PathValidator won't work on POST-only requests

Created on 26 October 2025, 16 days ago
Updated 27 October 2025, 15 days ago

Problem/Motivation

The SimpleOauthAuthenticationProvider in simple_oauth module uses Drupal's PathValidator::getUrlIfValidWithoutAccessCheck() to determine if a route has opted out of OAuth authentication via the _oauth_skip_auth option. However, this creates a bug for POST-only routes that require OAuth authentication.

The issue occurs because:

  1. PathValidator::getUrl() (line 123) creates an internal test request using Request::create('/' . $path)
  2. Request::create() without a method parameter defaults to GET requests
  3. The router's match() method (line 167) throws MethodNotAllowedException for POST-only routes when matched with GET
  4. This exception is caught (line 178) and returns FALSE, causing the authentication provider to skip the route option check
  5. As a result, POST-only OAuth-authenticated endpoints cannot be validated properly during the authentication phase

This affects any POST-only route that requires OAuth authentication, such as the RFC 7662 Token Introspection endpoint (/oauth/introspect), which must only accept POST requests per the specification.

Steps to reproduce

  1. Create a route that accepts only POST requests with OAuth authentication:
    example.endpoint:
      path: '/oauth/example'
      defaults:
        _controller: '\Drupal\example\Controller\ExampleController::handle'
      methods: [POST]
      requirements:
        _access: 'TRUE'
      options:
        _auth: ['oauth2']
    
  2. Attempt to make a POST request to the endpoint with a valid Bearer token
  3. Observe that SimpleOauthAuthenticationProvider::applies() at line 143 calls getUrlIfValidWithoutAccessCheck()
  4. The method internally creates a GET request, which fails to match the POST-only route
  5. The route option check is skipped, causing potential authentication issues

Proposed resolution

Modify SimpleOauthAuthenticationProvider::applies() to pass the current request's HTTP method to the PathValidator. This requires either:

Option 1: Extend PathValidatorInterface to accept an optional Request parameter:

public function getUrlIfValidWithoutAccessCheck($path, Request $request = NULL);
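To show the mechanism concretely, here is an added stand-alone example (not code from simple_oauth or Drupal core) that reproduces the lookup with Symfony's own router: matching the POST-only route with a test request created the way PathValidator::getUrl() does (defaulting to GET) throws MethodNotAllowedException and yields FALSE, while reusing the incoming request's method finds the route and its options. It assumes symfony/routing and symfony/http-foundation are installed via Composer; the lookupRouteOptions() helper is a hypothetical stand-in for PathValidator::getUrl().

```php
<?php
// Added example, not code from the simple_oauth module or Drupal core.
// Assumes: composer require symfony/routing symfony/http-foundation
require __DIR__ . '/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Routing\Exception\MethodNotAllowedException;
use Symfony\Component\Routing\Exception\ResourceNotFoundException;
use Symfony\Component\Routing\Matcher\UrlMatcher;
use Symfony\Component\Routing\RequestContext;
use Symfony\Component\Routing\Route;
use Symfony\Component\Routing\RouteCollection;

// A POST-only route with the same shape as the one in the issue.
$routes = new RouteCollection();
$routes->add('example.endpoint', new Route(
  '/oauth/example',
  ['_controller' => '\Drupal\example\Controller\ExampleController::handle'],
  ['_access' => 'TRUE'],
  ['_auth' => ['oauth2'], '_oauth_skip_auth' => FALSE],
  '', [], ['POST']
));

/**
 * Hypothetical stand-in for PathValidator::getUrl(): builds an internal test
 * request, matches it, and returns the route options or FALSE on failure.
 * Without $incoming the test request defaults to GET (the reported bug);
 * with it, the incoming request's HTTP method is reused (the proposed fix).
 */
function lookupRouteOptions(RouteCollection $routes, string $path, ?Request $incoming = NULL) {
  $method = $incoming ? $incoming->getMethod() : 'GET';
  $test = Request::create('/' . ltrim($path, '/'), $method);
  $context = (new RequestContext())->fromRequest($test);
  try {
    $match = (new UrlMatcher($routes, $context))->match($test->getPathInfo());
    return $routes->get($match['_route'])->getOptions();
  }
  catch (MethodNotAllowedException | ResourceNotFoundException $e) {
    // This is the branch the authentication provider ends up in for POST-only routes.
    return FALSE;
  }
}

$incoming = Request::create('/oauth/example', 'POST');
// Buggy lookup: GET test request against a POST-only route.
var_dump(lookupRouteOptions($routes, 'oauth/example'));
// Fixed lookup: the test request carries the incoming POST method.
var_dump(lookupRouteOptions($routes, 'oauth/example', $incoming));
```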

Remaining tasks

  • Determine the preferred solution approach (Option 1 or 2)
  • Implement the chosen solution
  • Add test coverage for POST-only OAuth-authenticated routes
  • Update documentation if API changes are introduced
  • Verify backward compatibility with existing OAuth routes

User interface changes

None.

API changes

Depends on chosen solution:

  • Option 1: PathValidatorInterface::getUrlIfValidWithoutAccessCheck() would accept optional Request parameter (backward compatible)
  • Option 2: No API changes (convention change only), but it may be backwards incompatible.

Data model changes

None.

🐛 Bug report
Status

Needs review

Version

6.0

Component

Code

Created by

e0ipso Can Picafort
