- Issue created by @pbonnefoi
- 🇫🇷France pbonnefoi
Indeed it was accessible to anonymous users. I changed it and it's kinda working, but it's odd to me that the bearer is not checked prior to the content access permission, and besides, there is no logging that really helps you understand why it's not accessible.
I have the problem on another project where we have a custom REST route with permission only for authenticated users and it's not working. Maybe it's due to accessCheck on the query not being there (as it's now mandatory since D10).
- 🇫🇷France pbonnefoi
Well, you might be right. I thought about it but didn't know how to proceed.
- 🇺🇸United States pwolanin
Seems like this is not a bug. You may be interested in this issue to be able to log some info about auth failures:
✨ Create a mechanism to log the decode exception in \Drupal\jwt\Authentication\Provider\JwtAuth::authenticate() Needs review
- Status changed to Fixed 9 months ago 6:14pm 14 March 2024
@pwolanin Make sure to comment on the security issue about why, or the module may be marked unsupported.
Automatically closed - issue fixed for 2 weeks with no activity.