $cache: '@cache.user_data'
 
-    App\Service\Wopi\NullProofValidator:
-        decorates: ChampsLibres\WopiLib\Contract\Service\ProofValidatorInterface
-

public/index.php

@@ -13,7 +13,7 @@ if ($_SERVER['APP_DEBUG']) {
 }
 
 if ($trustedProxies = $_SERVER['TRUSTED_PROXIES'] ?? false) {
-    Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_ALL ^ Request::HEADER_X_FORWARDED_HOST);
+    Request::setTrustedProxies(explode(',', $trustedProxies), Request::HEADER_X_FORWARDED_FOR | Request::HEADER_X_FORWARDED_PORT | Request::HEADER_X_FORWARDED_PROTO);
 }
 
 if ($trustedHosts = $_SERVER['TRUSTED_HOSTS'] ?? false) {

symfony.lock

@@ -51,16 +51,17 @@
         "version": "v0.5.3"
     },
     "doctrine/doctrine-bundle": {
-        "version": "2.0",
+        "version": "2.7",
         "recipe": {
             "repo": "github.com/symfony/recipes",
-            "branch": "master",
-            "version": "2.0",
-            "ref": "a9f2463b9f73efe74482f831f03a204a41328555"
+            "branch": "main",
+            "version": "2.3",
+            "ref": "b8ddff356705ad8e704ea75b6872ce89a15d614d"
         },
         "files": [
             "config/packages/doctrine.yaml",
             "config/packages/prod/doctrine.yaml",
+            "config/packages/test/doctrine.yaml",
             "src/Entity/.gitignore",
             "src/Repository/.gitignore"
         ]
@@ -186,6 +187,18 @@
     "league/csv": {
         "version": "9.6.2"
     },
+    "lexik/jwt-authentication-bundle": {
+        "version": "2.16",
+        "recipe": {
+            "repo": "github.com/symfony/recipes",
+            "branch": "main",
+            "version": "2.5",
+            "ref": "5b2157bcd5778166a5696e42f552ad36529a07a6"
+        },
+        "files": [
+            "config/packages/lexik_jwt_authentication.yaml"
+        ]
+    },
     "loophp/psr-http-message-bridge-bundle": {
         "version": "1.0.0"
     },
@@ -542,15 +555,16 @@
         "version": "4.4",
         "recipe": {
             "repo": "github.com/symfony/recipes",
-            "branch": "master",
+            "branch": "main",
             "version": "4.4",
-            "ref": "af2e2efad553bc959a0c61d9185e33ca9eec5c99"
+            "ref": "24eb45d1355810154890460e6a05c0ca27318fe7"
         },
         "files": [
             "config/bootstrap.php",
             "config/packages/cache.yaml",
             "config/packages/framework.yaml",
             "config/packages/test/framework.yaml",
+            "config/preload.php",
             "config/routes/dev/framework.yaml",
             "config/services.yaml",
             "public/index.php",