Open mrblur opened 17 hours ago
The Symfony Runtime for FrankenPHP does call the reset method of the kernel between each request. This is most likely a service with a global state (in your app or in a third-party bundle such as LexikJWT) that doesn't implement the ResetInterface to clean up this global state, while it should.
What happened?
Quick context: Application on Symfony 6.4, API Platform, Lexik JWT Bundle, very basic (CRUD-type), almost default configuration.

Once deployed in production mode, my app started to behave oddly. Mainly, my JWT-signed endpoints for secure file downloads started to return 403s, but only when called multiple times at once. Everything was fine on dev builds (docker target `frankenphp_dev`), but once I built on `frankenphp_prod` it randomly returned 403s. If I hit refresh, sometimes it did load! I'd hit it again: 403. On the other hand, once the container was restarted, if I refreshed only a single file, it loaded fine every single time, 20/20. But once I tried to load multiple files, the random 403s were back. This happens only on the production build; it took me a couple of hours to figure out, as this is my first impression of FrankenPHP.

I use a stateless firewall with Lexik JWT Bundle, and this specific endpoint uses a custom authenticator to resolve the user from a JWT token provided as a query parameter. Basically this endpoint handles signed URLs for downloading or displaying a file. Every request has its own username and file id combo stored in the JWT payload; if the JWT signature is valid, the user gets instantiated with two properties: username and file_id (and no `USER_ROLE`, so that the JWT cannot be used for anything other than file download).

I have a `#[IsGranted()]` on the controller's endpoint with a complementary Voter that fetches the current user instance from `Security::getToken()->getUser()`, checks if the user is that special class instance and, if it is, compares the file_id of the request with the file_id stored in the token's payload. This works flawlessly on dev builds and during tests.

In worker mode of FrankenPHP, sometimes these two file_ids do not match. It is not the frontend part mixing stuff up, as you can hit F5 a couple of times and get different results for the exact same request and JWT token.

I figured these have to be related to `TokenStorage` not being reset between requests. But since I am very new to FrankenPHP and especially worker mode, I might be just stupid and need guidance :sweat_smile:

Shouldn't Franken's runner call `service_resetter` after every request, since normally Kernel does it only on `boot()`?

Build Type
Docker (Debian Bookworm)
Worker Mode
Yes
Operating System
GNU/Linux
CPU Architecture
x86_64
PHP configuration
Relevant log output
No response
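The failure mode the maintainer's reply describes, as an added example that is not code from FrankenPHP, Symfony or the reporter's app: a hypothetical request-scoped service (`SignedDownloadContext`) that memoises the file_id read from the JWT payload, and the `ResetInterface` cleanup that stops the memoised value from leaking into the next request a worker handles. The `isDownloadGranted` helper and the two sample requests are constructed for the demo; it assumes `symfony/service-contracts` is installed and, in a real app, that the service is autoconfigured.

```php
<?php
declare(strict_types=1);
use Symfony\Contracts\Service\ResetInterface;

// Hypothetical service, not from the reporter's app or FrankenPHP. It
// memoises the file_id read from the JWT payload. With PHP-FPM the object
// dies with the request; in FrankenPHP worker mode the container and this
// object survive, so request 1's value would be reused for request 2.
final class SignedDownloadContext implements ResetInterface
{
    private ?string $fileId = null;

    public function resolveFileId(array $jwtPayload): string
    {
        // Memoisation that is only valid for the lifetime of one request.
        return $this->fileId ??= (string) $jwtPayload['file_id'];
    }

    // With autoconfigure, implementing ResetInterface adds the kernel.reset
    // tag, so services_resetter calls this between requests and the stale
    // file_id cannot feed the next authorization decision.
    public function reset(): void
    {
        $this->fileId = null;
    }
}

// Voter-style check: the file_id in the signed URL's JWT must equal the id of the file requested.
function isDownloadGranted(SignedDownloadContext $ctx, array $payload, string $requestedId): bool
{
    return $ctx->resolveFileId($payload) === $requestedId;
}

// Constructed demo: one worker handling two signed-download requests,
// first without the reset between requests, then with it.
$ctx = new SignedDownloadContext();
$requests = [
    [['file_id' => 'file-A'], 'file-A'],
    [['file_id' => 'file-B'], 'file-B'],
];
foreach ([false, true] as $resetBetween) {
    $ctx->reset(); // fresh worker
    foreach ($requests as [$payload, $requestedId]) {
        $status = isDownloadGranted($ctx, $payload, $requestedId) ? '200' : '403';
        printf("reset_between=%d %s -> %s\n", $resetBetween, $requestedId, $status);
        if ($resetBetween) {
            $ctx->reset();
        }
    }
}
```

Without the reset, the second request is denied because the memoised `file-A` is compared against `file-B`; with the reset between requests both downloads are granted, which is the behaviour a correctly reset worker should show.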