fix: review

api/composer.json

@@ -34,7 +34,6 @@
         "symfony/validator": "7.0.*",
         "symfony/yaml": "7.0.*",
         "web-token/jwt-bundle": "^3.3",
-        "web-token/jwt-library": "^3.3",
         "webonyx/graphql-php": "^15.8",
         "zenstruck/foundry": "^1.36"
     },

api/config/packages/framework.yaml

@@ -26,6 +26,7 @@ framework:
 
     http_client:
         scoped_clients:
+            # use scoped client to ease mock on functional tests
             security.authorization.client:
                 base_uri: '%env(OIDC_SERVER_URL_INTERNAL)%/'
 

api/config/packages/security.yaml

@@ -29,13 +29,13 @@ when@prod: &prod
             main:
                 access_token:
                     token_handler: App\Security\Http\AccessToken\Oidc\OidcDiscoveryTokenHandler
-                    # todo support Discovery in Symfony
-#                       oidc:
-#                           claim: 'email'
+                        # todo support Discovery in Symfony
+#                        oidc:
+#                            claim: 'email'
 #                            base_uri: '%env(OIDC_SERVER_URL)%'
 #                            audience: '%env(OIDC_AUD)%'
 #                            cache: '@cache.app' # default
-#                            cache_ttl: 3600 # default
+#                            cache_ttl: 600 # default
 
 when@dev: *prod
 

api/src/Entity/Bookmark.php

@@ -36,7 +36,7 @@
     operations: [
         new GetCollection(),
         new Delete(
-            security: 'object.user == user'
+            security: 'object.user === user'
         ),
         new Post(
             processor: BookmarkPersistProcessor::class

api/src/Entity/Review.php

@@ -111,7 +111,7 @@
                 'bookId' => new Link(toProperty: 'book', fromClass: Book::class),
                 'id' => new Link(fromClass: Review::class),
             ],
-            security: 'object.user == user or is_granted("ADMIN")',
+            security: 'object.user === user',
             // Mercure publish is done manually in MercureProcessor through ReviewPersistProcessor
             processor: ReviewPersistProcessor::class
         ),
@@ -121,7 +121,7 @@
                 'bookId' => new Link(toProperty: 'book', fromClass: Book::class),
                 'id' => new Link(fromClass: Review::class),
             ],
-            security: 'object.user == user or is_granted("ADMIN")',
+            security: 'object.user === user',
             // Mercure publish is done manually in MercureProcessor through ReviewRemoveProcessor
             processor: ReviewRemoveProcessor::class
         ),

api/src/Entity/User.php

@@ -40,7 +40,7 @@
         ),
         new Get(
             uriTemplate: '/users/{id}{._format}',
-            security: 'user.sub === object.sub'
+            security: 'object.sub === user.sub'
         ),
     ],
     normalizationContext: [

api/src/Security/Http/AccessToken/Oidc/OidcDiscoveryTokenHandler.php

@@ -33,7 +33,7 @@ public function __construct(
         private JWSLoader $jwsLoader,
         private readonly HttpClientInterface $securityAuthorizationClient,
         private string $claim = 'email',
-        private int $ttl = 3600,
+        private int $ttl = 600,
         private ?LoggerInterface $logger = null,
     ) {
     }