- 🇺🇸 United States smustgrave
#18 and #19 lead me to believe more work is to be done on this issue.
Making a valid request to a JSON:API route with invalid authentication can result in an HTML-formatted response instead of api_json, if the Authentication Provider throws an exception.
Because the authentication_subscriber runs before the route_listener, the exception ends the propagation of the kernel.request event without correctly setting the format and route parameters (an example in simple_oauth: "JSON:API can't handle exceptions thrown by the authentication provider", status Active).
When JSON:API DefaultExceptionSubscriber checks if the error should be formatted using JSON:API, neither the format nor the route parameters have been set and isJsonApiExceptionEvent returns false.
protected function isJsonApiExceptionEvent(GetResponseForExceptionEvent $exception_event) {
  $request = $exception_event->getRequest();
  $parameters = $request->attributes->all();
  return $request->getRequestFormat() === 'api_json' || (bool) Routes::getResourceTypeNameFromParameters($parameters);
}
The reasons why the Authentication Provider may throw an exception instead of just returning NULL are here: #2840205: Error messages/codes should be more helpful & match spec.
I've been wondering whether this issue needs to be fixed at the Authentication Providers or JSON:API. I think at least in the case of expired tokens it makes more sense to return 401.
A possible solution would be to directly check on the request if 'application/vnd.api+json' is in the Accept header. See patch.
Needs work
10.1
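A minimal model of the ordering problem and of the proposed Accept-header check, added here as an illustration; it is not code from the patch, from Drupal core or from simple_oauth. FakeRequest, acceptedTypes(), handle(), the resource_type attribute and the token value are assumptions made for the example.

```php
<?php
// Hypothetical stand-ins for illustration; not Drupal or Symfony classes.
final class FakeRequest {
  public array $attributes = [];
  public ?string $format = NULL;
  public function __construct(public string $path, public array $headers = []) {}
}

// Media types from the Accept header, parameters such as ";q=0.9" stripped.
function acceptedTypes(FakeRequest $r): array {
  $types = [];
  foreach (explode(',', $r->headers['Accept'] ?? '') as $part) {
    $types[] = strtolower(trim(explode(';', $part)[0]));
  }
  return $types;
}

// Listeners run in order; an exception skips the ones that follow.
function handle(FakeRequest $r, bool $acceptFallback): string {
  $listeners = [
    'authentication' => function (FakeRequest $r) {
      if (($r->headers['Authorization'] ?? '') === 'Bearer expired') {
        throw new RuntimeException('The token has expired.', 401);
      }
    },
    'route' => function (FakeRequest $r) {
      if (str_starts_with($r->path, '/jsonapi/')) {
        $r->format = 'api_json';
        $r->attributes['resource_type'] = 'node--article';
      }
    },
  ];
  try {
    foreach ($listeners as $listener) {
      $listener($r);
    }
    return 'ok';
  }
  catch (RuntimeException $e) {
    // Format and route attributes are still unset here; only the header is left.
    $isJsonApi = $r->format === 'api_json' || isset($r->attributes['resource_type'])
      || ($acceptFallback && in_array('application/vnd.api+json', acceptedTypes($r), TRUE));
    return ($isJsonApi ? 'jsonapi' : 'html') . ' error ' . $e->getCode();
  }
}

// Constructed sample request with an expired token.
$headers = ['Accept' => 'application/vnd.api+json', 'Authorization' => 'Bearer expired'];
echo handle(new FakeRequest('/jsonapi/node/article', $headers), FALSE), PHP_EOL;
echo handle(new FakeRequest('/jsonapi/node/article', $headers), TRUE), PHP_EOL;
```

Because the Accept header is supplied by the client, the fallback in this model only selects the error format; the 401 code comes from the authentication failure in both calls.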