Chapters

37 Chapters | 3:43:31 |

01

API Docs on Production?

8:22
02

API Tokens? Session Cookies?

8:07
03

API Login Form with json_login

5:36
04

Handling Authentication Errors

3:47
05

On Authentication Success

6:03
06

Logout & Passing API Data to JavaScript

5:45
07

Passing Values to Stimulus

4:32
08

Token Types & The ApiToken Entity

5:59
09

Generating the API Token & Fixtures

5:58
10

Access Token Authenticator

8:56
11

Customizing the OpenAPI Docs

7:31
12

API Token Scopes

5:51
13

Deny Access with The "security" Option

7:11
14

Bootstrapping a Killer Test System

8:18
15

JSON Test Assertions & Seeding the Database

3:41
16

Advanced & Flexible JSON Test Assertions

4:04
17

Testing Authentication

4:59
18

Customizing Browser Globally

3:50
19

Testing Token Authentication

3:24
20

New PUT Behavior

4:46
21

Only Allow Owners to Edit

7:49
22

Allow Admin Users to Edit any Treasure

4:11
23

Security Voter

6:13
24

Conditional Fields by User: ApiProperty

5:13
25

User Test + Plain Password

4:21
26

State Processors: Hashing the User Password

6:55
27

Validation Groups & Patch Formats

8:01
28

Dynamic Groups: Context Builder

8:26
29

Custom Normalizer

5:08
30

Normalizer Decoration & "Normalizer Aware"

6:29
31

Totally Custom Fields

3:24
32

Custom Validator

7:58
33

Validating how Values Change

8:30
34

Auto Setting the "owner"

4:19
35

Query Extension: Auto-Filter a Collection

6:15
36

404 On Unpublished Items

8:00
37

Filtering Relation Collection

5:39

> APIs > API Platform 3 Part 2: Security for your Treasures

Buy Access to Course

11.

Customizing the OpenAPI Docs

Autoplay

Keep on Learning!

If you liked what you've learned so far, dive in! Subscribe to get
access to this tutorial plus video, code and script downloads.

Start your All-Access Pass

Buy just this tutorial for $12.00

Previous Challenge

Next Challenge

With a Subscription, click any sentence in the script to jump to that part of the video!

To use API tokens in Swagger, we need to type the word "Bearer" and then the token. Lame! Especially if we intend for this to be used by real users. So how can we fix that?

The OpenAPI Spec is the Key

Remember that Swagger is entirely generated from the OpenAPI spec document that API Platform builds. You can see this document either by viewing the page source - you can see it all right there - or by going to /api/docs.json. A few minutes ago, we added some config to API Platform called Authorization:

            Copy Code

                            Show All Lines

                        18 lines
            |
            config/packages/api_platform.yaml
        
            api_platform:
        
                Show Lines

                                                    // ... lines 2 - 7
                            
                swagger:
        
                    api_keys:
        
                        access_token:
        
                            name: Authorization
        
                            type: header
        
                Show Lines

                                                    // ... lines 13 - 18

The end result is that it added these security sections down here. Yup, it's that simple: this config triggered these new sections in this JSON document: nothing else. Swagger then reads that and knows to make this "Authorization" available.

So I did some digging directly on the OpenAPI site and I found out that it does have a way to define an authentication scheme where you do not need to pass the "Bearer" part manually. Unfortunately, unless I'm missing it, API Platform's config does not support adding that. So are we done for? No way! And for an awesome reason.

Creating our OpenApiFactory

To create this JSON document, internally, API Platform creates an OpenApi object, populates all this data onto it and then sends it through Symfony's serializer. This is important because we can tweak the OpenApi object before it goes through the serializer. How? The OpenApi object is created via a core OpenApiFactory... and we can decorate that.

