Symfony version(s) affected: 4.4-BETA2
Description
I updated an application to 4.4-BETA2 and I have a failing test (only one!).
I request the API entrypoint without credentials, and I assert it returns a 401.
With SF 4.3 => OK
With SF 4.4 => KO, I got a 200
How to reproduce
I created 2 new projects with the website skeleton, one on 4.4 and one on 4.3, and I created an empty guard + a controller (thanks to maker bundle). Then I updated the security to:
    security:
        firewalls:
            main:
                pattern: ^/
                stateless: true
                anonymous: false
                guard:
                    authenticators:
                        - App\Security\AppCustomAuthenticator
So I'm expecting a 401 when no credentials are present in the request because of anonymous: false.
With Symfony 4.4 => 200
With Symfony 4.3 => 500 : The App\Security\AppCustomAuthenticator::start() method must return a Response object (NULL returned)
Possible Solution
I'm not sure my application has the same side effect, I will dig.
But anyway, with anonymous=false, I expect to throw a 401 when the credentials are not present (and so the authentication is not done)