JSON:API can't handle exceptions thrown during authentication

Created on 5 December 2019, over 4 years ago
Updated 15 February 2023, over 1 year ago

Making a valid request to a JSON:API route with invalid authentication can result in an HTML-formatted response instead of api_json if the Authentication Provider throws an exception.

Because the authentication_subscriber runs before the route_listener, the exception ends the propagation of the kernel.request event before the format and route parameters have been set (an example in simple_oauth: 🐛 JSON:API can't handle exceptions thrown by the authentication provider, Active).

When JSON:API's DefaultExceptionSubscriber checks whether the error should be formatted using JSON:API, neither the format nor the route parameters have been set, so isJsonApiExceptionEvent returns false.

protected function isJsonApiExceptionEvent(GetResponseForExceptionEvent $exception_event) {
  $request = $exception_event->getRequest();
  $parameters = $request->attributes->all();
  return $request->getRequestFormat() === 'api_json' || (bool) Routes::getResourceTypeNameFromParameters($parameters);
}

The reasons why the Authentication Provider may throw an exception instead of just returning NULL are described in #2840205: Error messages/codes should be more helpful & match spec.

I've been wondering whether this issue needs to be fixed in the Authentication Providers or in JSON:API. I think at least in the case of expired tokens it makes more sense to return 401.

A possible solution would be to check directly on the request whether 'application/vnd.api+json' is in the Accept header. See patch.
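The failing check and the Accept-header variant proposed above, as an added example that is not part of this issue or of Drupal core. It assumes symfony/http-foundation is installed via Composer and uses a hypothetical 'resource_type' route attribute as a stand-in for Routes::getResourceTypeNameFromParameters().

```php
<?php
// Added example, not code from the issue or from Drupal core.
// Assumes symfony/http-foundation is available via Composer.
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

// Restates the current check: it only trusts state that the route_listener
// sets (request format, route parameters). When the authentication
// subscriber throws during kernel.request, that state is never populated.
function isJsonApiRequestByRoute(Request $request): bool {
  $parameters = $request->attributes->all();
  // Hypothetical stand-in for Routes::getResourceTypeNameFromParameters():
  // a JSON:API route is assumed to carry a 'resource_type' attribute once
  // routing has run.
  return $request->getRequestFormat() === 'api_json'
    || !empty($parameters['resource_type']);
}

// Proposed variant: additionally consult the client's content negotiation,
// which is present on the request even before routing has happened.
function isJsonApiRequestByAccept(Request $request): bool {
  if (isJsonApiRequestByRoute($request)) {
    return TRUE;
  }
  // getAcceptableContentTypes() parses the Accept header, including q-values
  // and multiple media types, so a plain substring match is not needed.
  return in_array('application/vnd.api+json', $request->getAcceptableContentTypes(), TRUE);
}

// Constructed request: a JSON:API client presents a bad bearer token and the
// authentication provider throws before the router has matched anything, so
// no _format attribute and no route parameters exist.
$request = Request::create('/jsonapi/node/article', 'GET', [], [], [], [
  'HTTP_ACCEPT' => 'application/vnd.api+json',
  'HTTP_AUTHORIZATION' => 'Bearer EXPIRED-TOKEN-PLACEHOLDER',
]);

echo 'route-based check:  ', var_export(isJsonApiRequestByRoute($request), TRUE), PHP_EOL;
echo 'accept-based check: ', var_export(isJsonApiRequestByAccept($request), TRUE), PHP_EOL;
```

With the route-based check alone the exception falls through to the HTML error renderer; with the Accept-based check the JSON:API error formatting is applied and the client receives a structured error document.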

πŸ› Bug report
Status

Needs work

Version

10.1 ✨

Component
JSON API

Last updated 1 day ago

Created by

🇺🇸 United States sam711