Check it out: over in the src/ directory, create a new directory called ApiPlatform/... and inside, a new PHP class called OpenApiFactoryDecorator. Make this implement OpenApiFactoryInterface. Then go to "Code"->"Generate" or Command+N on a Mac to implement the one method we need: __invoke():

            Copy Code

                            Show All Lines

                        15 lines
            |
            src/ApiPlatform/OpenApiFactoryDecorator.php
        
                Show Lines

                                                    // ... lines 1 - 2
                            
            namespace App\ApiPlatform;
        
            use ApiPlatform\OpenApi\Factory\OpenApiFactoryInterface;
        
            use ApiPlatform\OpenApi\OpenApi;
        
            class OpenApiFactoryDecorator implements OpenApiFactoryInterface
        
            {
        
                public function __invoke(array $context = []): OpenApi
        
                {
        
                    // TODO: Implement __invoke() method.
        
                }
        
            }

Hello Service Decoration!

Right now, a core OpenApiFactory service exists in API Platform that creates the OpenApi object with all this data on it. Here's our sneaky plan: we're going to tell Symfony to use our new class as the OpenApiFactory instead of the core one. But... we definitely do not want to re-implement all of the core logic. To avoid that, we'll also tell Symfony to pass us the original, core OpenApiFactory.

You might be familiar with what we're doing. It's class decoration: an object-oriented strategy for extending classes. It's really easy to do in Symfony and API Platform leverages it a lot.

Whenever you do decoration, you will always create a constructor that accepts the interface that you're decorating. So OpenApiFactoryInterface. I'll call this $decorated. Oh, and let me put private in front of that:

            Copy Code

                            Show All Lines

                        25 lines
            |
            src/ApiPlatform/OpenApiFactoryDecorator.php
        
                Show Lines

                                                    // ... lines 1 - 4
                            
            use ApiPlatform\OpenApi\Factory\OpenApiFactoryInterface;
        
                Show Lines

                                                    // ... lines 6 - 9
                            
            class OpenApiFactoryDecorator implements OpenApiFactoryInterface
        
            {
        
                public function __construct(private OpenApiFactoryInterface $decorated)
        
                {
        
                }
        
                Show Lines

                                                    // ... lines 15 - 23
                            
            }

Perfect.

Down here, to start, say $openApi = $this->decorated and then call the __invoke() method passing the same argument: $context:

            Copy Code

                            Show All Lines

                        25 lines
            |
            src/ApiPlatform/OpenApiFactoryDecorator.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class OpenApiFactoryDecorator implements OpenApiFactoryInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 15
                            
                public function __invoke(array $context = []): OpenApi
        
                {
        
                    $openApi = $this->decorated->__invoke($context);
        
                Show Lines

                                                    // ... lines 19 - 22
                            
                }
        
            }

That will call the core factory which will do all the hard work of creating the full OpenApi object. Down here, return that:

            Copy Code

                            Show All Lines

                        25 lines
            |
            src/ApiPlatform/OpenApiFactoryDecorator.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class OpenApiFactoryDecorator implements OpenApiFactoryInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 15
                            
                public function __invoke(array $context = []): OpenApi
        
                {
        
                    $openApi = $this->decorated->__invoke($context);
        
                Show Lines

                                                    // ... lines 19 - 21
                            
                    return $openApi;
        
                }
        
            }

And in between? Yup, that's where we can mess with things! To make sure this is working, for now, just dump the $openApi object:

            Copy Code

                            Show All Lines

                        25 lines
            |
            src/ApiPlatform/OpenApiFactoryDecorator.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            class OpenApiFactoryDecorator implements OpenApiFactoryInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 15
                            
                public function __invoke(array $context = []): OpenApi
        
                {
        
                    $openApi = $this->decorated->__invoke($context);
        
                    dump($openApi);
        
                    return $openApi;
        
                }
        
            }

The #[AsDecorator] Attribute

At this moment, from an object-oriented point of view, this class is set up correctly for decoration. But Symfony's container is still set up to use the normal OpenApiFactory: it's not going to use our new service at all. We somehow need to tell the container that, first, the core OpenApiFactory service should be replaced by our service, and second, that the original core service should be passed to us.

