fix(jsonapi): allow opt-in client-generated IDs on POST per spec#7930
Conversation
| // Per JSON:API spec, `id` is optional in the request body of a creation: | ||
| // https://jsonapi.org/format/#crud-creating | ||
| $required = ['type', 'id']; | ||
| if (Schema::TYPE_INPUT === $type && $resourceOperation instanceof Post) { |
There was a problem hiding this comment.
we prefer $resourceOperation->getMethod()
There was a problem hiding this comment.
Updated, I switched to 'POST' === $resourceOperation->getMethod() and dropped the now-unused Post import. Added a null guard since $resourceOperation is typed ?Operation. Thanks! 🙂
| // Avoid issues with proxies if we populated the object | ||
| if (!isset($context[self::OBJECT_TO_POPULATE]) && isset($data['data']['id'])) { | ||
| if (true !== ($context['api_allow_update'] ?? true)) { | ||
| if ($operation instanceof Post) { |
There was a problem hiding this comment.
same lets prefer the getMethod approach
|
Good alignment with the spec, we need to provide a configuration option that sets this context value, also this will be considered as a new feature and commit/pr title should be renamed accordingly. |
abderrahimghazali
changed the title
|
Done in 251eb81 — #[Post(extraProperties: [ItemNormalizer::ALLOW_CLIENT_GENERATED_ID => true])]Added a test covering that path. Renamed the PR title to |
|
|
||
| $allowClientGeneratedId = $context[self::ALLOW_CLIENT_GENERATED_ID] ?? null; | ||
| if (null === $allowClientGeneratedId && $isPostOperation) { | ||
| $allowClientGeneratedId = $operation->getExtraProperties()[self::ALLOW_CLIENT_GENERATED_ID] ?? false; |
There was a problem hiding this comment.
you should use the denormalization context directly we don't need to use extra properties here.
|
|
||
| $result = $normalizer->denormalize($data, Dummy::class, ItemNormalizer::FORMAT, [ | ||
| 'operation' => new Post(extraProperties: [ItemNormalizer::ALLOW_CLIENT_GENERATED_ID => true]), | ||
| 'operation' => new Post(), |
There was a problem hiding this comment.
nice or it could be via denormalizerContext: [] in an operation (default context is fine for the test)
| ->defaultTrue() | ||
| ->info('Set to false to use entity identifiers instead of IRIs as the "id" field in JSON:API responses.') | ||
| ->end() | ||
| ->booleanNode('allow_client_generated_id') |
There was a problem hiding this comment.
you need to change ConfigurationTest::testDefaultConfig
soyuka
force-pushed
the
fix/jsonapi-post-id-not-required
branch
2 times, most recently
from
151198b to
58e1bcb
Compare
soyuka
changed the title
Per https://jsonapi.org/format/#crud-creating-client-ids a client MAY supply an id when creating a resource. The JSON:API ItemNormalizer previously treated any incoming `data.id` on POST as a hint to load an existing resource, throwing "Update is not allowed for this operation" or failing the IRI lookup, even when the application is designed for client-generated identifiers. A new opt-in `ALLOW_CLIENT_GENERATED_ID` denormalization context flag lets the client id flow through to the entity setter without querying the IriConverter. Off by default to avoid an id-spoofing footgun on public endpoints. Configurable globally via the Symfony bundle (`api_platform.jsonapi.allow_client_generated_id`) and Laravel (`api-platform.jsonapi.allow_client_generated_id`), per-operation via `denormalizationContext`. Also tightens the input-schema guard added in api-platform#8252: adds a `Schema::TYPE_INPUT === $type` check so POST response schemas keep requiring `id`, and captures the resource operation before the relationship loop reassigns `$operation` so the requirement check targets the correct operation when the resource has relationships. Refs api-platform#6738 Co-authored-by: soyuka <soyuka@users.noreply.github.com>
soyuka
force-pushed
the
fix/jsonapi-post-id-not-required
branch
from
58e1bcb to
92dde53
Compare
|
Merging as bug fix as it is a specification update, needs to be documented still. |
2 participants
What's in this PR?
Two related JSON:API issues prevent valid POST requests with client-generated IDs (per JSON:API §7.3):
SchemaFactory) declareddata.idrequiredfor every operation, including the request body of aPOST. The spec saysidMAY be supplied by the client and is otherwise optional on creation.ItemNormalizer) treated any incomingdata.idas a hint to load an existing resource, then either threwUpdate is not allowed for this operationor failed to resolve the IRI when the client passed a fresh UUID.Together they make it impossible to POST
{"data":{"type":"…","id":"<uuid>","attributes":{…}}}even when the application is designed for client-generated identifiers (Doctrine UUID PK, ULID, etc.).Fix
JsonApi\JsonSchema\SchemaFactorySchema::TYPE_INPUTon aPostoperation,data.requiredis now["type"]. Output schemas and non-Postoperations remain["type", "id"](response payloads still always carry anid).buildDefinitionPropertiesSchema()because the relationship loop reassigns\$operation.Before (POST request body):
```json
"required": ["type", "id"]
```
After:
```json
"required": ["type"]
```
JsonApi\Serializer\ItemNormalizerItemNormalizer::ALLOW_CLIENT_GENERATED_ID('allow_client_generated_id').Post, an incomingdata.idno longer triggers an existing-resource lookup.NotNormalizableValueExceptionwith a clear message — no behaviour change for endpoints that don't expect client-generated IDs, and no risk of silently letting a client spoof an ID.OBJECT_TO_POPULATE) is preserved.The flag is off by default to keep the change non-breaking and to avoid an ID-spoofing footgun on public endpoints. Applications opt in per-operation by passing the flag in the denormalization context (or via a state processor / serializer context builder).
Tests
SchemaFactoryTest::testBuildSchemaForPostInputDoesNotRequireId— POST input dropsidfromrequired.SchemaFactoryTest::testBuildSchemaForPostOutputStillRequiresId— POST output still requiresid.ItemNormalizerTest::testDenormalizePostWithIdThrowsWithoutOptIn— POST with client id throws without opt-in.ItemNormalizerTest::testDenormalizePostWithIdSucceedsWithOptIn— POST with client id succeeds with opt-in, IRI converter is not called, id is set on the new entity.Full
src/JsonApi/Testssuite: 57 tests / 145 assertions, all green (the 2 PHPUnit notices are pre-existing).Spec references
Credit to @cay89 for the original analysis in #6738.