I develop a REST API for a smartphone app. The authentication is made with a token given in the headers. I created an authenticator (which inherits AbstractGuardAuthenticator), added it to the list of guards in my security.yml, and everything works fine.
Now, I develop a web interface so that the user can reproduce some of the actions he/she can do from his/her smartphone directly inside a browser. I plan to just do simple AJAX requests. My problem is about the authentication.
On the website, the user can authenticate either with the default username/password form provided by Symfony, or with Facebook (thanks to HWIOAuthBundle). In both cases, the authentication relies on a PHPSESSID cookie and a Token that is created to authenticate the user.
My question is: how can I configure my app so that the access to the API is controlled either by my custom token guard or by the default Symfony/HWIOAuthBundle authenticator depending on the request?
I know that the "cookie way" is not a RESTful practice, but I don't see why it would be a bad thing in this situation - it seems to be the most "natural" and easy way to proceed.
UPDATE 2016-12-29: I removed my API firewall section in the security.yml, I now have only one main section. In this section, I have 3 "listeners": the form_login, the oauth (for Facebook), and my guard. It works fine this way. The only issue I might see is that the parts of the website that were before only protected by the form_login/oauth are now also accessible by satisfying my guard, i.e. adding a valid token in the headers. I don't see what could go wrong, but it does not seem really rigorous. Does anyone have an idea about this?
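One way to narrow the exposure described in the update is to scope the guard to API paths only, so that pages outside the API remain reachable solely through a form_login/oauth session while the single firewall stays in place. This is an added example written against the Symfony 3-era Guard API (where getCredentials() returning null skips the authenticator), not the poster's code; the header name X-AUTH-TOKEN, the /api/ prefix and the provider method loadUserByToken() are assumptions.

```php
<?php
// Added example, not the poster's code. Assumed: header X-AUTH-TOKEN, API
// prefix /api/, and a placeholder provider method loadUserByToken().
namespace AppBundle\Security;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Core\User\UserInterface;
use Symfony\Component\Security\Core\User\UserProviderInterface;
use Symfony\Component\Security\Guard\AbstractGuardAuthenticator;

class ApiTokenAuthenticator extends AbstractGuardAuthenticator
{
    const HEADER = 'X-AUTH-TOKEN'; // assumed header name
    const API_PREFIX = '/api/';    // assumed API path prefix

    // Returning null makes Guard skip this authenticator, so pages outside
    // /api/ stay reachable only through a form_login/oauth session.
    public function getCredentials(Request $request)
    {
        if (strpos($request->getPathInfo(), self::API_PREFIX) !== 0) {
            return null;
        }
        $token = $request->headers->get(self::HEADER);
        return ($token === null || $token === '') ? null : ['token' => $token];
    }
    public function getUser($credentials, UserProviderInterface $userProvider)
    {
        // Assumed lookup; returning null here ends in onAuthenticationFailure()
        return $userProvider->loadUserByToken($credentials['token']);
    }
    public function checkCredentials($credentials, UserInterface $user)
    {
        return true; // the token lookup itself proved possession
    }
    public function onAuthenticationSuccess(Request $request, TokenInterface $token, $providerKey)
    {
        return null; // continue to the controller
    }
    public function onAuthenticationFailure(Request $request, AuthenticationException $exception)
    {
        return new JsonResponse(['message' => 'Invalid API token'], Response::HTTP_FORBIDDEN);
    }
    public function start(Request $request, AuthenticationException $authException = null)
    {
        return new JsonResponse(['message' => 'Authentication required'], Response::HTTP_UNAUTHORIZED);
    }
    public function supportsRememberMe() { return false; }
}
```

Browser AJAX calls to /api/ that carry the PHPSESSID cookie but no token header are still served by the session authenticators, since the guard returns null for them.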