How can we do that? Above the class, add an attribute called #[AsDecorator] and hit tab to add that use statement. Pass this the service id of the original, core OpenApiFactory. You can do some digging to find this or usually the documentation will tell you. API platform actually documents decorating this service, so right in their docs, you'll find that the service id is api_platform.openapi.factory:

            Copy Code

                            Show All Lines

                        25 lines
            |
            src/ApiPlatform/OpenApiFactoryDecorator.php
        
                Show Lines

                                                    // ... lines 1 - 6
                            
            use Symfony\Component\DependencyInjection\Attribute\AsDecorator;
        
            #[AsDecorator('api_platform.openapi.factory')]
        
            class OpenApiFactoryDecorator implements OpenApiFactoryInterface
        
            {
        
                Show Lines

                                                    // ... lines 12 - 23
                            
            }

That's it! Thanks to this, anyone that was previously using the core api_platform.openapi.factory service will receive our service instead. But the original one will be passed to us.

So... it should be working! To test it, head to the API homepage and refresh. Yes! When this page loads, it renders the OpenAPI JSON document in the background. The dump in the web debug toolbar proves that it hit our code! And check out that beautiful OpenApi object: it has everything including security, which matches what we saw in the JSON. So now, we can tweak that!

Customizing the OpenAPI Config

The code I'll put here is a bit specific to the OpenApi object and the exact config that I know we need in the final Open API JSON:

            Copy Code

                            Show All Lines

                        30 lines
            |
            src/ApiPlatform/OpenApiFactoryDecorator.php
        
                Show Lines

                                                    // ... lines 1 - 9
                            
            #[AsDecorator('api_platform.openapi.factory')]
        
            class OpenApiFactoryDecorator implements OpenApiFactoryInterface
        
            {
        
                Show Lines

                                                    // ... lines 13 - 16
                            
                public function __invoke(array $context = []): OpenApi
        
                {
        
                    $openApi = $this->decorated->__invoke($context);
        
                    $securitySchemes = $openApi->getComponents()->getSecuritySchemes() ?: new \ArrayObject();
        
                Show Lines

                                                    // ... lines 22 - 26
                            
                    return $openApi;
        
                }
        
            }

We fetch the $securitySchemes, and then override access_token. This matches the name we used in the config. Set that to a new SecurityScheme() object with two named arguments: type: 'http' and scheme: 'bearer':

            Copy Code

                            Show All Lines

                        30 lines
            |
            src/ApiPlatform/OpenApiFactoryDecorator.php
        
                Show Lines

                                                    // ... lines 1 - 5
                            
            use ApiPlatform\OpenApi\Model\SecurityScheme;
        
                Show Lines

                                                    // ... lines 7 - 9
                            
            #[AsDecorator('api_platform.openapi.factory')]
        
            class OpenApiFactoryDecorator implements OpenApiFactoryInterface
        
            {
        
                Show Lines

                                                    // ... lines 13 - 16
                            
                public function __invoke(array $context = []): OpenApi
        
                {
        
                    $openApi = $this->decorated->__invoke($context);
        
                    $securitySchemes = $openApi->getComponents()->getSecuritySchemes() ?: new \ArrayObject();
        
                    $securitySchemes['access_token'] = new SecurityScheme(
        
                        type: 'http',
        
                        scheme: 'bearer',
        
                    );
        
                    return $openApi;
        
                }
        
            }

That's it! First refresh the raw JSON document so we can see what this looks like. Let me search for "Bearer". There we go! We modified what the JSON looks like!

What does Swagger think about this new config? Refresh and hit "Authorize". Ok cool: access_token, http, Bearer. Go steal an API token... paste without saying Bearer first and hit "Authorize". Let's test the same endpoint. Whoops, I need to hit "Try it out". And... gorgeous! Look at that Authorization header! It passed Bearer for us. Mission accomplished.

