Handling DTOs with custom controller

[vicdelfant]

There seem to be two different options for handling non-entity requests such as a "recover password":

1. Using a custom controller
2. Using a custom EventSubscriber

Which one is the actual recommended way for our "recover password" use case? Using a custom controller (option 1) feels closest to how Symfony would normally work, but the documentation says:

Note: the event system should be preferred over custom controllers when applicable.

Using an EventSubscriber works flawlessly but does add quite some complexity compared to the custom controller approach.

We have tested option 2 (using a custom EventSubscriber) and this works flawlessly. We then tried option 1 (a custom controller) but it seems as if no validation is being done on the input before __invoke is called. There's an @Assert\NotBlank() and @Assert\Email() in place on the property in our DTO, but the controller is invoked even with incomplete or incorrect input. This is kind of confusing because the docs say:

In this case, the entity will pass through all built-in event listeners of API Platform. It will be automatically validated, persisted and serialized in JSON-LD.

The exact same DTO is, without any changes, validated properly if we switch our implementation back to the EventSubscriber option.

Are we doing something wrong or should we simply stick to the EventSubscriber approach? The annotations, operations etc. all work perfectly so the problem is limited to the actual validation of the input.

[wimme002]

i think validation is performed on the response of a controller.
If you want to validate the data, you have to do it manually in your controller or in a DeserializeListener

[vicdelfant]

It feels kind of weird that validation is done out the output instead of the input, but now that I found api-platform/core#1538 and more specifically api-platform/core#1538 (comment), I think it's best to leave this as-is and stick with the EventListener approach instead of an action.