Problem/Motivation
A fatal TypeError is thrown when accessing a user's API key management page (/user/{user}/key-auth) under certain conditions (e.g. when the route is resolved without a fully authenticated user context, or triggered via a redirect from the login page).
The error message is:
Uncaught PHP Exception TypeError: "Drupal\key_auth\KeyAuth::access(): Argument #1 ($user) must be of type Drupal\user\UserInterface, Drupal\Core\Session\AccountProxy given, called in /modules/contrib/key_auth/src/Form/UserKeyAuthForm.php on line 118" at /modules/contrib/key_auth/src/KeyAuth.php line 114
The root cause is in UserKeyAuthForm::checkAccess(): when checking whether the current user may view their own key, $this->keyAuth->access($account) is called with $account (an AccountInterface / AccountProxy instance), but KeyAuth::access() declares its parameter as UserInterface. PHP 8 enforces this type declaration strictly and throws a TypeError.
Additionally, PHP 8.4 emits two deprecation notices for implicitly nullable parameters in buildForm() (line 40) and checkAccess() (line 109). The explicit ?UserInterface syntax is required.
Steps to reproduce
- Install the key_auth module.
- Log in as a regular user (or be redirected to login and back).
- Visit /user/{uid}/key-auth for your own account.
- Observe the TypeError in the PHP error log and a blank/error page in the browser.
Proposed resolution
In UserKeyAuthForm::checkAccess(), replace $account with $user in the call to $this->keyAuth->access(). The $user argument is already resolved to a UserInterface object by the route's parameter upcasting, making it the correct argument to pass.
Before (line ~118):
return AccessResult::allowedIf($this->keyAuth->access($account))
After:
return AccessResult::allowedIf($this->keyAuth->access($user))
This is semantically correct as well: the intent is to check whether the user whose key page is being viewed has access enabled, not the currently logged-in session account (which may differ in edge cases such as masquerading or admin acting as user).
Remaining tasks
- Review the proposed fix.
- Add a regression test covering the checkAccess() method with a standard authenticated user.
- Commit and release a patch release.
User interface changes
None.
API changes
None.
Data model changes
None.
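The type mismatch and the proposed fix from the issue summary above, reduced to a stand-alone PHP 8 script. This is an added example, not code from the key_auth module: the interfaces and classes are minimal stand-ins for the Drupal types, and keyAuthEnabled(), the null guard and the own-page comparison are assumptions made for the sketch.

```php
<?php
// Stand-ins for the Drupal types named in the issue; not the real classes.
interface AccountInterface { public function id(): int; }
interface UserInterface extends AccountInterface {
  public function keyAuthEnabled(): bool; // hypothetical method for this sketch
}

// Plays the role of AccountProxy: an account, but not a user entity.
final class AccountProxy implements AccountInterface {
  public function __construct(private int $uid) {}
  public function id(): int { return $this->uid; }
}

final class User implements UserInterface {
  public function __construct(private int $uid, private bool $enabled) {}
  public function id(): int { return $this->uid; }
  public function keyAuthEnabled(): bool { return $this->enabled; }
}

final class KeyAuth {
  // Same parameter type as the signature quoted in the error message.
  public function access(UserInterface $user): bool {
    return $user->keyAuthEnabled();
  }
}

// Before: the session account is passed, so PHP 8 throws a TypeError.
function checkAccessBefore(KeyAuth $k, AccountInterface $account, ?UserInterface $user = null): bool {
  return $k->access($account);
}

// After: the upcast route user is passed. The null guard and the own-page
// comparison are simplifications assumed here, not the module's logic.
function checkAccessAfter(KeyAuth $k, AccountInterface $account, ?UserInterface $user = null): bool {
  return $user !== null && $account->id() === $user->id() && $k->access($user);
}

$keyAuth = new KeyAuth();
$session = new AccountProxy(7);   // constructed: current session account
$routeUser = new User(7, true);   // constructed: upcast {user} parameter

try {
  checkAccessBefore($keyAuth, $session, $routeUser);
  echo "before: no error\n";
} catch (TypeError $e) {
  echo "before: TypeError\n";
}
echo "after: ", var_export(checkAccessAfter($keyAuth, $session, $routeUser), true), "\n";
// A user with key auth disabled is denied even on their own page.
echo "disabled: ", var_export(checkAccessAfter($keyAuth, $session, new User(7, false)), true), "\n";
```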
| Comment | File | Size | Author |
|---|---|---|---|
| #3 | key_auth-3587887-php84-nullable-buildform-1.patch | 514 bytes | boinkster |
| | key_auth_fix_checkaccess.patch | 774 bytes | foxfabi |
| #2 | key_auth_fix_all.patch | 1.1 KB | foxfabi |
Issue fork key_auth-3587887
Comments
Comment #2
foxfabi commented
The explicit ?UserInterface syntax is required.
Comment #3
boinkster commented
Neither patch applied for me; here's a rerolled patch.