By the way, you might think, because we're completely overriding the access_token config, that we could just delete it from api_platform.yaml. Unfortunately, for subtle reasons that have to do with how the security documentation is generated, we do still need this. But I'll say # overridden in OpenApiFactoryDecorator:

            Copy Code

                            Show All Lines

                        19 lines
            |
            config/packages/api_platform.yaml
        
            api_platform:
        
                Show Lines

                                                    // ... lines 2 - 7
                            
                swagger:
        
                    api_keys:
        
                        # overridden in OpenApiFactoryDecorator
        
                        access_token:
        
                Show Lines

                                                    // ... lines 12 - 19

This was just one example of how you could extend your Open API spec doc. But if you ever need to tweak something else, now you know how.

Next, let's talk about scopes.

13 Comments

Sort By

pasquale_pellicani 1 year ago edited

Hi guys, I follow all code but after I decorate the api_platform with the decorator, I paste a token on swagger and when I try a simple GET I receive '

Error: Internal Server Error

Response body
Downloads
{
 "@context": "/api/contexts/Error",
 "@id": "/api/errors/500",
 "@type": "Error",
 "title": "An error occurred",
 "detail": "Session was used while the request was declared stateless.",
 "status": 500,
 "type": "/errors/500"...

do i need to specify the stateless parameter in security.yaml? I'm with symfony 7.2 and in the video i didn't see the stateless pass, i was wondering if it should be done or not. thanks

| Reply |

pasquale_pellicani pasquale_pellicani 1 year ago edited

If I add stateless: true solved I paste below my yaml config:

firewalls:
    dev:
        pattern: ^/(_(profiler|wdt)|css|images|js)/
        security: false
    main:
        lazy: true
        provider: app_user_provider

        json_login:
            check_path: app_login
            username_path: email
            password_path: password

        logout:
            path: app_logout

        access_token:
            token_handler: App\Security\ApiTokenHandler

        stateless: true

| Reply |

sadikoff pasquale_pellicani 10 months ago

Hi,

Yeah but in this case you will loose session login and you will need to pass token in each request. There is a little tip on this page https://symfonycasts.com/screencast/api-platform-security/login-response#thanks-session about stateless ApiPlatform default configuration change. Maybe it will be helpful

Cheers!

1 | Reply |

Teddy-B 1 year ago edited

Hi SymfonyCast,
I have some issues with Authenticating using the Swagger UI.
I have had this problem a couple of days now,

I have modified the lexik_jwt_authentication.yaml file,
to extract a token from the authorization header with the name "X-Authorization" instead of "Authentication"
because I was previously having problems with the frontend application interacting with the backend through Caddy.

So changing the authorization header key to "X-Authorization" helpt avoid the issue between the backend and frontend authentication.

But now on swagger ui, I cant authenticate with the token because Swagger UI still tries making a Curl request with the "Authorization" key

I have read several forum and articles and tried the following configuraitons (see nelmio_api_doc.yaml below) to chang the curl request made by Swagger UI, but unfortunaly it does not accept the changes I am trying to make:

I also tried intercepting every request with a eventSubscriber and check every request "kernel.request" for a authorization key.
and modify it. I thought this was the way to go but it seems to ignore/ not work at all, so I gave up on this idea.
Unfortunaley I am stuck, else I just have to keep switching between "X-Authorization" and "Authorization" if I just want to check something on swagger ui.

I would like to know what I am doin wrong or if I just dont understand what ApiKeyAuth is supposed to be used for
and is it achievable what I am trying to do?

nelmio_api_doc.yaml

nelmio_api_doc:
    documentation:
        info:
            title: My App
            description: This is an awesome app!
            version: 1.0.0
        components:
            securitySchemes:
                # Bearer:
                #     type: http
                #     scheme: bearer
                ApiKeyAuth:
                    type: apiKey
                    in: header
                    name: X-Authorization
        security:
            - ApiKeyAuth: []
    areas: # to filter documented areas
        path_patterns:
            - ^/api(?!/doc$) # Accepts routes under /api except /api/doc

