Access_Control refuses anonymous token'ed user to go through

Question

Im building a project with a front app in Angular and a REST API backend in Symfony2 (2.7, needs to move to 3.3 soon). Backend side, i'm using FOSRestBundle, FOSUSerBundle, LexikAuthBundle and a bunch of other cool bundles for REST API needs. I recently implemented one time Login through social providers Google and Facebook (front login buttons, then create fos_user backend side and manually set to just recognized user, a JWT provided by LexikBundle). This works well with the following app\config\security.yml:

security:
    encoders:
        Symfony\Component\Security\Core\User\User: plaintext
        FOS\UserBundle\Model\UserInterface: sha512

role_hierarchy:
    ROLE_ADMIN:       ROLE_USER
    ROLE_API:         ROLE_USER
    ROLE_SUPER_ADMIN: [ROLE_USER, ROLE_ADMIN, ROLE_ALLOWED_TO_SWITCH]

providers:
    fos_userbundle:
        id: fos_user.user_provider.username

firewalls:
    dev:
        pattern:  ^/(_(profiler|wdt)|css|images|js)/
        security: false
    login:
        pattern:  ^/api/login
        stateless: true
        anonymous: true
        form_login:
            check_path:               /api/login_check
            login_path:               /api/login
            require_previous_session: false
            username_parameter:       username
            password_parameter:       password
            success_handler:          lexik_jwt_authentication.handler.authentication_success
            failure_handler:          lexik_jwt_authentication.handler.authentication_failure
    api:
        pattern:   ^/api
        stateless: true
        anonymous: true
        lexik_jwt:
            authorization_header:
                enabled: true
                prefix:  Bearer
            query_parameter:
                enabled: true
                name:    bearer

always_authenticate_before_granting:  true
    access_control:
        - { path: ^/api/login, roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api/registration., roles: IS_AUTHENTICATED_ANONYMOUSLY }
        - { path: ^/api, roles: [IS_AUTHENTICATED_FULLY, ROLE_API] }

This works fine for /api/login/social routes (where data is in body, POST), but impossible to reach /api/registration :( :

    INFO - Matched route "myapp_security_register". 
        Context: {"route_parameters":     {"_controller":"myapp\\CoreBundle\\Controller\\SecurityController::registerAction","_route":"myapp_security_register"},"request_uri":"http://127.0.0.1:8000/api/registration"}
    INFO - Populated the TokenStorage with an anonymous Token.
    ERROR - Uncaught PHP Exception Symfony\Component\HttpKernel\Exception\AccessDeniedHttpException: "You do not have the necessary permissions" at C:\projects\myappAPI\vendor\friendsofsymfony\rest-bundle\FOS\RestBundle\EventListener\AccessDeniedListener.php line 70 
    Context: {"exception":"Object(Symfony\\Component\\HttpKernel\\Exception\\AccessDeniedHttpException)"}

I dont get it, because the anonymous token is set ! Why access_control doesnt let /api/registration access my controller ? What am i missing ? I can also post FOSRestBundle config if it may help.

Thanks, Bor.

Answer 1

There is a typo in your access_control directive:

- { path: ^/api/registration., roles: ['..'] }

... should be

- { path: ^/api/registration, roles: ['..'] }