fix(laravel): validate the model instead of body

Author: soyuka

src/Laravel/ApiPlatformDeferredProvider.php

@@ -46,6 +46,7 @@
 use ApiPlatform\Laravel\Metadata\ParameterValidationResourceMetadataCollectionFactory;
 use ApiPlatform\Laravel\State\ParameterValidatorProvider;
 use ApiPlatform\Laravel\State\SwaggerUiProcessor;
+use ApiPlatform\Laravel\State\ValidateProvider;
 use ApiPlatform\Metadata\InflectorInterface;
 use ApiPlatform\Metadata\Operation\PathSegmentNameGeneratorInterface;
 use ApiPlatform\Metadata\Property\Factory\PropertyMetadataFactoryInterface;
@@ -76,7 +77,6 @@
 use ApiPlatform\State\Pagination\Pagination;
 use ApiPlatform\State\ParameterProviderInterface;
 use ApiPlatform\State\ProcessorInterface;
-use ApiPlatform\State\Provider\DeserializeProvider;
 use ApiPlatform\State\Provider\ParameterProvider;
 use ApiPlatform\State\Provider\SecurityParameterProvider;
 use ApiPlatform\State\ProviderInterface;
@@ -133,7 +133,7 @@ public function register(): void
             return new ParameterProvider(
                 new ParameterValidatorProvider(
                     new SecurityParameterProvider(
-                        $app->make(DeserializeProvider::class),
+                        $app->make(ValidateProvider::class),
                         $app->make(ResourceAccessCheckerInterface::class)
                     ),
                 ),

src/Laravel/ApiPlatformProvider.php

@@ -343,12 +343,12 @@ public function register(): void
             return new SwaggerUiProvider($app->make(ReadProvider::class), $app->make(OpenApiFactoryInterface::class), $config->get('api-platform.swagger_ui.enabled', false));
         });
 
-        $this->app->singleton(ValidateProvider::class, function (Application $app) {
-            return new ValidateProvider($app->make(SwaggerUiProvider::class), $app);
+        $this->app->singleton(DeserializeProvider::class, function (Application $app) {
+            return new DeserializeProvider($app->make(SwaggerUiProvider::class), $app->make(SerializerInterface::class), $app->make(SerializerContextBuilderInterface::class));
         });
 
-        $this->app->singleton(DeserializeProvider::class, function (Application $app) {
-            return new DeserializeProvider($app->make(ValidateProvider::class), $app->make(SerializerInterface::class), $app->make(SerializerContextBuilderInterface::class));
+        $this->app->singleton(ValidateProvider::class, function (Application $app) {
+            return new ValidateProvider($app->make(DeserializeProvider::class), $app, $app->make(ObjectNormalizer::class));
         });
 
         if (class_exists(JsonApiProvider::class)) {

src/Laravel/State/ValidateProvider.php

@@ -14,12 +14,15 @@
 namespace ApiPlatform\Laravel\State;
 
 use ApiPlatform\Metadata\Error;
+use ApiPlatform\Metadata\Exception\RuntimeException;
 use ApiPlatform\Metadata\Operation;
 use ApiPlatform\State\ProviderInterface;
 use Illuminate\Contracts\Foundation\Application;
+use Illuminate\Database\Eloquent\Model;
 use Illuminate\Foundation\Http\FormRequest;
 use Illuminate\Support\Facades\Validator;
 use Illuminate\Validation\ValidationException;
+use Symfony\Component\Serializer\Normalizer\NormalizerInterface;
 
 /**
  * @implements ProviderInterface<object>
@@ -34,12 +37,13 @@ final class ValidateProvider implements ProviderInterface
     public function __construct(
         private readonly ProviderInterface $inner,
         private readonly Application $app,
+        // TODO: trigger deprecation in API Platform 4.2 when this is not defined
+        private readonly ?NormalizerInterface $normalizer = null,
     ) {
     }
 
     public function provide(Operation $operation, array $uriVariables = [], array $context = []): object|array|null
     {
-        $request = $context['request'];
         $body = $this->inner->provide($operation, $uriVariables, $context);
 
         if ($operation instanceof Error) {
@@ -74,12 +78,7 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
             return $body;
         }
 
-        // In Symfony, validation is done on the Resource object (here $body) using Deserialization before Validation
-        // Here, we did not deserialize yet, we validate on the raw body before.
-        $validationBody = $request->request->all();
-        if ('jsonapi' === $request->getRequestFormat()) {
-            $validationBody = $validationBody['data']['attributes'];
-        }
+        $validationBody = $this->getBodyForValidation($body);
 
         $validator = Validator::make($validationBody, $rules);
         if ($validator->fails()) {
@@ -88,4 +87,35 @@ public function provide(Operation $operation, array $uriVariables = [], array $c
 
         return $body;
     }
+
+    /**
+     * @return array<string, mixed>
+     */
+    private function getBodyForValidation(mixed $body): array
+    {
+        if (!$body) {
+            return [];
+        }
+
+        if ($body instanceof Model) {
+            return $body->toArray();
+        }
+
+        if ($this->normalizer) {
+            if (!\is_array($v = $this->normalizer->normalize($body))) {
+                throw new RuntimeException('An array is expected.');
+            }
+
+            return $v;
+        }
+
+        // hopefully this path never gets used, its there for BC-layer only
+        // TODO: deprecation in API Platform 4.2
+        // TODO: remove in 5.0
+        if ($s = json_encode($body)) {
+            return json_decode($s, true);
+        }
+
+        throw new RuntimeException('Could not transform the denormalized body in an array for validation');
+    }
 }

src/Laravel/Tests/SnakeCaseApiTest.php

@@ -69,4 +69,20 @@ public function testRelationIsHandledOnCreateWithNestedDataSnakeCase(): void
                 ],
             ]);
     }
+
+    public function testFailWithCamelCase(): void
+    {
+        $cartData = [
+            'productSku' => 'SKU_TEST_001',
+            'quantity' => 2,
+            'priceAtAddition' => '19.99',
+            'shoppingCart' => [
+                'userIdentifier' => 'user-'.Str::uuid()->toString(),
+                'status' => 'active',
+            ],
+        ];
+
+        $response = $this->postJson('/api/cart_items', $cartData, ['accept' => 'application/ld+json', 'content-type' => 'application/ld+json']);
+        $response->assertStatus(422);
+    }
 }

src/Laravel/workbench/app/ApiResource/RuleValidation.php

@@ -23,7 +23,7 @@
 )]
 class RuleValidation
 {
-    public function __construct(public int $prop, public ?int $max = null)
+    public function __construct(public ?int $prop = null, public ?int $max = null)
     {
     }
 }

src/Laravel/workbench/app/Models/CartItem.php

@@ -20,7 +20,15 @@
 use Illuminate\Database\Eloquent\Relations\BelongsTo;
 use Symfony\Component\Serializer\Attribute\Groups;
 
-#[ApiResource(denormalizationContext: ['groups' => ['cart_item.write']], normalizationContext: ['groups' => ['cart_item.write']])]
+#[ApiResource(
+    denormalizationContext: ['groups' => ['cart_item.write']],
+    normalizationContext: ['groups' => ['cart_item.write']],
+    rules: [
+        'product_sku' => 'required',
+        'quantity' => 'required',
+        'price_at_addition' => 'required',
+    ]
+)]
 #[Groups('cart_item.write')]
 #[ApiProperty(serialize: new Groups(['shopping_cart.write']), property: 'product_sku')]
 #[ApiProperty(serialize: new Groups(['shopping_cart.write']), property: 'price_at_addition')]