Lexik_jwt_authentication.yaml

lexik_jwt_authentication:
    secret_key: '%env(resolve:JWT_SECRET_KEY)%'
    public_key: '%env(resolve:JWT_PUBLIC_KEY)%'
    pass_phrase: '%env(JWT_PASSPHRASE)%'
    token_ttl: 36000
    # token_ttl: 3600
    # clock_skew: 0
    # allow_no_expiration: false
    api_platform:
        check_path: /api/login_check
        username_path: email
        password_path: security.credentials.password
    # encoder:
    #     service: acme_api.encoder.nixilla_jwt_encoder
# token extraction settings
    token_extractors:
    #     # look for a token as Authorization Header
        authorization_header:
            enabled: true
            prefix: Bearer
            name:   X-Authorization

swagger ui curl request

curl -X 'GET' \
  'https://localhost/api/users?page=1' \
  -H 'accept: application/ld+json' \
  -H 'Authorization: xxxxxx.         <<<<<<<< key is not X-Authorization as specified in nelmio__api_doc.yaml

| Reply |

Jared 1 year ago edited

Guys, I got the following error:

The service "App\ApiPlatform\OpenApiFactoryDecorator" has a dependency on a non-existent service "api_platform.open_api.factory".

I did print bin/console config:dump api_platform possible config options, but there is no factory parameter.
The Symfony version is 6.2.6.

@weaverryan @MolloKhan

| Reply |

Jared Jared 1 year ago edited

I got it. Instead of api_platform.open_api.factory should be api_platform.openapi.factory.
But I still don't realize where the factory option is coming from, it doesn't exists in the config.

| Reply |

Victor SFCASTS Jared 1 year ago edited

Hey Jared,

Yep, seems like you made a typo, the correct service name is api_platform.openapi.factory.

But I still don't realize where the factory option is coming from, it doesn't exists in the config

The api_platform.openapi.factory is a service name, not a config path, i.e. this is a standalone service ID @api_platform.openapi.factory that is injected in OpenApiFactoryDecorator. You probably mislead it with a config path.

Cheers!

1 | Reply |

Jared Victor 1 year ago

Thank you! I got it :)

| Reply |

Oleh-K 2 years ago

Maybe something has been changed in API Platform with updates, since this video was recorded. I've tried, and securitySchemes hasn't been overridden.

        $securitySchemes = $openApi->getComponents()->getSecuritySchemes() ?: new \ArrayObject();
        $securitySchemes['access_token'] = new SecurityScheme(
            type: 'http',
            scheme: 'bearer',
        );

After some workaround I've stopped on this solution:

    public function __invoke(array $context = []): OpenApi
    {
        $decorated = $this->factory->__invoke($context);

        $components = $decorated->getComponents()->withSecuritySchemes(
            new ArrayObject(
                [
                    'JWT' => new SecurityScheme(
                        type:         'http',
                        description:  'Value for the JWT Authorization header parameter.',
                        scheme:       'bearer',
                        bearerFormat: 'JWT'
                    )
                ]
            )
        );

        return $decorated->withComponents($components);
    }

| Reply |

weaverryan SFCASTS Oleh-K 2 years ago

Hey @Oleh-K!

Sorry for the slow reply! Hmm. I wonder: did you add the access_token config to api_platform.yaml? I actually think your solution is superior. My guess (I could be wrong) is that you don't have this config. And so, this line:

$securitySchemes = $openApi->getComponents()->getSecuritySchemes() ?: new \ArrayObject();

is using the new \ArrayObject part. But in my code, because I have the config, the $openApi->getComponents()->getSecuritySchemes() is returning an ArrayObject. The difference is that, in my case, I'm them "mutating" this existing object. But in your case, your "mutation" the new \ArrayObject(), which is then never actually set into the OpenApi object. Basically, my code was short-sighted and would ONLY work in the case where $openApi->getComponents()->getSecuritySchemes() DOES return an ArrayObject.

