api-platform
HTTP Unauthorized after validation failure on PUT request
API Platform version(s) affected: ^3.0.0
Description
Very similar behavior to the one described in https://github.com/api-platform/core/issues/3661. I have an entity with a PUT operation that has the security variable set to is_granted('ROLE_ADMIN') and, in the Entity, two properties with a Length Constraint. When the security and the validation constraints are satisfied the operation works as expected, but when the validation fails, regardless of the authenticated user, the operation will return a 401 Unauthorized state.
How to reproduce
I've set up a repository with a demo app in which this bug happens.
https://github.com/subiabre/api-platform-validation-bug-report
Possible Solution
In the scenario repo, the session cookie is set to deleted on the third PUT operation, after the validation error. It could be possible to pop the header that invalidates the cookie with Symfony\Component\HttpFoundation\Session\SessionUtils::popSessionCookie(), but why are we sending this header in the first place?
Additional Context
It looks like our Security listener is hit before the validation so I don't really understand. Can you check if we go through https://github.com/api-platform/core/blob/main/src/Symfony/EventListener/DenyAccessListener.php#L39 before validation?
Yes, apparently it goes through before validation.
Adding exit inside https://github.com/api-platform/core/blob/main/src/Symfony/EventListener/DenyAccessListener.php#L39 makes the app stop before returning the validation error response. Adding a var_dump also prints before the validation response. In fact, the var_dump fixes the problem because, as it generates a response, it prohibits the application from sending the Set-Cookie header that invalidates the session.
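A functional test that pins down the behaviour reported above (422 on a failed Length constraint for an admin, no session cookie invalidation, and the next PUT still authenticated). This is an added example, not code from API Platform or from the reporter's repository; the `Book` resource at `/books/{id}`, its `title` property, the `User` entity and the session-based `main` firewall are assumptions.

```php
<?php
// Added regression test; not part of API Platform or the reporter's demo repo.
// Assumptions: a Book resource at /books/{id} whose PUT operation has
// security "is_granted('ROLE_ADMIN')" and a `title` property with a Length
// constraint, a User entity with setEmail()/setRoles(), and session auth.

namespace App\Tests;

use ApiPlatform\Symfony\Bundle\Test\ApiTestCase;
use App\Entity\Book;
use App\Entity\User;

final class PutValidationSessionTest extends ApiTestCase
{
    public function testValidationFailureKeepsSessionAndReturns422(): void
    {
        $client = static::createClient();
        $em = static::getContainer()->get('doctrine')->getManager();

        $admin = (new User())->setEmail('admin@example.test')->setRoles(['ROLE_ADMIN']);
        $book = (new Book())->setTitle('ok');
        $em->persist($admin);
        $em->persist($book);
        $em->flush();

        // Authenticate through the session cookie, as in the reported scenario.
        $client->loginUser($admin);
        $url = '/books/'.$book->getId();

        // 1) Valid payload: security and validation both pass.
        $client->request('PUT', $url, ['json' => ['title' => 'short']]);
        self::assertResponseIsSuccessful();

        // 2) Payload violating the Length constraint: expect 422, not 401,
        //    and no Set-Cookie header that deletes the session.
        $response = $client->request('PUT', $url, ['json' => ['title' => str_repeat('x', 512)]]);
        self::assertResponseStatusCodeSame(422);
        foreach ($response->getHeaders(false)['set-cookie'] ?? [] as $cookie) {
            self::assertStringNotContainsString('deleted', $cookie,
                'A validation error must not invalidate the session cookie');
        }

        // 3) Same client, valid payload again: the session must still be valid.
        $client->request('PUT', $url, ['json' => ['title' => 'short']]);
        self::assertResponseIsSuccessful();
    }
}
```

The `deleted` check mirrors Symfony's convention for an expired cookie, which is what the reporter observed in the Set-Cookie header; the third request fails with 401 if the session was dropped.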
Hi @soyuka any news on this issue?