11.
JSON Errors in your API
Keep on Learning!
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
If you liked what you've learned so far, dive in! Subscribe to get access to this tutorial plus video, code and script downloads.
Whoops, an error! Please, try again later.
5 Comments
Well, unfortunately, with Symfony 3.3 I ran into the issue well-described here: https://github.com/symfony/symfony/issues/23253
<strong>BadCredentialsException</strong> does not trigger the entry point. It simply goes directly to <strong>ApiExceptionSubscriber</strong>, bypassing the <strong>start()</strong> method. Also, instead of an <strong>AuthenticationException</strong> a <strong>DenyAccessException</strong> is thrown, which is neither an <strong>AuthenticationException</strong> nor an <strong>HttpException</strong>.
At this moment, I have added the following code into the <strong>onKernelException</strong> method of <strong>ApiExceptionSubscriber</strong>:
`
# Let Symfony handle all other exceptions
if (!$exception instanceof HttpExceptionInterface) {
}
`
Are you aware of this issue? Any possible solution to it?
Hey Vladimir Z.!
Haha, I'm aware of this issue now that you've mentioned it! And since you posted, a PR has been opened (I'm actually chatting right now with the author of that PR about it). So, in short, we will hopefully fix the issue soon. But, you should be able to fix it yourself by giving your
ApiExceptionSubscribera priority of -1 (that will make a bit more sense if you read the issue you linked to). You can see how to add a priority in the phpdoc for the EventSubscriberInterface: https://github.com/symfony/symfony/blob/master/src/Symfony/Component/EventDispatcher/EventSubscriberInterface.phpCheers!
Hi guys, sorry if I missed something, but I couldn't find.
With JwtTokenAuthenticator working in every end point, what would we do in the end point api/tokens. How could we define a public end point as we need to ask the token first to be used in the others ones ;)
Yo Gisele!
It's a good question :). I'll say two things:
1) JwtTokenAuthenticator works on every endpoint. But, in getCredentials(), if we don't see the Authorization header, then we return null. When this happens, the authenticator doesn't do anything: the request is allowed to continue to your controller anonymously. So, even though the authenticator works on every endpoint, this doesn't mean that every endpoint *requires* a JWT: it simply means that the authenticator is ready to authenticate the user *if* there is a token. If there is no token, the request continues anonymously. Then, it's up to your controller - or access_control in security.yml - to determine whether or not each endpoint does in fact require authentication. If you don't check for a role in either of these places, then that endpoint is public.
2) So, in the case of /api/tokens (where we obviously don't have a JWT yet), this is a public endpoint, and in the controller, we manually check for a username+password combination on the request. If that's there, then we send back the JWT.
Does that help?
Cheers!
weaverryan
Thanks for your explanation, makes total sense. You've been doing a great job.. thanks again ;)
"Houston: no signs of life"
Start the conversation!