IsGranted Attribute not working on LiveComponents #2521

Open
Mauriceu opened this issue Jan 22, 2025 · 5 comments
Labels
Bug Bug Fix Status: Needs Review Needs to be reviewed


Mauriceu commented Jan 22, 2025

As per the docs, LiveComponents are like normal Symfony controllers, in that you can also use the attributes you usually use.

However, when a LiveAction is invoked, the currently logged-in user is null, probably due to some priority settings.

This in turn leads to the #[IsGranted] attribute failing. Every other (manual) security check also fails, because Security::getUser() always returns null.

Example Code:

#[LiveAction]
#[IsGranted("SOME_ROLE")]
public function save(): Response 
{ 
    /** AuthenticationEntrypoint logic will be invoked, implying no logged in User is found */ 
}

#[LiveAction]
public function save(): Response 
{
    $user = $this->security->getUser();
    // User is null
}

My current firewall configuration:

        user:
            pattern: ^/
            lazy: false

            # Repository implements UserLoaderInterface 
            # retrieves the User by comparing an identifier 
            # to either email or username.
            provider: user

            custom_authenticators:
                - App\Security\Authenticator\UserAuthenticator

            entry_point: App\Security\Authenticator\AuthenticationEntryPoint
            user_checker: App\Security\IsDisabledChecker
            login_throttling:
                limiter: "app.user_rate_limiter"

            remember_me:
                secret: '%kernel.secret%'
                lifetime: 604800

            login_link:
                check_route: user_login_link
                signature_properties: [ 'id' ]
                success_handler: App\Security\AutoLoginSuccessHandler
@Mauriceu Mauriceu added the Bug Bug Fix label Jan 22, 2025
@carsonbot carsonbot added the Status: Needs Review Needs to be reviewed label Jan 22, 2025
@smnandre
Member

Do you have the same problems with default security settings / tools?

@Mauriceu
Author

Mauriceu commented Jan 22, 2025

> Do you have the same problems with default security settings / tools?

No, applying #[IsGranted] on a normal Controller works as expected.
I assume that is what you meant...?

@smnandre
Member

Sorry, no, I meant the opposite. Does the IsGranted attribute work on your component with more traditional / basic security settings (firewall / authenticator / etc.)?

@Mauriceu
Author

Mauriceu commented Jan 23, 2025

I've pretty much removed everything from the security config and it still is not working.

Some additional info:

We use Keycloak to authenticate our users and create a customized UserInterface DTO. This DTO only contains a few additional properties for conditional rendering. The AuthenticationToken within that DTO is correctly retrieved from the TokenStorage when invoking a normal controller, IsGranted works and everything else does too. When rendering a LiveComponent within a normal controller's request context (e.g. a GET request to a controller which renders a Twig template that includes a LiveComponent), the AuthenticationToken is also correctly retrieved.

However, when invoking a LiveAction the TokenStorage::getToken() function always returns NULL.
I've confirmed that by tracing the token within the AuthorizationChecker, the LiveComponent's constructor, the LiveComponent's LiveAction, and the LiveComponent's Post/Pre-Mount function.

I'll try and set up a minimal reproducer in a few days' time.

@smnandre
Member

Do you use custom events / event listeners in your Authenticator?

Could you check the priorities:

php bin/console debug:event-dispatcher kernel
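
To complement the listener-priority check above, the following diagnostic subscriber is an added example (not posted by anyone in this thread and not part of Symfony UX). It logs whether the token storage holds a token at three points of the main request, so a LiveAction request can be compared with a normal controller request. The class name `TokenTraceSubscriber`, the namespace and the priorities 4096 / -4096 are assumptions chosen for illustration.

```php
<?php
// Added diagnostic example; class name, namespace and priorities are assumptions.
namespace App\EventSubscriber;

use Psr\Log\LoggerInterface;
use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpKernel\Event\ControllerEvent;
use Symfony\Component\HttpKernel\Event\KernelEvent;
use Symfony\Component\HttpKernel\Event\RequestEvent;
use Symfony\Component\HttpKernel\KernelEvents;
use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;

final class TokenTraceSubscriber implements EventSubscriberInterface
{
    public function __construct(
        private readonly TokenStorageInterface $tokenStorage,
        private readonly LoggerInterface $logger,
    ) {
    }

    public static function getSubscribedEvents(): array
    {
        // 4096 / -4096 are arbitrary values meant to run before and after the
        // listeners listed by `debug:event-dispatcher`; adjust them if needed.
        return [
            KernelEvents::REQUEST => [['onRequestEarly', 4096], ['onRequestLate', -4096]],
            KernelEvents::CONTROLLER => ['onController', -4096],
        ];
    }

    public function onRequestEarly(RequestEvent $event): void { $this->trace('request:early', $event); }
    public function onRequestLate(RequestEvent $event): void { $this->trace('request:late', $event); }
    public function onController(ControllerEvent $event): void { $this->trace('controller', $event); }

    private function trace(string $stage, KernelEvent $event): void
    {
        if (!$event->isMainRequest()) {
            return; // sub-requests are skipped to keep the log readable
        }
        $request = $event->getRequest();
        $token = $this->tokenStorage->getToken();
        $this->logger->debug('token trace', [
            'stage' => $stage,
            'request' => $request->getMethod().' '.$request->getPathInfo(),
            'controller' => $request->attributes->get('_controller'), // null until routing has run
            'token' => $token ? $token::class : null,
            'user' => $token?->getUserIdentifier(),
            'roles' => $token?->getRoleNames() ?? [],
        ]);
    }
}
```

With service autoconfiguration enabled the subscriber is registered automatically. Comparing the `request:late` and `controller` entries for a LiveAction request against those for a normal controller request shows at which stage the token is missing.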
