security:
    encoders:
        FOS\UserBundle\Model\UserInterface:
            algorithm:        sha512
            encode_as_base64: false
            iterations:       1

    providers:
        packagist:
            id: packagist.user_provider

    firewalls:
        main:
            pattern:      .*
            form_login:
                provider:       packagist
                login_path:     /login
                use_forward:    false
                check_path:     /login_check
                failure_path:   null
            remember_me:
                secret: '%remember_me.secret%'
                user_providers: packagist
                name: pauth
                always_remember_me: true
                secure: '%force_ssl%'
                lifetime: 31104000 # 1y
            logout_on_user_change: true
            logout:       true
            anonymous:    true
            oauth:
                resource_owners:
                    github: '/login/check-github'
                login_path:        /login
                failure_path:      /login
                oauth_user_provider:
                    service: packagist.user_provider
            two_factor:
                auth_form_path: 2fa_login
                check_path: 2fa_login_check
                csrf_token_generator: security.csrf.token_manager
            switch_user:
                provider: packagist

    access_control:
        # The WDT has to be allowed to anonymous users to avoid requiring the login with the AJAX request
        - { path: ^/_wdt/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/_profiler/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # AsseticBundle paths used when using the controller for assets
        - { path: ^/js/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/css/, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # URL of FOSUserBundle which need to be available to anonymous users
        - { path: ^/login$, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/register, role: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/resetting, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # This makes the logout route available during two-factor authentication, allows the user to cancel
        - { path: ^/logout, role: IS_AUTHENTICATED_ANONYMOUSLY }
        # This ensures that the form can only be accessed when two-factor authentication is in progress
        - { path: ^/2fa, role: IS_AUTHENTICATED_2FA_IN_PROGRESS }
        # Secured part of the site
        # This config requires being logged for the whole site and having the admin role for the admin part.
        # Change these rules to adapt them to your needs
        - { path: ^/packages/submit$, role: ROLE_USER }
        - { path: ^/admin/, role: ROLE_ADMIN }

    role_hierarchy:
        ROLE_UPDATE_PACKAGES: ~
        ROLE_DELETE_PACKAGES: ~
        ROLE_EDIT_PACKAGES: ~
        ROLE_ANTISPAM: ~
        ROLE_SPAMMER: ~
        ROLE_DISABLE_2FA: ~

        ROLE_ADMIN:       [ ROLE_USER, ROLE_UPDATE_PACKAGES, ROLE_EDIT_PACKAGES, ROLE_DELETE_PACKAGES, ROLE_ANTISPAM, ROLE_DISABLE_2FA ]
        ROLE_SUPERADMIN:  [ ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH ]