Auth middleware raising unresolvable dependency on Api class

[tembra]

Hello guys!

For authentication I'm using tymondesigns/jwt-auth integrated with Laravel Passport classes, without using HTML boilerplate, of course, because it is an API.

So I have the following code registering routes in my routes/api.php:

app('json-api')->register('v1', [], function (ApiGroup $api, $router) {
    $router->group([
        'prefix' => 'auth',
        'as' => 'auth.',
    ], function ($router) {
        $router->post('login', 'AuthController@login')->name('login');
        $router->post('logout', 'AuthController@logout')->name('logout');
        ...
    });

    $router->group([
        'middleware' => ['auth'],
    ], function () use ($api, $router) {
        $api->resource('first-resource');
        $api->resource('second-resource');
        ...
    });
});

In my AuthController on __construct method I used $this->middleware('auth', 'except' => ['login']); and everything is working fine. Login is not protected and logout requires authentication. Notice that I'm using default Laravel router ($router) to define the routes.

However while protecting resources by creating a router group with middleware auth, when unauthenticated, the API is returning two errors:

1. A correctly unauthenticated error from auth middleware formated in JSON:API:

{
    "errors": [
        {
            "status": "401",
            "title": "Unauthenticated"
        }
    ]
}

2. An unresolvable dependency in JSON format:

{
    "message": "Unresolvable dependency resolving [Parameter #2 [ <required> $apiName ]] in class CloudCreativity\\LaravelJsonApi\\Api\\Api",
    "exception": "Illuminate\\Contracts\\Container\\BindingResolutionException",
    "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
    "line": 978,
    "trace": [
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 917,
            "function": "unresolvablePrimitive",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 855,
            "function": "resolvePrimitive",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 822,
            "function": "resolveDependencies",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 668,
            "function": "build",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 618,
            "function": "resolve",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Foundation\\Application.php",
            "line": 735,
            "function": "make",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 932,
            "function": "make",
            "class": "Illuminate\\Foundation\\Application",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 856,
            "function": "resolveClass",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 822,
            "function": "resolveDependencies",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 668,
            "function": "build",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Container\\Container.php",
            "line": 618,
            "function": "resolve",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Foundation\\Application.php",
            "line": 735,
            "function": "make",
            "class": "Illuminate\\Container\\Container",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Foundation\\Http\\Kernel.php",
            "line": 215,
            "function": "make",
            "class": "Illuminate\\Foundation\\Application",
            "type": "->"
        },
        {
            "file": "...vendor\\laravel\\framework\\src\\Illuminate\\Foundation\\Http\\Kernel.php",
            "line": 189,
            "function": "terminateMiddleware",
            "class": "Illuminate\\Foundation\\Http\\Kernel",
            "type": "->"
        },
        {
            "file": "...public\\index.php",
            "line": 58,
            "function": "terminate",
            "class": "Illuminate\\Foundation\\Http\\Kernel",
            "type": "->"
        },
        {
            "file": "...server.php",
            "line": 19,
            "function": "require_once"
        }
    ]
}

In case of an authentication is provided (a JWT through Bearer) everything works fine and the data is returned.

I had already tried to not use groups and:

1. Use 'middleware' => 'auth' option in each resource.
2. Extend controller by using 'controller' => 'ApiController' and then using $this->middleware('auth') inside controller's construct method.
3. Re-register the v1 API using 'middleware' => 'auth' option in second parameter of register function.

None of them worked and always these two errors are thrown to the user.
Is this a bug or may I'm missing something?

BTW I'm using dev-develop branch that was installed using reference 63095e737a5523ee64aefed901ed64a6623629ce

Thanks in advance!

[lindyhopchris]

Can you use route:list to find out what middleware is registered for the resource routes? They should have json-api:v1 as middleware. The exception trace implies they don't.

[lindyhopchris]

Also additional questions: do your login and logout routes return JSON API encoded content?

[tembra]

Can you use route:list to find out what middleware is registered for the resource routes? They should have json-api:v1 as middleware. The exception trace implies they don't.

Yes. I already done this. json-api:v1 is applied. Look:

+--------+----------+---------------------------------+-------------------------------+--------------------------------------------------------------------------+---------------------------------------+
| Domain | Method   | URI                             | Name                          | Action                                                                   | Middleware                            |
+--------+----------+---------------------------------+-------------------------------+--------------------------------------------------------------------------+---------------------------------------+
|        | POST     | api/v1/auth/login               | api:v1:auth.login             | App\Http\Controllers\AuthController@login                                | api,json-api:v1,json-api.content      |
|        | POST     | api/v1/auth/logout              | api:v1:auth.logout            | App\Http\Controllers\AuthController@logout                               | api,json-api:v1,auth,json-api.content |
|        | GET|HEAD | api/v1/first-resource           | api:v1:first-resource.index   | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@index  | api,json-api:v1,auth,json-api.content |
|        | POST     | api/v1/first-resource           | api:v1:first-resource.create  | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@create | api,json-api:v1,auth,json-api.content |
|        | GET|HEAD | api/v1/first-resource/{record}  | api:v1:first-resource.read    | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@read   | api,json-api:v1,auth,json-api.content |
|        | PATCH    | api/v1/first-resource/{record}  | api:v1:first-resource.update  | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@update | api,json-api:v1,auth,json-api.content |
|        | DELETE   | api/v1/first-resource/{record}  | api:v1:first-resource.delete  | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@delete | api,json-api:v1,auth,json-api.content |
|        | GET|HEAD | api/v1/second-resource          | api:v1:second-resource.index  | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@index  | api,json-api:v1,auth,json-api.content |
|        | POST     | api/v1/second-resource          | api:v1:second-resource.create | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@create | api,json-api:v1,auth,json-api.content |
|        | GET|HEAD | api/v1/second-resource/{record} | api:v1:second-resource.read   | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@read   | api,json-api:v1,auth,json-api.content |
|        | PATCH    | api/v1/second-resource/{record} | api:v1:second-resource.update | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@update | api,json-api:v1,auth,json-api.content |
|        | DELETE   | api/v1/second-resource/{record} | api:v1:second-resource.delete | CloudCreativity\LaravelJsonApi\Http\Controllers\JsonApiController@delete | api,json-api:v1,auth,json-api.content |
+--------+----------+---------------------------------+-------------------------------+--------------------------------------------------------------------------+---------------------------------------+

Also additional questions: do your login and logout routes return JSON API encoded content?

Yes. All my routes return JSON API encoded content. If it is not a resource we encapsulated it with meta as top-level member. I use following helpers functions provide by this package:

• json_api()->response()->meta()
• json_api()->response()->errors()
• json_api()->response()->noContent()

[lindyhopchris]

Ok, yeah so that looks like it should work. I'll see if I can reproduce this in the test suite.

[lindyhopchris]

So I can't reproduce this. I suspect that this may be a problem with the setup in your application - the reason being is that you say that two errors are thrown to the user, one in JSON API format and one in JSON format.

That shouldn't be happening and implies that something is wrong with your Exception handler set up, as only one rendering of an exception should occur. Can you share your exception handler code?

[lindyhopchris]

Although I say all of that, I'm not sure the problem is definitely in your Exception handler. There is definitely something wrong with the setup though if you're getting two error renderings, plus all the alternatives you've tried don't work. The use of the auth middleware is integration tested, plus I've got it in production apps and not seeing what you're seeing.

[tembra]

@lindyhopchris Thank you for your investigating.

BTW I really change my Exception handler a little bit to handle unauthenticated exception into JSON:API format and also to show error trace instead of 500 Internal Server Error when environment is local:

    /**
     * Render an exception into an HTTP response.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Exception $exception
     *
     * @return \Illuminate\Http\Response
     */
    public function render($request, Exception $exception)
    {
        if ($this->isJsonApi($request, $exception)) {
            $response = $this->renderJsonApi($request, $exception);

            if ('local' !== config('app.env')) {
                return $response;
            }

            $obj = json_decode($response->content());

            if ('500' !== @$obj->errors[0]->status) {
                return $response;
            }
        }

        return parent::render($request, $exception);
    }

    /**
     * Convert an authentication exception into a response.
     *
     * @param \Illuminate\Http\Request $request
     * @param \Illuminate\Auth\AuthenticationException $exception
     *
     * @return \Illuminate\Http\Response
     */
    protected function unauthenticated($request, AuthenticationException $exception)
    {
        return $this->renderJsonApi($request, $exception);
    }

As middlewares run in sequence I think that auth middleware is correctly raising an AuthenticationException and returning in JSON:API format, but the request is not being finished. Instead it makes a call to $next(...) and then json-api.content tries to run but fail to instantiate Api class because it does not have my v1 as $apiName what is really weird.

I did not go too deep into the code yet because I'm really busy, but I'll.
If I identify anything else that can help or even the root problem and the solution I'll reply here.

Also let me know if you have any new ideas about what is happening.

[lindyhopchris]

I think I've figured out what the problem might be... the kernel terminateMiddleware method is resolving all the middleware out of the container again so that it can call the terminate method on any terminable middleware.

So this means I probably shouldn't be type-hinting the API in the constructor of the json-api.content middleware because if an exception occurs before json-api:v1 runs, the API won't be bound in the container.

What I don't understand is why this is occurring in your scenario, as I've never seen it before. Out of interest, what's in your api middleware group?

[lindyhopchris]

Ok I can reproduce this now... the problem is the authentication exception is being thrown before json-api:v1 is being run, and then the exception occurs in the Kernel termination. That explains why you get the two responses... because the response is actually sent before termination.

It is a bug in this package because the binding resolution failure should not occur during termination. However, you need to check what is running before json-api:v1 because something before that is causing the authentication exception.

[tembra]

Yeah! You got it. That's is exactly what is happening.

And going through your thoughts the problem is that even if in my routes json-api:v1 comes first than auth, the auth is always called first because it is on Kernel $middlewarePriority property.

I did not test yet because I'm away from my desktop, but maybe for now if I add json-api:v1 in this property before auth it should work.

Out of interest, what's in your api middleware group?

BTW it's untouched:

        'api' => [
            'throttle:60,1',
            'bindings',
        ],

[lindyhopchris]

Ok great. I've got a test that re-creates the bug so I'll also push a fix to the develop branch.

[tembra]

Nice. Thank you again.