Am I correct? Does $openApi->getComponents()->getSecuritySchemes() return an ArrayObject or is it null? Anyway, your solution is superior, I believe, as it will work in call cases.

Cheers!

| Reply |

Joris-Mak weaverryan 1 year ago edited

I've noticed that modifying the existing objects in place doesn't seem to alter the openApi object returned. The 'withXxxx' methods seem to suggest they are immutable as well (otherwise there would be getters and setters, you often see 'withers' if the original object is inmutable).

For other openApi-doc-tweaks I've had to use the 'with' calls to change the openApi object returend, and I ran into the same here. I really had the exact same lines in api_platform.yaml, and the Swagger docs were showing the previous 'auth' method where you had to paste in 'Bearer' yourself.

If I look at $openApi->getSecurity() instead of getComponents()->getSecuritySchemes(), I DO see the 'access_token' keyname in there, but it contains an empty array.

After doing it the way in this tutorial, the word 'bearer' just does not occur in the openapi json file... at all. Which can't be right :).

I've went with something similar as @Oleh-K above, but more of a nod to the tutorial code:

        $openApi = $this->decorated->__invoke($context);

        $components = $openApi->getComponents();
        $schemes = $components->getSecuritySchemes();
        if ($schemes === null) {
            throw new \Exception('No security schemes found in OpenAPI spec');
        }
        
        $schemes['access_token'] = new SecurityScheme(
            type: 'http',
            scheme: 'bearer',
        );

        return $openApi->withComponents($components->withSecuritySchemes($schemes));

| Reply |

iclaborda weaverryan 2 years ago edited

Hello @weaverryan , I had a similar issue, but in my case, the code is failing at:

$openApi = $this->decorated->__invoke($context);

Cannot access offset string on string. the code is just like yours. what could be the cause?

| Reply |

weaverryan SFCASTS iclaborda 2 years ago

Hey @iclaborda!

Sorry for the super slow reply - busy season in the Symfony world :).

Hmm. That specific line looks fine and I can't see how you're accessing an array offset on that line specifically. Perhaps the stacktrace showed you a bit more info - like the error was happening deeper somewhere? If you're still on this issue and have a stracktrace, let me know :).

Cheers!

| Reply |

API Platform 3 Symfony 6.2

What PHP libraries does this tutorial use?

// composer.json
{
    "require": {
        "php": ">=8.2",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "api-platform/core": "^3.0", // v3.1.2
        "doctrine/annotations": "^2.0", // 2.0.1
        "doctrine/doctrine-bundle": "^2.8", // 2.8.3
        "doctrine/doctrine-migrations-bundle": "^3.2", // 3.2.2
        "doctrine/orm": "^2.14", // 2.14.1
        "nelmio/cors-bundle": "^2.2", // 2.2.0
        "nesbot/carbon": "^2.64", // 2.66.0
        "phpdocumentor/reflection-docblock": "^5.3", // 5.3.0
        "phpstan/phpdoc-parser": "^1.15", // 1.16.1
        "symfony/asset": "6.2.*", // v6.2.5
        "symfony/console": "6.2.*", // v6.2.5
        "symfony/dotenv": "6.2.*", // v6.2.5
        "symfony/expression-language": "6.2.*", // v6.2.5
        "symfony/flex": "^2", // v2.2.4
        "symfony/framework-bundle": "6.2.*", // v6.2.5
        "symfony/property-access": "6.2.*", // v6.2.5
        "symfony/property-info": "6.2.*", // v6.2.5
        "symfony/runtime": "6.2.*", // v6.2.5
        "symfony/security-bundle": "6.2.*", // v6.2.6
        "symfony/serializer": "6.2.*", // v6.2.5
        "symfony/twig-bundle": "6.2.*", // v6.2.5
        "symfony/ux-react": "^2.6", // v2.7.1
        "symfony/ux-vue": "^2.7", // v2.7.1
        "symfony/validator": "6.2.*", // v6.2.5
        "symfony/webpack-encore-bundle": "^1.16", // v1.16.1
        "symfony/yaml": "6.2.*" // v6.2.5
    },
    "require-dev": {
        "doctrine/doctrine-fixtures-bundle": "^3.4", // 3.4.2
        "mtdowling/jmespath.php": "^2.6", // 2.6.1
        "phpunit/phpunit": "^9.5", // 9.6.3
        "symfony/browser-kit": "6.2.*", // v6.2.5
        "symfony/css-selector": "6.2.*", // v6.2.5
        "symfony/debug-bundle": "6.2.*", // v6.2.5
        "symfony/maker-bundle": "^1.48", // v1.48.0
        "symfony/monolog-bundle": "^3.0", // v3.8.0
        "symfony/phpunit-bridge": "^6.2", // v6.2.5
        "symfony/stopwatch": "6.2.*", // v6.2.5
        "symfony/web-profiler-bundle": "6.2.*", // v6.2.5
        "zenstruck/browser": "^1.2", // v1.2.0
        "zenstruck/foundry": "^1.26" // v1.28.0
    }
}

