fix: Fix UnexpectedSessionUsageException raised on stateless API requests #6760
kurozumi wants to merge 545 commits into
Conversation
…ajv-6.14.0 build(deps): bump ajv from 6.12.6 to 6.14.0
…l-message EC-CUBE#6614 Add multi-language support for the messages in the authentication key settings modal
…webpack-5.105.0 build(deps-dev): bump webpack from 5.96.1 to 5.105.0
…oggle_shipping Fix duplicated data-bs-toggle attribute on the shipment delete button
…ation_i18n Add multi-language support for the cart item deletion confirmation message
…end-of-stream-1.4.5 build(deps-dev): bump end-of-stream from 1.4.4 to 1.4.5
…as/phpdotenv-5.6.3 build(deps): bump vlucas/phpdotenv from 5.6.0 to 5.6.3
…lodash-4.17.23 build(deps-dev): bump lodash from 4.17.21 to 4.17.23
EC-CUBE#6591 Change the message "同時購入できない商品がカートに含まれています。" ("Your cart contains products that cannot be purchased together.")
…psysh-0.12.19 build(deps-dev): bump psy/psysh from 0.12.8 to 0.12.19
…s/actions/download-artifact-8 build(deps): bump actions/download-artifact from 7 to 8
…minimatch-3.1.5 build(deps-dev): bump minimatch from 3.1.2 to 3.1.5
…detail-delete-favorite EC-CUBE#6526 Add a remove-from-favorites function to the product detail page
Bumps [symfony/polyfill-intl-icu](https://github.com/symfony/polyfill-intl-icu) from 1.32.0 to 1.33.0. - [Commits](symfony/polyfill-intl-icu@v1.32.0...v1.33.0) --- updated-dependencies: - dependency-name: symfony/polyfill-intl-icu dependency-version: 1.33.0 dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [@babel/helper-module-transforms](https://github.com/babel/babel/tree/HEAD/packages/babel-helper-module-transforms) from 7.26.0 to 7.28.6. - [Release notes](https://github.com/babel/babel/releases) - [Changelog](https://github.com/babel/babel/blob/main/CHANGELOG.md) - [Commits](https://github.com/babel/babel/commits/v7.28.6/packages/babel-helper-module-transforms) --- updated-dependencies: - dependency-name: "@babel/helper-module-transforms" dependency-version: 7.28.6 dependency-type: indirect update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [babel-loader](https://github.com/babel/babel-loader) from 8.2.5 to 10.1.0. - [Release notes](https://github.com/babel/babel-loader/releases) - [Changelog](https://github.com/babel/babel-loader/blob/main/CHANGELOG.md) - [Commits](babel/babel-loader@v8.2.5...v10.1.0) --- updated-dependencies: - dependency-name: babel-loader dependency-version: 10.1.0 dependency-type: direct:development update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…-sort-media-queries Replace css-mqpacker with postcss-sort-media-queries
Bumps [docker/login-action](https://github.com/docker/login-action) from 3 to 4. - [Release notes](https://github.com/docker/login-action/releases) - [Commits](docker/login-action@v3...v4) --- updated-dependencies: - dependency-name: docker/login-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/build-push-action](https://github.com/docker/build-push-action) from 6 to 7. - [Release notes](https://github.com/docker/build-push-action/releases) - [Commits](docker/build-push-action@v6...v7) --- updated-dependencies: - dependency-name: docker/build-push-action dependency-version: '7' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/metadata-action](https://github.com/docker/metadata-action) from 5 to 6. - [Release notes](https://github.com/docker/metadata-action/releases) - [Commits](docker/metadata-action@v5...v6) --- updated-dependencies: - dependency-name: docker/metadata-action dependency-version: '6' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [docker/setup-buildx-action](https://github.com/docker/setup-buildx-action) from 3 to 4. - [Release notes](https://github.com/docker/setup-buildx-action/releases) - [Commits](docker/setup-buildx-action@v3...v4) --- updated-dependencies: - dependency-name: docker/setup-buildx-action dependency-version: '4' dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
nanasess/setup-php enables opcache.jit=tracing for PHP >= 8.1, which causes a segfault on PHP 8.1 due to known JIT bugs. Made-with: Cursor
Bumps [actions/cache](https://github.com/actions/cache) from 5.0.4 to 5.0.5. - [Release notes](https://github.com/actions/cache/releases) - [Changelog](https://github.com/actions/cache/blob/main/RELEASES.md) - [Commits](actions/cache@6682284...27d5ce7) --- updated-dependencies: - dependency-name: actions/cache dependency-version: 5.0.5 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 7.0.0 to 7.0.1. - [Release notes](https://github.com/actions/upload-artifact/releases) - [Commits](actions/upload-artifact@v7...043fb46) --- updated-dependencies: - dependency-name: actions/upload-artifact dependency-version: 7.0.1 dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com>
Bumps [actions/setup-node](https://github.com/actions/setup-node) from 4.4.0 to 6.3.0. - [Release notes](https://github.com/actions/setup-node/releases) - [Commits](actions/setup-node@49933ea...53b8394) --- updated-dependencies: - dependency-name: actions/setup-node dependency-version: 6.3.0 dependency-type: direct:production update-type: version-update:semver-major ... Signed-off-by: dependabot[bot] <support@github.com>
…s/actions/setup-node-6.3.0 build(deps): bump actions/setup-node from 4.4.0 to 6.3.0
…r-v2.4.0 bump: nanasess/setup-chromedriver v2.4.0
…follow-redirects-1.16.0 build(deps-dev): bump follow-redirects from 1.15.6 to 1.16.0
…eclib/phpseclib-3.0.51 build(deps): bump phpseclib/phpseclib from 3.0.50 to 3.0.51
…multi-7ea0977b71 build(deps): bump immutable
…rine/common-3.5.0 build(deps): bump doctrine/common from 3.4.5 to 3.5.0
…babel/plugin-transform-classes-7.28.6 build(deps-dev): bump @babel/plugin-transform-classes from 7.25.9 to 7.28.6
…chart.js-4.5.1 build(deps): bump chart.js from 3.9.1 to 4.5.1
…class-post-size fix: Reduce the POST size of the product class (規格) edit screen
chore: bump webpack-cli to v5
…s/codecov/codecov-action-6.0.0 build(deps): bump codecov/codecov-action from 5.5.3 to 6.0.0
…s/actions/upload-artifact-7.0.1 build(deps): bump actions/upload-artifact from 7.0.0 to 7.0.1
…ation Improve template development in the Docker environment
…s/actions/cache-5.0.5 build(deps): bump actions/cache from 5.0.4 to 5.0.5
createImmutable does not include PutenvAdapter by default, so values that are only held via `getenv()` are treated as "not set". In the CI Apache setup, a DATABASE_URL without PassEnv falls into this case, so `$_SERVER` was overwritten with the sqlite URL from `.env` and the admin01 tests connected to SQLite and returned 500. Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
fix(CI/CD): Fix the Docker build, which was failing
Fix an issue where, when authentication fails on the stateless: true firewall (/api), SecurityListener's onAuthenticationFailure tries to write to the session, so Symfony\Component\HttpKernel\Exception\UnexpectedSessionUsageException is thrown and a 500 error is returned. By skipping the write when the session has not been started, Bearer token API requests now correctly return 401. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Codecov Report: ✅ All modified and coverable lines are covered by tests.

Coverage Diff (base 4.4 vs. #6760; "?" means no base coverage was reported, so no +/- delta is available):
  Coverage     ?   78.65%
  Complexity   ?   6827
  Files        ?   476
  Lines        ?   27082
  Branches     ?   0
  Hits         ?   21301
  Misses       ?   5781
  Partials     ?   0
@kurozumi
Summary
Fixes an issue where, when authentication fails on the stateless: true firewall (/api), SecurityListener::onAuthenticationFailure() tries to write to the session, raising UnexpectedSessionUsageException and returning a 500 error.
Problem details
EC-CUBE's Api42 plugin configures the /api route with stateless: true. Because of this, when Bearer token authentication fails (for example, an expired token), a 500 is returned where a 401 should be. Error log:
Cause:
SecurityListener::onAuthenticationFailure() is code written to save the value of the "Keep me logged in" checkbox on the front login form to the session. However, this listener is also called on authentication failures coming from the API, so on a stateless request it tries to write to the session and an exception is thrown.
Fix
When the session has not been started (i.e. a stateless request), return early so that API requests correctly return 401.
Scope of impact
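The guard the PR describes, as an added example that is not EC-CUBE's own SecurityListener and not code from this PR. It is a stand-alone Symfony login-failure subscriber with the same job (remember the "Keep me logged in" checkbox on a form login failure) and shows the "session not started" check next to a second, earlier check on the `_stateless` request attribute that Symfony sets for stateless firewalls and routes; the class name, the form field name `login_remember_me` and the session key `eccube.login.remember_me` are assumptions made for the example.

```php
<?php
// Added illustration (not EC-CUBE code): a login-failure listener that wants to
// persist the "keep me logged in" checkbox to the session, and the guard that
// keeps it from touching the session on a stateless firewall such as /api.
declare(strict_types=1);

namespace App\EventListener;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\Security\Http\Event\LoginFailureEvent;

final class LoginFailureRememberMeListener implements EventSubscriberInterface
{
    // Hypothetical form field and session key names (assumptions for the example).
    private const REMEMBER_ME_FIELD = 'login_remember_me';
    private const SESSION_KEY = 'eccube.login.remember_me';

    public static function getSubscribedEvents(): array
    {
        return [LoginFailureEvent::class => 'onLoginFailure'];
    }

    public function onLoginFailure(LoginFailureEvent $event): void
    {
        $request = $event->getRequest();

        if (!$this->isStatefulRequest($request)) {
            // Bearer-token request on a stateless firewall: there is no checkbox
            // to remember, and writing to the session here is exactly what turns
            // the expected 401 into a 500 (UnexpectedSessionUsageException).
            return;
        }

        // Stateful form login: remember the checkbox state for the re-rendered form.
        $request->getSession()->set(
            self::SESSION_KEY,
            (bool) $request->request->get(self::REMEMBER_ME_FIELD, false)
        );
    }

    private function isStatefulRequest(Request $request): bool
    {
        // Symfony flags requests served by a stateless firewall or a
        // `stateless: true` route with the `_stateless` attribute (assumption:
        // the firewall in use sets it); checking it first avoids even calling
        // getSession() on such requests.
        if ($request->attributes->get('_stateless', false)) {
            return false;
        }

        // The PR's own criterion: only write when a session has actually been
        // started for this request.
        return $request->hasSession() && $request->getSession()->isStarted();
    }
}
```

Checking `_stateless` before `isStarted()` matters in debug mode, where Symfony reports session usage on a request it has declared stateless; the `isStarted()` check alone is what the PR relies on and is enough in the failure path described above, since a Bearer-token request never starts a session.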