Any URI starting with bolt.backend_url is treated as restricted

[lafor]

Bolt treats any URI starting with bolt.backend_url string as restricted, even if not immediately followed by a slash.

Details

Question	Answer
Relevant Bolt Version	5.1.24
Install type	Composer install
PHP version	8.2

Reproduction

Steps to reproduce

Log out from the backend if logged in. Assuming your bolt.backend_url (as defined in config/services.yaml) is the default /bolt, try accessing an URI like /bolts-and-nuts.

Expected result

You should be served /bolts-and-nuts resource if it exists, or 404 if it doesn't.

Actual result

You're redirected to /bolt/login.

Fix

Paths ending with bolt.backend_url in access_control definitions of config/packages/security.yaml should include trailing slashes, e.g.:

- { path: '^%bolt.backend_url%/', roles: IS_AUTHENTICATED_REMEMBERED }
- { path: '^/(%app_locales%)%bolt.backend_url%/', roles: IS_AUTHENTICATED_REMEMBERED }

[macintoshplus]

This issue fix must be applied in the repository and in project repository.

The route '/bolt$' must be protected.