Poor documentation leads to obscure bug where JSON authentication leads to 404 errors in modern runtimes such as FrankenPHP #6831

@dwgebler

Description

This issue is minimally reproducible by using the latest API Platform distribution template. You will need to run the production Docker config to use FrankenPHP in worker mode.

Add the Lexik JWT authentication bundle to a new project and configure an auth endpoint as per normal.

Add an API resource with some validation constraint on it.

Use the following configuration for packages/api_platform.yaml:

```yaml
api_platform:
    formats:
        json: ['application/json']
        jsonld: ['application/ld+json']
        multipart: ['multipart/form-data']
    defaults:
        formats:
            json: ['application/json']
            jsonld: ['application/ld+json']
            multipart: ['multipart/form-data']
        extra_properties:
            rfc_7807_compliant_errors: true
```

Make a request to your auth endpoint and obtain a token. Authenticate with this token against a POST request to your API resource, but in the request body, violate your validation constraint so that a 422 response is returned.

Now immediately call your auth endpoint: you will get a 404 error, because Symfony will determine that the authenticator doesn't support the request, and because the auth endpoint doesn't have a real controller, when the authenticator doesn't run no controller will be resolved and the route won't be matched to anything. This is happening because, in the long-running worker, the 422 response has returned application/problem+json and overwritten the request format mime-type mappings (which are static) in the HttpFoundation Request class, probably by calling setFormat somewhere.

The fix is to use the corrected config below:

```yaml
api_platform:
    formats:
        json: ['application/json', 'application/problem+json']
        jsonproblem: ['application/json', 'application/problem+json']
        jsonld: ['application/ld+json']
        multipart: ['multipart/form-data']
    defaults:
        formats:
            json: ['application/json', 'application/problem+json']
            jsonproblem: ['application/json', 'application/problem+json']
            jsonld: ['application/ld+json']
            multipart: ['multipart/form-data']
        extra_properties:
            rfc_7807_compliant_errors: true
```

But the documentation for API Platform on content negotiation and error handling really isn't clear. This caused a bug for me in a production environment that took ages to track down and gave me a headache, so for the benefit of others in future, please address this somewhere. Thanks.
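The mechanism the report describes (a process-wide format/mime-type map that survives from one request to the next inside a long-running worker), as an added example that is not part of the issue and not API Platform's or Symfony's own code. It uses the real `Request::setFormat()`, `getFormat()` and `getMimeType()` methods from symfony/http-foundation, which keep the map in a static property. The `setFormat()` call standing in for the 422 error handler is the reporter's hypothesis, not a quote of API Platform; the URLs, request bodies and the list of formats in the snapshot are constructed for the demonstration. The drift check at the end is the kind of guard a defender can run after each request in a worker to catch this class of cross-request state leak.

```php
<?php
// Added example: demonstrates cross-request leakage of Symfony's static
// format => mime-type map in a worker process, plus a drift check for it.
// Requires symfony/http-foundation (composer require symfony/http-foundation).

require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

/**
 * Snapshot the format/mime-type pairs the application relies on for routing
 * and content negotiation. The lists are an assumption for this example;
 * extend them with the formats your own application registers.
 */
function formatMapSnapshot(Request $request): array
{
    $snapshot = [];
    foreach (['json', 'jsonld', 'form'] as $format) {
        // First mime type registered for the format (null if unknown).
        $snapshot['format:' . $format] = $request->getMimeType($format);
    }
    foreach (['application/json', 'application/problem+json', 'application/ld+json'] as $mime) {
        // Format resolved for the mime type (null if no format claims it).
        $snapshot['mime:' . $mime] = $request->getFormat($mime);
    }
    return $snapshot;
}

/**
 * Return the entries whose value differs between two snapshots. In a worker
 * loop, a non-empty result after handling a request means the process-wide
 * map was mutated and every later request in this process will see it.
 */
function formatMapDrift(array $before, array $after): array
{
    $drift = [];
    foreach ($before as $key => $value) {
        if (($after[$key] ?? null) !== $value) {
            $drift[$key] = ['before' => $value, 'after' => $after[$key] ?? null];
        }
    }
    return $drift;
}

// --- Simulated worker loop handling two constructed requests ----------------

// Request 1: a POST that (in the scenario from the report) ends in a 422.
$first = Request::create('/api/books', 'POST', [], [], [],
    ['CONTENT_TYPE' => 'application/json'], '{}');
$before = formatMapSnapshot($first);

// Stand-in for whatever code mutates the map while producing the
// application/problem+json error response. The issue only suspects a
// setFormat() call, so this line is the assumption under test, not a quote
// of API Platform's code. Note the argument replaces the whole list for
// "json"; application/json is no longer mapped to anything afterwards.
$first->setFormat('json', ['application/problem+json']);

// Request 2: a brand-new Request object for the auth endpoint. It still
// sees the mutated map, because setFormat() wrote to a static property.
$second = Request::create('/auth', 'POST', [], [], [],
    ['CONTENT_TYPE' => 'application/json'], '{"username":"u","password":"p"}');
$after = formatMapSnapshot($second);

// Before the mutation this resolves to "json"; after it, to NULL.
var_dump($second->getFormat($second->headers->get('Content-Type')));

$drift = formatMapDrift($before, $after);
if ($drift !== []) {
    // In a real worker: log with enough detail to find the culprit, then
    // either restore the known-good mapping or fail the worker so the
    // process manager recycles it instead of serving broken requests.
    error_log('request format map changed between requests: ' . json_encode($drift));
    $second->setFormat('json', ['application/json', 'application/problem+json']);
}
```

Running the script prints `string(4) "json"` if the `setFormat()` line is commented out and `NULL` with it in place, which is the observable symptom behind the 404 in the report: once `application/json` no longer resolves to a format, request-format-dependent logic such as the authenticator's `supports()` check stops matching. The snapshot/drift pair is cheap enough to run after every request in a worker, and logging the diff pinpoints which format was rewritten and by what value.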
