IBX-8324: Reworked JWT editorial bearer in page builder

[konradoboza]

🎫 Issue	IBX-8324

Related PRs:

• https://github.com/ibexa/page-builder/pull/388

Description:

Why on earth do we need yet another firewall? 😮‍💨 We actually don't, custom_authenticators fallback does the trick.

Symfony\Component\Security\Core\Authentication\Provider\AnonymousAuthenticationProvider was doing the job before it got deprecated. It means all the /_fragment calls were caught and PermissionResolver::setCurrentUserPreference was invoked so we were authenticated. Since we cannot rely on this mechanism anymore, I needed to figure out how to make sure we won't be having unauthenticated calls in page builder resulting in login screen redirection.

Why not EventSubscriber?

It just won't work - each call needs to go through built-in Symfony authenticator-based system whereas authentication providers are not to be relied upon anymore. Besides, we don't have any security-related events that are available for subrequests.

Why the original issue from the JIRA ticket emerges only on Varnish?

/_fragment calls are strictly related to ESI calls (render_esi Twig helpers for each Page Builder block) - if no reverse proxy is in use we fallback to render and no separate calls are there.

For QA:

Documentation:

Another security.yaml related change.

[github-actions]

Thanks for contribution! 🎉

To test the changes please execute:

composer config extra.symfony.endpoint https://api.github.com/repos/ibexa/recipes-dev/contents/index.json?ref=flex/pull-128

before executing the recipes.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarCloud

[tomaszszopinski]

QA approved on IbexaDXP 5.0 commerce p.sh