
[security] /api behind a firewall triggers an AccessDeniedException that is then transformed into an InsufficientAuthenticationException #519

Closed
Rebolon opened this issue Jan 15, 2018 · 6 comments

Rebolon commented Jan 15, 2018

I'm trying to secure the API and I configured the security.yaml like this:

security:
    encoders:
        # @todo should use password encoding, more info here: https://symfony.com/doc/current/security.html#c-encoding-the-user-s-password
        Symfony\Component\Security\Core\User\User: plaintext
    # https://symfony.com/doc/current/book/security.html#where-do-users-come-from-user-providers
    providers:
        in_memory:
            memory:
                users:
                    test:
                        password:           test
                        roles:              ROLE_USER
                    admin:
                        password:           admin
                        roles:              [ROLE_USER, ROLE_ADMIN]

    firewalls:
        dev:
            pattern: ^/(_(profiler|wdt)|css|images|js)/
            security: false
        vuejs:
            # /demo/login/json, /demo/login/json/isloggedin, /demo/login/json/logout and everything under /api
            pattern: ^/(demo/login/(json|json/isloggedin|json/logout)|api)
            anonymous: ~
            json_login:
                check_path: /demo/login/json
            logout:
                path:   demo_login_json_logout
                target: index
                invalidate_session: true

And I configure my entities with this kind of annotation:

use ApiPlatform\Core\Annotation\ApiResource;
use Doctrine\ORM\Mapping as ORM;

/**
 * @ApiResource(
 *     iri="http://schema.org/author",
 *     attributes={"access_control"="is_granted('ROLE_USER')"}
 * )
 * @ORM\Entity
 */
class Author { ... }

When I try to access /api/authors?page=1, I expect an HTTP 403, but I get an HTTP 500 sent from Symfony\Component\Security\Core\Exception\InsufficientAuthenticationException.

If I look at the stack, I can see that the original exception is a Symfony\Component\Security\Core\Exception\AccessDeniedException thrown by api-platform/core/src/Security/EventListener/DenyAccessListener.php.

When I look at the Symfony Security Component documentation, I see that I have to set up the status_code to get an HTTPException, or I'll get an AccessDeniedException.

So, is it possible to ask API Platform to return a 403? And how can I do this?

My setup is still Symfony 4, with Flex, the Annotations recipe, the Security and SensioFrameworkExtra bundles, and the api-platform component from master.

Thanks for help
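One way to get the anonymous-denied case out of the 500, as an added example that is not part of this issue and not code from API Platform or Symfony: an authentication entry point that answers with a 401 JSON body. Symfony's security ExceptionListener converts an AccessDeniedException for a token that is not fully authenticated (the anonymous token here) into the InsufficientAuthenticationException seen in the stack and hands it to the firewall's entry point; when the firewall has no entry point (json_login does not register one), the listener rethrows that exception, which is what surfaces as the 500. The class name and namespace are assumptions.

```php
<?php
// Added example (not from the issue, API Platform or Symfony). Namespace and
// class name are assumptions; wire it with `entry_point:` on the firewall.
declare(strict_types=1);

namespace App\Security;

use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Core\Exception\AuthenticationException;
use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;

final class JsonAuthenticationEntryPoint implements AuthenticationEntryPointInterface
{
    /**
     * Invoked by the security ExceptionListener when a request whose token is
     * not fully authenticated is denied access (here: anonymous user hitting
     * /api/authors behind is_granted('ROLE_USER')). Returning a Response stops
     * the InsufficientAuthenticationException from propagating as a 500.
     */
    public function start(Request $request, AuthenticationException $authException = null): JsonResponse
    {
        // Keep the body generic: do not leak which role or resource was required.
        $message = $authException instanceof AuthenticationException
            ? 'Full authentication is required to access this resource.'
            : 'Authentication required.';

        // 401 is the correct status for "not authenticated". A user who IS
        // authenticated but fails the access_control expression is turned
        // into AccessDeniedHttpException (403) by Symfony itself.
        return new JsonResponse(
            ['code' => JsonResponse::HTTP_UNAUTHORIZED, 'message' => $message],
            JsonResponse::HTTP_UNAUTHORIZED
        );
    }
}
```

With autowiring, reference the class as the service id in the posted config: add `entry_point: App\Security\JsonAuthenticationEntryPoint` under the `vuejs` firewall. Unauthenticated calls to /api then get a 401 with a JSON body instead of a 500; authenticated callers who fail `is_granted('ROLE_USER')` keep the 403, and that body can be shaped the same way with the firewall's `access_denied_handler` option.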

dunglas (Member) commented Jan 15, 2018

We probably need to add this exception there: https://github.com/api-platform/core/blob/master/src/Bridge/Symfony/Bundle/DependencyInjection/Configuration.php#L245-L248

Would you mind opening a pull request?

Rebolon (Author) commented Jan 15, 2018

I'll look at this tomorrow to try the modification and test it.

Rebolon (Author) commented Jan 16, 2018

I also opened an issue on Symfony: there is a bug with the json_login security system that can impact api-platform: symfony/symfony#25806

asimonf commented Oct 1, 2018

@dunglas, seeing as the PR didn't get anywhere and this doesn't seem to be getting anywhere on the Symfony issue, what is the proper course of action here to get it fixed mainline?

dunglas (Member) commented Oct 1, 2018

@asimonf IMO it should be fixed upstream in Symfony. I think that a PR would be very welcome.

alanpoulain (Member) commented:
Fixed in Symfony: symfony/symfony#28801.
