Fix #[Security] on ExtendType fields (source-injection array_combine crash)

oojacoboo · oojacoboo · commit 7ba5654a905e · 2026-04-17T21:27:25.000-04:00
SecurityFieldMiddleware captures $parameters in process() before QueryField::fromFieldDescriptor prepends a SourceParameter when isInjectSource() is true. At resolver invocation time $args then includes the source as its first element while $parameters (captured earlier) does not, so array_combine() blows up with: Argument #1 ($keys) and argument #2 ($values) must have the same number of elements In practice this masks as a generic "Internal server error" from any #[Security]-decorated field on an #[ExtendType], which isn't discovered until someone tries to guard an ExtendType field by role. AuthorizationFieldMiddleware (@Logged / @right) sidesteps the issue by using `function (...\$args)` and passing args through transparently — it doesn't need to map args to parameter names because it has no expression language context. The Security middlewares are the only ones that zip args and parameters together, so they're the only ones that need the fix. The same bug exists in SecurityInputFieldMiddleware for input field factories where source is similarly injected by InputField::fromFieldDescriptor. Fix: pass isInjectSource() through to getVariables() and slice the leading source arg off \$args before the array_combine. The source is still available via `this` in the expression context, so no information is lost for Security expressions. Regression test: #[Security] on ExtendedContactType::extendedSecretName exercises the ExtendType + Security combination. Before the fix the test throws the array_combine TypeError; after, both the failWith null path and the authorized path return the expected values.
diff --git a/src/Middlewares/SecurityFieldMiddleware.php b/src/Middlewares/SecurityFieldMiddleware.php
@@ -18,7 +18,9 @@
 
 use function array_combine;
 use function array_keys;
+use function array_slice;
 use function assert;
+use function count;
 
 /**
  * A field middleware that reads "Security" Symfony annotations.
@@ -73,9 +75,15 @@ public function process(
         $originalResolver = $queryFieldDescriptor->getOriginalResolver();
 
         $parameters = $queryFieldDescriptor->getParameters();
+        // QueryField::fromFieldDescriptor prepends a SourceParameter to the parameters list when
+        // `injectSource` is true, but that injection happens AFTER this middleware runs. At resolver
+        // invocation time the runtime $args therefore includes the source as its first element while
+        // $parameters captured here does not. Track the flag so getVariables() can strip the leading
+        // source arg before zipping args to parameter names.
+        $injectSource = $queryFieldDescriptor->isInjectSource();
 
-        $queryFieldDescriptor = $queryFieldDescriptor->withResolver(function (object|null $source, ...$args) use ($originalResolver, $securityAnnotations, $resolver, $failWith, $parameters, $queryFieldDescriptor) {
-            $variables = $this->getVariables($args, $parameters, $originalResolver->executionSource($source));
+        $queryFieldDescriptor = $queryFieldDescriptor->withResolver(function (object|null $source, ...$args) use ($originalResolver, $securityAnnotations, $resolver, $failWith, $parameters, $queryFieldDescriptor, $injectSource) {
+            $variables = $this->getVariables($args, $parameters, $originalResolver->executionSource($source), $injectSource);
 
             foreach ($securityAnnotations as $annotation) {
                 try {
@@ -108,7 +116,7 @@ public function process(
      *
      * @return array<string, mixed>
      */
-    private function getVariables(array $args, array $parameters, object|null $source): array
+    private function getVariables(array $args, array $parameters, object|null $source, bool $injectSource = false): array
     {
         $variables = [
             // If a user is not logged, we provide an empty user object to make usage easier
@@ -118,8 +126,15 @@ private function getVariables(array $args, array $parameters, object|null $sourc
             'this' => $source,
         ];
 
+        // Strip the source arg prepended by QueryField::fromFieldDescriptor so the remaining
+        // user-supplied args line up positionally with the captured parameter names. The source
+        // is always exposed via `this`, so there's no loss of information for the expression.
+        if ($injectSource && count($args) > count($parameters)) {
+            $args = array_slice($args, 1);
+        }
+
         $argsName = array_keys($parameters);
-        $argsByName = array_combine($argsName, $args);
+        $argsByName = $argsName ? array_combine($argsName, $args) : [];
 
         return $variables + $argsByName;
     }
diff --git a/src/Middlewares/SecurityInputFieldMiddleware.php b/src/Middlewares/SecurityInputFieldMiddleware.php
@@ -15,6 +15,8 @@
 
 use function array_combine;
 use function array_keys;
+use function array_slice;
+use function count;
 
 /**
  * A field input middleware that reads "Security" Symfony annotations.
@@ -43,9 +45,13 @@ public function process(InputFieldDescriptor $inputFieldDescriptor, InputFieldHa
         $originalResolver = $inputFieldDescriptor->getOriginalResolver();
 
         $parameters = $inputFieldDescriptor->getParameters();
+        // InputField::fromFieldDescriptor prepends a SourceParameter to the parameters list when
+        // `injectSource` is true, but that injection happens AFTER this middleware runs. See the
+        // sibling SecurityFieldMiddleware for the detailed comment.
+        $injectSource = $inputFieldDescriptor->isInjectSource();
 