Previous Challenge

Next Challenge

Customizing the OpenAPI Docs

Share this awesome video!

Keep on Learning!

The OpenAPI Spec is the Key

Creating our OpenApiFactory

Hello Service Decoration!

The #[AsDecorator] Attribute

Customizing the OpenAPI Config

13 Comments

Delete comment?

What PHP libraries does this tutorial use?

	api_platform:
Show Lines	// ... lines 2 - 7
	swagger:
	api_keys:
	access_token:
	name: Authorization
	type: header
Show Lines	// ... lines 13 - 18

Show Lines	// ... lines 1 - 2
	namespace App\ApiPlatform;

	use ApiPlatform\OpenApi\Factory\OpenApiFactoryInterface;
	use ApiPlatform\OpenApi\OpenApi;

	class OpenApiFactoryDecorator implements OpenApiFactoryInterface
	{
	public function __invoke(array $context = []): OpenApi
	{
	// TODO: Implement __invoke() method.
	}
	}

Show Lines	// ... lines 1 - 4
	use ApiPlatform\OpenApi\Factory\OpenApiFactoryInterface;
Show Lines	// ... lines 6 - 9
	class OpenApiFactoryDecorator implements OpenApiFactoryInterface
	{
	public function __construct(private OpenApiFactoryInterface $decorated)
	{
	}
Show Lines	// ... lines 15 - 23
	}

Show Lines	// ... lines 1 - 9
	class OpenApiFactoryDecorator implements OpenApiFactoryInterface
	{
Show Lines	// ... lines 12 - 15
	public function __invoke(array $context = []): OpenApi
	{
	$openApi = $this->decorated->__invoke($context);
Show Lines	// ... lines 19 - 22
	}
	}

Show Lines	// ... lines 1 - 6
	use Symfony\Component\DependencyInjection\Attribute\AsDecorator;

	#[AsDecorator('api_platform.openapi.factory')]
	class OpenApiFactoryDecorator implements OpenApiFactoryInterface
	{
Show Lines	// ... lines 12 - 23
	}

Show Lines	// ... lines 1 - 5
	use ApiPlatform\OpenApi\Model\SecurityScheme;
Show Lines	// ... lines 7 - 9
	#[AsDecorator('api_platform.openapi.factory')]
	class OpenApiFactoryDecorator implements OpenApiFactoryInterface
	{
Show Lines	// ... lines 13 - 16
	public function __invoke(array $context = []): OpenApi
	{
	$openApi = $this->decorated->__invoke($context);

	$securitySchemes = $openApi->getComponents()->getSecuritySchemes() ?: new \ArrayObject();
	$securitySchemes['access_token'] = new SecurityScheme(
	type: 'http',
	scheme: 'bearer',
	);

	return $openApi;
	}
	}