Enabling authentication manager causes debug toolbar to fail with 404

[Addvilz]

Symfony version(s) affected: 5.1.1

Description
Setting enable_authenticator_manager to true in security.yaml causes XMLHttpRequest against https://*/_wdt/* to fail with 404 response. Subsequently, debug toolbar displays An error occurred while loading the web debug toolbar. and is not usable.

For the particular code base just toggling enable_authenticator_manager on and off triggers the issue with no other changes. With key enable_authenticator_manager absent debug toolbar works just fine. With enable_authenticator_manager set true the _wdt endpoint returns 404.

Likely related to #34770 and #35365

How to reproduce
Set enable_authenticator_manager to true in security.yaml

Additional context
This particular project was created with and upgraded from 5.1 RC1. Something in the upgrade process maybe?

[Addvilz]

Looks like this is related to #37254 and potentially fixed with #37261. Setting csrf_protection: false in framework.yaml seems to make it all work again. If anyone can confirm this is indeed fixed already with pending release, that would be great.

⚠️ For whoever stumbles upon this ticket in search for a fix, setting csrf_protection to false in framework.yaml is a Very Bad Idea™. It's better to not have a debug toolbar than to not have CSRF protection enabled.

[wouterj]

Yes, I'm sorry. Please note that this is not breaking only in the debug toolbar - it's breaking your application.

So:

• If you're using the new system WITH csrf, consider staying at 5.1.0 and upgrading to 5.1.2 when it's available). If this is not possible, switch to the old system again for 5.1.1
• If you're using the new system WITHOUT csrf, use 5.1.1 (it's broken in 5.1.0).

I'm sorry for having created a major bug in 5.1.1. We've now added a better functional testsuite for the new system, to avoid major bugs after 5.1.1.

[Addvilz]

@wouterj absolutely don't worry about it, it's fine really - things happen. If the work on this is tracked elsewhere / merged, we can probably close this issue? Up to you.

[fabpot]

5.1.2 will be released later today to help people who have already (bravely) using the new security system.

[plencovich]

In my case, creating the .htaccess file in /public, it was fixed

   <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*)$ index.php [QSA,L]
   </IfModule>

[Mesleo]

In my case, creating the .htaccess file in /public, it was fixed

   <IfModule mod_rewrite.c>
       RewriteEngine On
       RewriteCond %{REQUEST_FILENAME} !-f
       RewriteRule ^(.*)$ index.php [QSA,L]
   </IfModule>

This response is the best. Thanks, friend!

[fazliddin]

Wow, .htaccess solves the problem. But it is strange that Symfony does not have it by default.