-        $inputFieldDescriptor = $inputFieldDescriptor->withResolver(function (object|null $source, ...$args) use ($originalResolver, $securityAnnotations, $resolver, $parameters, $inputFieldDescriptor) {
-            $variables = $this->getVariables($args, $parameters, $originalResolver->executionSource($source));
+        $inputFieldDescriptor = $inputFieldDescriptor->withResolver(function (object|null $source, ...$args) use ($originalResolver, $securityAnnotations, $resolver, $parameters, $inputFieldDescriptor, $injectSource) {
+            $variables = $this->getVariables($args, $parameters, $originalResolver->executionSource($source), $injectSource);
 
             foreach ($securityAnnotations as $annotation) {
                 try {
@@ -71,18 +77,22 @@ public function process(InputFieldDescriptor $inputFieldDescriptor, InputFieldHa
      *
      * @return array<string, mixed>
      */
-    private function getVariables(array $args, array $parameters, object|null $source): array
+    private function getVariables(array $args, array $parameters, object|null $source, bool $injectSource = false): array
     {
         $variables = [
             // If a user is not logged, we provide an empty user object to make usage easier
             'user' => $this->authenticationService->getUser(),
-            'authorizationService' => $this->authorizationService, // Used by the is_granted expression language function.
+            'authorizationService' => $this->authenticationService, // Used by the is_granted expression language function.
             'authenticationService' => $this->authenticationService, // Used by the is_logged expression language function.
             'this' => $source,
         ];
 
+        if ($injectSource && count($args) > count($parameters)) {
+            $args = array_slice($args, 1);
+        }
+
         $argsName = array_keys($parameters);
-        $argsByName = array_combine($argsName, $args);
+        $argsByName = $argsName ? array_combine($argsName, $args) : [];
 
         return $variables + $argsByName;
     }
diff --git a/tests/Fixtures/Integration/Types/ExtendedContactType.php b/tests/Fixtures/Integration/Types/ExtendedContactType.php
@@ -6,6 +6,7 @@
 
 use TheCodingMachine\GraphQLite\Annotations\ExtendType;
 use TheCodingMachine\GraphQLite\Annotations\Field;
+use TheCodingMachine\GraphQLite\Annotations\Security;
 use TheCodingMachine\GraphQLite\Fixtures\Integration\Models\Contact;
 
 use function strtoupper;
@@ -34,4 +35,17 @@ public function company(Contact $contact): string
     {
             return $contact->getName() . ' Ltd';
     }
+
+    /**
+     * Regression: #[Security] on an ExtendType field used to blow up with
+     * "array_combine(): ... must have the same number of elements" because
+     * SecurityFieldMiddleware didn't mirror the source-injection that
+     * QueryField::fromFieldDescriptor performs.
+     */
+    #[Field]
+    #[Security("user && user.bar == 42", failWith: null)]
+    public function extendedSecretName(Contact $contact): string|null
+    {
+        return $contact->getName();
+    }
 }
diff --git a/tests/Integration/EndToEndTest.php b/tests/Integration/EndToEndTest.php
@@ -1338,6 +1338,63 @@ public function testEndToEndSecurityInField(): void
         $this->assertSame('Access denied.', $result->toArray(DebugFlag::RETHROW_UNSAFE_EXCEPTIONS)['errors'][0]['message']);
     }
 
+    /**
+     * Regression test for #[Security] on an #[ExtendType] field method.
+     *
+     * SecurityFieldMiddleware captures $parameters at process() time, but
+     * QueryField::fromFieldDescriptor prepends an implicit SourceParameter
+     * AFTER the middleware runs when isInjectSource() is true. At runtime the
+     * resolver receives N+1 args for N captured parameter names, which used
+     * to blow array_combine() up with "Argument #1 ($keys) and argument #2
+     * ($values) must have the same number of elements".
+     */
+    public function testEndToEndSecurityOnExtendTypeField(): void
+    {
+        // No logged-in user → the Security expression `user.bar == 42` fails, failWith returns null.
+        $schema = $this->mainContainer->get(Schema::class);
+        assert($schema instanceof Schema);
+
+        $queryString = '
+        query {
+            contacts {
+                name
+                extendedSecretName
+            }
+        }
+        ';
+
+        $result = GraphQL::executeQuery($schema, $queryString);
+        $data = $this->getSuccessResult($result);
+        $this->assertSame('Joe', $data['contacts'][0]['name']);
+        $this->assertNull($data['contacts'][0]['extendedSecretName']);
+
+        // Logged-in user with bar=42 → the Security expression passes and the field returns the name.
+        $container = $this->createContainer([
+            AuthenticationServiceInterface::class => static function () {
+                return new class implements AuthenticationServiceInterface {
+                    public function isLogged(): bool
+                    {
+                        return true;
+                    }
+
+                    public function getUser(): object|null
+                    {
+                        $user = new stdClass();
+                        $user->bar = 42;
+                        return $user;
+                    }
+                };
+            },
+        ]);
+
+        $schema = $container->get(Schema::class);
+        assert($schema instanceof Schema);
+
+        $result = GraphQL::executeQuery($schema, $queryString);
+        $data = $this->getSuccessResult($result);
+        $this->assertSame('Joe', $data['contacts'][0]['extendedSecretName']);
+    }
+
     public function testEndToEndUnions(): void
     {
         $schema = $this->mainContainer->get(Schema::class);
