Security Bug with Symfony (Hitting Protected Endpoint Always Returns Unauthorized)

Question

I have the following config/packages/security.yml file and it really looks like follows:

framework:
    rate_limiter:
        username_ip_login:
            policy: token_bucket
            limit: 5
            rate: { interval: '5 minutes' }

        ip_login:
            policy: sliding_window
            limit: 50
            interval: '15 minutes'

    services:
        app.login_rate_limiter:
            class: Symfony\Component\Security\Http\RateLimiter\DefaultLoginRateLimiter
            arguments:
                $globalFactory: '@limiter.ip_login'
                $localFactory: '@limiter.username_ip_login'

    security:
        enable_authenticator_manager: true
        password_hashers:
            App\Entity\User:
                algorithm: auto

        providers:
            app_user_provider:
                entity:
                    class: App\Entity\User
                    property: email
        firewalls:
            dev:
                pattern: ^/(_(profiler|wdt)|css|images|js)/
                security: false
                login_throttling:
                    max_attempts: 3
                    interval: '15 minutes'
                    limiter: app.login_rate_limiter
            main:
                lazy: true
                provider: app_user_provider
                login_throttling:
                    max_attempts: 3
                    interval: '15 minutes'
                    limiter: app.login_rate_limiter
                json_login:
                    check_path: /login
                    username_path: email
                    password_path: password
                custom_authenticators: 
                    - App\Security\TokenAuthenticator
                entry_point: App\Security\EntryPointAuth
                stateless: true

        access_control:
            - { path: ^/profile, roles: ROLE_USER }
            - { path: ^/books, roles: ROLE_USER }

And here is my controller:

<?php

namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\Routing\Annotation\Route;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Serializer\SerializerInterface;

class ProfileController extends AbstractController
{

    private SerializerInterface $serializer;

    public function __construct(SerializerInterface $serializer)
    {
        $this->serializer = $serializer;
    }

    #[Route('/profile', name: 'get_profile', methods: ["GET"])]
    public function index(): JsonResponse
    {
        $user = $this->getUser();

        $result = $this->serializer->serialize($user, 'json', ['groups' => ['read']]);

        return JsonResponse::fromJsonString($result);
    }

    #[Route("/profile", name: "update_profile", methods: ["PUT"])]
    public function update(): JsonResponse
    {
        echo 2;
        exit;
    }
}

Now it succeeds when I hit GET /profile But when I hit PUT /profile to update, it gives me 410 unauthorized response.

I use access token stateless implementation for security and the protected endpoint GET /profile is working perfectly, why PUT /profile is not working even if I use the same token for both endpoints?

Any ideas? Will be appreciated.

Answer 1

I got to manage it working by changing the PUT route to profile/update instead of just profile because it makes a conflict. I think it is a bug in Symfony that needs to be addressed.

Or you need to change the access control route to /profile to the following:

- { path: ^/profile, roles: ROLE_USER, methods: [GET, PUT] }