QueryParameterValidateListener should run after authentication

[1ed]

API Platform version(s) affected: >=v2.3.0-beta.1

Description

I have a protected resource with a collection operation and a required integer filter. If I make a GET request without the filter and without an access token I get a 400 bad request instead of 401.

How to reproduce

See the description.

Possible Solution

The priority of the QueryParameterValidateListener seems to high to me, I think it should run just before the ReadListener at like priority 5.

Registered Listeners for "kernel.request" Event
===============================================

 ------- ---------------------------------------------------------------------------------------------- ---------- 
  Order   Callable                                                                                       Priority  
 ------- ---------------------------------------------------------------------------------------------- ---------- 
  #1      Symfony\Bridge\Monolog\Processor\WebProcessor::onKernelRequest()                               4096      
  #2      Symfony\Component\HttpKernel\EventListener\DebugHandlersListener::configure()                  2048      
  #3      Symfony\Component\HttpKernel\EventListener\ValidateRequestListener::onKernelRequest()          256       
  #4      Symfony\Component\HttpKernel\EventListener\SessionListener::onKernelRequest()                  128       
  #5      Symfony\Component\HttpKernel\EventListener\LocaleListener::setDefaultLocale()                  100       
  #6      Symfony\Component\HttpKernel\EventListener\RouterListener::onKernelRequest()                   32        
  #7      ApiPlatform\Core\EventListener\QueryParameterValidateListener::onKernelRequest()               16        
  #8      Symfony\Component\HttpKernel\EventListener\LocaleListener::onKernelRequest()                   16        
  #9      Symfony\Component\HttpKernel\EventListener\LocaleAwareListener::onKernelRequest()              15        
  #10     Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener::configureLogoutUrlGenerator()   8         
  #11     Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener::onKernelRequest()               8         
  #12     ApiPlatform\Core\EventListener\AddFormatListener::onKernelRequest()                            7         
  #13     Sentry\SentryBundle\EventListener\RequestListener::handleKernelRequestEvent()                  5         
  #14     Sentry\SentryBundle\EventListener\TracingRequestListener::handleKernelRequestEvent()           4         
  #15     ApiPlatform\Core\EventListener\ReadListener::onKernelRequest()                                 4         
  #16     Sentry\SentryBundle\EventListener\SubRequestListener::handleKernelRequestEvent()               3         
  #17     ApiPlatform\Core\Security\EventListener\DenyAccessListener::onSecurity()                       3         
  #18     Sentry\SentryBundle\EventListener\TracingSubRequestListener::handleKernelRequestEvent()        2         
  #19     ApiPlatform\Core\EventListener\DeserializeListener::onKernelRequest()                          2         
  #20     ApiPlatform\Core\Security\EventListener\DenyAccessListener::onSecurityPostDenormalize()        1         
  #21     ApiPlatform\Core\Bridge\Symfony\Bundle\EventListener\SwaggerUiListener::onKernelRequest()      0         
 ------- ---------------------------------------------------------------------------------------------- ---------- 

Additional Context

[stale]

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

[nawel-les-tilleuls]

I take this issue

[soyuka]

still open as the fix was breaking #5540

[soyuka]

Closing you've ways to fix this yourself now.

[maks-rafalko]

Closing you've ways to fix this yourself now.

could you please point to the place where it's documented? Sorry if I missed something

[soyuka]

Declare the service yourself changing the priority doesn't work? We can still change priorities though it's out of the backward compatibility layer (though it may break some tests out there ^^)...

On 3.2 you can even decorate the ReadProvider or the AccessCheckerProvider to do this. It's hard to provide user-configuration over these priorities without overriding the dependency injection though.