REST 403 responses are nullified when JSON API is enabled

I can confirm this error.

\Drupal\jsonapi\EventSubscriber\DefaultExceptionSubscriber::onException handles the exception

Then in \Drupal\jsonapi\EventSubscriber\DefaultExceptionSubscriber::setEventResponse
$encoded_content = $this->serializer->serialize($exception, $format, ['data_wrapper' => 'errors']);
The exception sent to serialize() here does have the message "The 'access content' permission is required."

$encoded_content though then equals {}

I think the error gets taken out \Drupal\jsonapi\Normalizer\HttpExceptionNormalizer::normalize

The above could try to be fixed but would there be a way to check if the error is from a jsonapi route and then only handle errors from those routes?

would there be a way to check if the error is from a jsonapi route and then only handle errors from those routes?

The short answer is that in the current state of core. We can't. See #2831137: Remove the need for ?_format=api_json: assume the use of the 'api_json' format for routes managed by JSON API.

No, the bug is in \Drupal\jsonapi\EventSubscriber\DefaultExceptionSubscriber::onException().

It is not checking the getHandledFormats() return value: it's not comparing that to the format of the current request. Instead, it is handling every format that is supported by the serializer. This is wrong.

I came to this realization while working on #2825347: 'Accept' header still is used for determining response format of error responses, ?_format= has no effect AND serialization module's exception subscriber does not support status code 500 error responses.

I'll work on a patch for this when I'm done with that issue!

Basically this.

Retesting...

Thanks everyone!