fix: Fixed stateless with some listeners

config/packages/security.yaml

@@ -24,8 +24,48 @@ security:
         dev:
             pattern: ^/(_(profiler|wdt)|css|images|js)/
             security: false
+
+        # https://symfony.com/bundles/LexikJWTAuthenticationBundle/current/index.html#configure-application-routing
+        api_login:
+            pattern: ^/api/token
+            stateless: true
+            provider: all_users
+            login_throttling:
+                max_attempts: 3
+            json_login:
+                check_path: /api/token
+                username_path: username
+                password_path: password
+                success_handler: lexik_jwt_authentication.handler.authentication_success
+                failure_handler: lexik_jwt_authentication.handler.authentication_failure
+            user_checker: RZ\Roadiz\CoreBundle\Security\UserChecker
+
+        # https://symfony.com/bundles/LexikJWTAuthenticationBundle/current/8-jwt-user-provider.html#symfony-5-3-and-higher
+        api:
+            pattern: ^/api
+            stateless: true
+            # Do not reload user from database, trust JWT roles in order to restrict PreviewUsers
+            # Only drawback is when you want to disable / block / expire a user, you'll have to
+            # wait for JWT token to expire.
+            provider: jwt
+            # If you really want to reload user from database, uncomment this line, but Preview JWT
+            # will be reloaded as full user and not as PreviewUser.
+            #provider: all_users
+            jwt: ~
+
+        # disables session creation for assets and healthcheck controllers
+        assets:
+            pattern: ^/assets
+            stateless: true
+            security: false
+        healthCheck:
+            pattern: ^/health-check$
+            stateless: true
+            security: false
+
         main:
             lazy: true
+            stateless: false
             provider: all_users
             two_factor:
                 auth_form_path: 2fa_login    # The route name you have used in the routes.yaml
@@ -49,38 +89,7 @@ security:
             custom_authenticator:
                 - RZ\Roadiz\RozierBundle\Security\RozierAuthenticator
                 - roadiz_rozier.open_id.authenticator
-        # https://symfony.com/bundles/LexikJWTAuthenticationBundle/current/8-jwt-user-provider.html#symfony-5-3-and-higher
-        api:
-            pattern: ^/api
-            stateless: true
-            # Do not reload user from database, trust JWT roles in order to restrict PreviewUsers
-            # Only drawback is when you want to disable / block / expire a user, you'll have to
-            # wait for JWT token to expire.
-            provider: jwt
-            entry_point: jwt
-            # If you really want to reload user from database, uncomment this line, but Preview JWT
-            # will be reloaded as full user and not as PreviewUser.
-            #provider: all_users
-            jwt: ~
-            login_throttling:
-                max_attempts: 3
-            json_login:
-                check_path: /api/token
-                username_path: username
-                password_path: password
-                success_handler: lexik_jwt_authentication.handler.authentication_success
-                failure_handler: lexik_jwt_authentication.handler.authentication_failure
-            user_checker: RZ\Roadiz\CoreBundle\Security\UserChecker
 
-        # disables session creation for assets and healthcheck controllers
-        assets:
-            pattern: ^/assets
-            stateless: true
-            security: false
-        healthCheck:
-            pattern: ^/health-check$
-            stateless: true
-            security: false
     # Easy way to control access for large sections of your site
     # Note: Only the *first* access control that matches will be used
     access_control:

config/routes.yaml

@@ -20,6 +20,7 @@ rz_intervention_request:
 
 api_contact_form_definition:
     methods: [GET]
+    stateless: true
     path: /api/contact_form/definition
     defaults:
         _controller: App\Controller\ContactFormController::definitionAction
@@ -28,6 +29,7 @@ api_contact_form_definition:
 
 api_contact_form_post:
     methods: [POST]
+    stateless: true
     path: /api/contact_form/post
     defaults:
         _controller: App\Controller\ContactFormController::formAction

lib/RoadizCoreBundle/config/packages/security.yaml

@@ -25,6 +25,7 @@ security:
 
         # https://symfony.com/bundles/LexikJWTAuthenticationBundle/current/index.html#configure-application-routing
         api_login:
+            stateless: true
             pattern: ^/api/token
             provider: all_users
             login_throttling:

lib/RoadizCoreBundle/config/routing.yaml

@@ -5,12 +5,14 @@ api_custom_forms_item_definition:
     methods: [GET]
     path: /api/custom_forms/{id}/definition
     controller: RZ\Roadiz\CoreBundle\Controller\CustomFormController::definitionAction
+    stateless: true
     requirements:
         id: "[0-9]+"
 api_custom_forms_item_post:
     methods: [POST]
     path: /api/custom_forms/{id}/post
     controller: RZ\Roadiz\CoreBundle\Controller\CustomFormController::postAction
+    stateless: true
     requirements:
         id: "[0-9]+"
 
@@ -28,6 +30,7 @@ customFormSentAction:
 healthCheckAction:
     methods: [GET]
     path:     /health-check
+    stateless: true
     controller: RZ\Roadiz\CoreBundle\Controller\HealthCheckController
 
 roadiz_core_themes:
@@ -36,4 +39,5 @@ roadiz_core_themes:
 
 api_login_check:
     methods: [POST]
+    stateless: true
     path: /api/token

lib/RoadizCoreBundle/src/EventSubscriber/LocaleSubscriber.php

@@ -43,21 +43,26 @@ public function onKernelRequest(RequestEvent $event): void
         $request = $event->getRequest();
         $locale = $request->query->get('_locale') ?? $request->attributes->get('_locale');
 
-        if ($request->hasPreviousSession()) {
+        /*
+         * Set default locale
+         */
+        if (null !== $locale && $locale !== '') {
+            $this->setLocale($event, $locale);
+            return;
+        }
+
+        if (!$request->attributes->getBoolean('_stateless') && $request->hasPreviousSession()) {
             $locale = $request->getSession()->get('_locale', null);
             if (null !== $locale) {
                 $this->setLocale($event, $locale);
+                return;
             }
         }
 
-        /*
-         * Set default locale
-         */
-        if (null !== $locale && $locale !== '') {
-            $this->setLocale($event, $locale);
-        } elseif (null !== $translation = $this->getDefaultTranslation()) {
+        if (null !== $translation = $this->getDefaultTranslation()) {
             $shortLocale = $translation->getLocale();
             $this->setLocale($event, $shortLocale);
+            return;
         }
     }
 

lib/RoadizCoreBundle/src/EventSubscriber/UserLocaleSubscriber.php

@@ -44,6 +44,10 @@ public static function getSubscribedEvents(): array
      */
     public function onInteractiveLogin(InteractiveLoginEvent $event): void
     {
+        if ($this->requestStack->getMainRequest()?->attributes->getBoolean('_stateless')) {
+            return;
+        }
+
         $user = $event->getAuthenticationToken()->getUser();
 
         if (
@@ -59,6 +63,9 @@ public function onInteractiveLogin(InteractiveLoginEvent $event): void
      */
     public function onUserUpdated(FilterUserEvent $event): void
     {
+        if ($this->requestStack->getMainRequest()?->attributes->getBoolean('_stateless')) {
+            return;
+        }
         $user = $event->getUser();
 
         if (