Add pre-firewall request body validation to RequestValidationSubscriber

src/Validation/EventSubscriber/RequestValidationSubscriber.php

@@ -37,6 +37,7 @@ public static function getSubscribedEvents(): array
     {
         return [
             KernelEvents::REQUEST => [
+                ['validateRequestBeforeFirewall', 10],
                 ['validateRequest', 7],
             ],
         ];
@@ -47,6 +48,16 @@ public function __construct(ValidatorInterface $requestValidator)
         $this->requestValidator = $requestValidator;
     }
 
+    public function validateRequestBeforeFirewall(RequestEvent $event): void
+    {
+        $request = $event->getRequest();
+        if ($this->isManagedRoute($request) === false || $this->isPreFirewallRequestValidationEnabled($request) === false) {
+            return;
+        }
+
+        $this->validateRequest($event);
+    }
+
     public function validateRequest(RequestEvent $event): void
     {
         $request = $event->getRequest();
@@ -64,4 +75,11 @@ private function isManagedRoute(Request $request): bool
     {
         return $request->attributes->has(RouteContext::REQUEST_ATTRIBUTE);
     }
+
+    private function isPreFirewallRequestValidationEnabled(Request $request): bool
+    {
+        $routeContext = $request->attributes->get(RouteContext::REQUEST_ATTRIBUTE);
+
+        return $routeContext[RouteContext::REQUEST_VALIDATE_BEFORE_FIREWALL] ?? false;
+    }
 }

tests/Functional/App/config.yaml

@@ -33,12 +33,12 @@ security:
 
   firewalls:
     main:
-      pattern: '^/api/authenticated'
+      pattern: '^/api/(authenticate|authenticated)'
       lazy: true
       stateless: true
       provider: users_in_memory
       json_login:
-        check_path: "/api/authenticated"
+        check_path: "/api/authenticate"
         username_path: email
         password_path: password
 

tests/Functional/Validation/JsonRequestBodyValidationTest.php

@@ -108,6 +108,45 @@ public function testCanReturnProblemDetailsJsonObjectForInvalidRequestBody(): vo
         );
     }
 
+    public function testCanReturnProblemDetailsJsonObjectForInvalidRequestBodyBeforeFirewall(): void
+    {
+        $this->client->request(
+            Request::METHOD_POST,
+            '/api/authenticate',
+            [],
+            [],
+            [
+                'CONTENT_TYPE' => 'application/json',
+            ],
+            '{}'
+        );
+
+        $expectedJsonResponseBody = [
+            'type' => 'about:blank',
+            'title' => 'The request body contains errors.',
+            'status' => 400,
+            'detail' => 'Validation of JSON request body failed.',
+            'violations' => [
+                [
+                    'constraint' => 'required',
+                    'message' => 'The property username is required',
+                    'property' => 'username',
+                ],
+                [
+                    'constraint' => 'required',
+                    'message' => 'The property password is required',
+                    'property' => 'password',
+                ],
+            ],
+        ];
+
+        static::assertResponseStatusCodeSame(Response::HTTP_BAD_REQUEST);
+        static::assertJsonStringEqualsJsonString(
+            json_encode($expectedJsonResponseBody),
+            $this->client->getResponse()->getContent()
+        );
+    }
+
     public function testCannotReturnProblemDetailsJsonObjectWithoutRequiredRequestBody(): void
     {
         $this->client->request(

tests/Validation/EventSubscriber/RequestValidationSubscriberTest.php

@@ -54,6 +54,7 @@ public function testCanReturnSubscribedEvents(): void
         $this->assertSame(
             [
                 KernelEvents::REQUEST => [
+                    ['validateRequestBeforeFirewall', 10],
                     ['validateRequest', 7],
                 ],
             ],