gnu-social/config/packages/security.yaml

security:
    # https://symfony.com/doc/current/security.html#where-do-users-come-from-user-providers
    providers:
        local_user:
            chain:
                providers: [local_user_by_nickname, local_user_by_email]
        local_user_by_nickname:
            entity:
                class: 'App\Entity\LocalUser'
                property: 'nickname'
        local_user_by_email:
            entity:
                class: 'App\Entity\LocalUser'
                property: 'email'
    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        main:
            anonymous: true
            lazy: true
            provider: local_user
            guard:
                authenticators:
                    - App\Security\Authenticator
            logout:
                path: security_logout
                # where to redirect after logout
                target: main_all

            remember_me:
                secret: '%kernel.secret%'
                secure: true
                httponly: '%remember_me_httponly%'
                samesite: '%remember_me_samesite%'
                token_provider: 'Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider'

            # activate different ways to authenticate
            # https://symfony.com/doc/current/security.html#firewalls-authentication

            # https://symfony.com/doc/current/security/impersonating_user.html
            # switch_user: true

    # Easy way to control access for large sections of your site
    # Note: Only the *first* access control that matches will be used
    access_control:
        - { path: ^/admin, roles: ROLE_ADMIN }
        - { path: ^/settings, roles: ROLE_USER }