Issue #3454346 by kristiaanvandeneynde, bbrala, mxr576:...

namespace Drupal\jsonapi\EventSubscriber;

use Drupal\Core\Cache\CacheableMetadata;

use Drupal\Core\Cache\CacheableResponseInterface;

use Drupal\jsonapi\JsonApiSpec;

use Symfony\Component\EventDispatcher\EventSubscriberInterface;

use Symfony\Component\HttpFoundation\Request;

use Symfony\Component\HttpKernel\Event\RequestEvent;

use Drupal\Core\Http\Exception\CacheableBadRequestHttpException;

use Symfony\Component\HttpKernel\Event\ResponseEvent;

use Symfony\Component\HttpKernel\KernelEvents;

/**

 * Request subscriber that validates a JSON:API request.

 * Subscriber that validates the query parameter names on a JSON:API request.

 *

 * @internal JSON:API maintains no PHP API. The API is the HTTP API. This class

 *   may change at any time and could break any dependencies on it.

    $this->validateQueryParams($request);

  }

  /**

   * Validates JSON:API requests.

   *

   * @param \Symfony\Component\HttpKernel\Event\ResponseEvent $event

   *   The event to process.

   */

  public function onResponse(ResponseEvent $event) {

    $request = $event->getRequest();

    if ($request->getRequestFormat() !== 'api_json') {

      return;

    }

    // At this point, we've already run validation on the request by checking

    // the query arguments. This means that if the query arguments change, we

    // may need to run this validation again. Therefore, all responses need to

    // vary by url.query_args.

    $response = $event->getResponse();

    if ($response instanceof CacheableResponseInterface) {

      $response->addCacheableDependency((new CacheableMetadata())->addCacheContexts(['url.query_args']));

    }

  }

  /**

   * Validates custom (implementation-specific) query parameter names.

   *

      }

    }

    if (empty($invalid_query_params)) {

      return NULL;

    }

    // Drupal uses the `_format` query parameter for Content-Type negotiation.

    // Using it violates the JSON:API spec. Nudge people nicely in the correct

    // direction. (This is special cased because using it is pretty common.)

    if (in_array('_format', $invalid_query_params, TRUE)) {

      $uri_without_query_string = $request->getSchemeAndHttpHost() . $request->getBaseUrl() . $request->getPathInfo();

      $exception = new CacheableBadRequestHttpException((new CacheableMetadata())->addCacheContexts(['url.query_args:_format']), 'JSON:API does not need that ugly \'_format\' query string! 🤘 Use the URL provided in \'links\' 🙏');

      $exception = new CacheableBadRequestHttpException((new CacheableMetadata())->addCacheContexts(['url.query_args']), 'JSON:API does not need that ugly \'_format\' query string! 🤘 Use the URL provided in \'links\' 🙏');

      $exception->setHeaders(['Link' => $uri_without_query_string]);

      throw $exception;

    }

    if (empty($invalid_query_params)) {

      return NULL;

    }

    $message = sprintf('The following query parameters violate the JSON:API spec: \'%s\'.', implode("', '", $invalid_query_params));

    $exception = new CacheableBadRequestHttpException((new CacheableMetadata())->addCacheContexts(['url.query_args']), $message);

    $exception->setHeaders(['Link' => 'http://jsonapi.org/format/#query-parameters']);

   */

  public static function getSubscribedEvents(): array {

    $events[KernelEvents::REQUEST][] = ['onRequest'];

    // Run before the resource response subscriber (priority 128), so that said

    // subscriber gets the cacheable metadata from this one.

    $events[KernelEvents::RESPONSE][] = ['onResponse', 129];

    return $events;

  }

        'http_response',

        'user:2',

      ])

      ->setCacheContexts(['url.site', 'user.roles']);

      ->setCacheContexts(['url.query_args', 'url.site', 'user.roles']);

  }

  /**

  protected function getExpectedCacheContexts(?array $sparse_fieldset = NULL) {

    $cache_contexts = parent::getExpectedCacheContexts($sparse_fieldset);

    if ($sparse_fieldset === NULL || in_array('computed_test_cacheable_string_field', $sparse_fieldset)) {

      $cache_contexts = Cache::mergeContexts($cache_contexts, ['url.query_args:computed_test_cacheable_string_field']);

      $cache_contexts = Cache::mergeContexts($cache_contexts, ['url.query_args']);

    }

    return $cache_contexts;

    $response = $this->request('GET', Url::fromUri('base://jsonapi'), $request_options);

    $document = $this->getDocumentFromResponse($response);

    $expected_cache_contexts = [

      'url.query_args',

      'url.site',

      'user.roles:authenticated',

    ];

    // This request fails despite the upload succeeding, because we're not

    // allowed to view the entity we're uploading to.

    $response = $this->fileRequest($uri, $this->testFileData);

    $this->assertResourceErrorResponse(403, $this->getExpectedUnauthorizedAccessMessage('GET'), $uri, $response, FALSE, ['4xx-response', 'http_response'], ['url.site', 'user.permissions']);

    $this->assertResourceErrorResponse(403, $this->getExpectedUnauthorizedAccessMessage('GET'), $uri, $response, FALSE, ['4xx-response', 'http_response'], ['url.query_args', 'url.site', 'user.permissions']);

    $this->setUpAuthorization('GET');