Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.When fetching the array of authentication methods to populate the checkbox options the parameter "authentication_providers" from the container is returned in getAuthOptions() with array_combine. This alters array keys and causes provider_id's to not match what you would expect, causing 403 Forbidden on all requests to rest export routes with authentication enabled.
Example
With array_combine this is the returned value from getAuthOptions
array (size=3)
'basic_auth' => string 'basic_auth' (length=10)
'simple_oauth' => string 'simple_oauth' (length=12)
'user' => string 'user' (length=4)
Without array_combine this is the returned value. As you can see the key for simple_oauth now matches the provider id specified in the simple_oauth.services.yml. This is also true with cookie/user auth
array (size=3)
'basic_auth' => string 'basic_auth' (length=10)
'token_bearer' => string 'simple_oauth' (length=12)
'cookie' => string 'user' (length=4)
Then when AuthenticationManager->defaultFilter() is called and checks for the provider_id in the routes auth options they match and the views result is returned.
in_array($provider_id, $route->getOption('_auth'));
I cannot see any need for the array_combine so will submit a patch to remove it unless someone knows otherwise.
| Comment | File | Size | Author |
|---|---|---|---|
| #6 | restexport_authentication_options-2808583-6.patch | 811 bytes | james.williams |
| #2 | cant_authenticate_with_rest_export-2808583-1.patch | 607 bytes | Robytfc |
Comments
Comment #2
Robytfc CreditAttribution: Robytfc commentedComment #3
Robytfc CreditAttribution: Robytfc commentedComment #4
Wim LeersThanks! Sorry that you didn't get feedback sooner, this fell off my radar.
I'm afraid this looks wrong, because:
i.e. because An array to use as value for "#options" in the form element.. In that case, the keys are the values used in Form API, and the values are the labels presented to the user. Hence the use of
array_combine()does make sense to me.Comment #5
Wim LeersComment #6
james.williams CreditAttribution: james.williams at ComputerMinds commentedThe keys should indeed be kept untouched, which avoiding
array_combine()achieves. However, labels for each option are needed, which aren't anywhere in the codebase at the moment. There are no annotations for authentication providers to provide a human-readable label, nor methods to provide them instead. So although values for the #options array are needed, at the moment even the keys are wrong, and labels would need adding somewhere new. I'm not sure of the best place for them?Perhaps a new
label()method needs adding toAuthenticationProviderInterface, or to preserve backwards-compatibilty, a newLabelledAuthenticationProviderInterfacewould be needed? This starts to get messy.I suggest the best start-point would be to fix the keys, since otherwise this just doesn't work, plain and simple. Then a separate follow-up ticket could proceed with the architectural change to add labels. Here's my suggested patch to get the keys correct, and have a more useful label that does not require architectural change, based on the pattern used on the Field list report (/admin/reports/fields). This may even suffice rather than having any truly human-readable labels maybe?
Comment #7
james.williams CreditAttribution: james.williams at ComputerMinds commentedComment #8
dawehnerNote: This is a duplicate of #2825204: REST views: authentication is broken in which we already have at least tests for some parts of the patch.
Comment #9
james.williams CreditAttribution: james.williams at ComputerMinds commentedAh - thanks!