fix(jsonapi): prevent double unwrapping of data.attributes with input DTOs

| Q             | A
| ------------- | ---
| Branch?       | 4.2
| Tickets       | Fixes #7794
| License       | MIT
| Doc PR        | ∅

* When re-entering the serializer for input DTO denormalization, the data
  has already been unwrapped from the JSON:API `data.attributes` structure.
* Without this guard, JsonApi\ItemNormalizer::denormalize() runs a second
  time on flat data, reads `$data['data']['attributes']` → null, and nulls
  every DTO property.
* Skip JSON:API extraction when `api_platform_input` context flag is set.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: soyuka

src/JsonApi/Serializer/ItemNormalizer.php

@@ -169,6 +169,12 @@ public function supportsDenormalization(mixed $data, string $type, ?string $form
      */
     public function denormalize(mixed $data, string $class, ?string $format = null, array $context = []): mixed
     {
+        // When re-entering for input DTO denormalization, data has already been
+        // unwrapped from the JSON:API structure by the first pass. Skip extraction.
+        if (isset($context['api_platform_input'])) {
+            return parent::denormalize($data, $class, $format, $context);
+        }
+
         // Avoid issues with proxies if we populated the object
         if (!isset($context[self::OBJECT_TO_POPULATE]) && isset($data['data']['id'])) {
             if (true !== ($context['api_allow_update'] ?? true)) {

src/JsonApi/Tests/Fixtures/InputDto.php

@@ -0,0 +1,20 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\JsonApi\Tests\Fixtures;
+
+final class InputDto
+{
+    public string $title = '';
+    public string $body = '';
+}

src/JsonApi/Tests/Serializer/ItemNormalizerTest.php

@@ -17,6 +17,7 @@
 use ApiPlatform\JsonApi\Serializer\ReservedAttributeNameConverter;
 use ApiPlatform\JsonApi\Tests\Fixtures\CircularReference;
 use ApiPlatform\JsonApi\Tests\Fixtures\Dummy;
+use ApiPlatform\JsonApi\Tests\Fixtures\InputDto;
 use ApiPlatform\JsonApi\Tests\Fixtures\RelatedDummy;
 use ApiPlatform\Metadata\ApiProperty;
 use ApiPlatform\Metadata\ApiResource;
@@ -35,9 +36,11 @@
 use Prophecy\PhpUnit\ProphecyTrait;
 use Symfony\Component\HttpFoundation\EventStreamResponse;
 use Symfony\Component\PropertyAccess\Exception\NoSuchPropertyException;
+use Symfony\Component\PropertyAccess\PropertyAccessor;
 use Symfony\Component\PropertyAccess\PropertyAccessorInterface;
 use Symfony\Component\Serializer\Exception\NotNormalizableValueException;
 use Symfony\Component\Serializer\Exception\UnexpectedValueException;
+use Symfony\Component\Serializer\Normalizer\DenormalizerInterface;
 use Symfony\Component\Serializer\Normalizer\NormalizerInterface;
 use Symfony\Component\Serializer\Serializer;
 use Symfony\Component\Serializer\SerializerInterface;
@@ -577,4 +580,81 @@ public function testNormalizeWithNullToOneAndEmptyToManyRelationships(): void
         $this->assertArrayHasKey('relatedDummies', $result['data']['relationships']);
         $this->assertSame(['data' => []], $result['data']['relationships']['relatedDummies']);
     }
+
+    /**
+     * Reproducer for https://github.com/api-platform/core/issues/7794.
+     *
+     * When a resource uses an input DTO, AbstractItemNormalizer::denormalize() re-enters
+     * the serializer with the already-unwrapped (flat) data plus an 'api_platform_input'
+     * context flag. Without the guard, JsonApi\ItemNormalizer::denormalize() runs a second
+     * time on the flat data, tries to read $data['data']['attributes'] and gets null,
+     * which nulls every DTO property.
+     */
+    public function testDenormalizeInputDtoDoesNotDoubleUnwrapJsonApiStructure(): void
+    {
+        $jsonApiData = [
+            'data' => [
+                'type' => 'dummy',
+                'attributes' => [
+                    'title' => 'Hello',
+                    'body' => 'World',
+                ],
+            ],
+        ];
+
+        $propertyNameCollectionFactoryProphecy = $this->prophesize(PropertyNameCollectionFactoryInterface::class);
+        $propertyNameCollectionFactoryProphecy->create(Dummy::class, Argument::any())->willReturn(new PropertyNameCollection([]));
+        $propertyNameCollectionFactoryProphecy->create(InputDto::class, Argument::any())->willReturn(new PropertyNameCollection(['title', 'body']));
+
+        $propertyMetadataFactoryProphecy = $this->prophesize(PropertyMetadataFactoryInterface::class);
+        $propertyMetadataFactoryProphecy->create(InputDto::class, 'title', Argument::any())->willReturn((new ApiProperty())->withNativeType(Type::string())->withReadable(true)->withWritable(true));
+        $propertyMetadataFactoryProphecy->create(InputDto::class, 'body', Argument::any())->willReturn((new ApiProperty())->withNativeType(Type::string())->withReadable(true)->withWritable(true));
+
+        $iriConverterProphecy = $this->prophesize(IriConverterInterface::class);
+
+        $resourceClassResolverProphecy = $this->prophesize(ResourceClassResolverInterface::class);
+        $resourceClassResolverProphecy->getResourceClass(null, Dummy::class)->willReturn(Dummy::class);
+        $resourceClassResolverProphecy->isResourceClass(Dummy::class)->willReturn(true);
+        $resourceClassResolverProphecy->isResourceClass(InputDto::class)->willReturn(false);
+        $resourceClassResolverProphecy->getResourceClass(null, InputDto::class)->willReturn(InputDto::class);
+
+        $resourceMetadataCollectionFactory = $this->prophesize(ResourceMetadataCollectionFactoryInterface::class);
+        $resourceMetadataCollectionFactory->create(Dummy::class)->willReturn(new ResourceMetadataCollection(Dummy::class, [
+            (new ApiResource())->withOperations(new Operations([new Get(name: 'get')])),
+        ]));
+
+        $normalizer = new ItemNormalizer(
+            $propertyNameCollectionFactoryProphecy->reveal(),
+            $propertyMetadataFactoryProphecy->reveal(),
+            $iriConverterProphecy->reveal(),
+            $resourceClassResolverProphecy->reveal(),
+            new PropertyAccessor(),
+            new ReservedAttributeNameConverter(),
+            null,
+            [],
+            $resourceMetadataCollectionFactory->reveal(),
+        );
+
+        // Create a mock serializer that simulates the real serializer chain:
+        // when re-entering for the input DTO, it calls back into the normalizer.
+        $serializerProphecy = $this->prophesize(SerializerInterface::class);
+        $serializerProphecy->willImplement(DenormalizerInterface::class);
+        $serializerProphecy->willImplement(NormalizerInterface::class);
+        $serializerProphecy->denormalize(Argument::type('array'), InputDto::class, ItemNormalizer::FORMAT, Argument::type('array'))
+            ->will(static function ($args) use ($normalizer) {
+                // This simulates the serializer re-entering the normalizer chain
+                return $normalizer->denormalize($args[0], $args[1], $args[2], $args[3]);
+            });
+
+        $normalizer->setSerializer($serializerProphecy->reveal());
+
+        $result = $normalizer->denormalize($jsonApiData, Dummy::class, ItemNormalizer::FORMAT, [
+            'input' => ['class' => InputDto::class],
+            'resource_class' => Dummy::class,
+        ]);
+
+        $this->assertInstanceOf(InputDto::class, $result);
+        $this->assertSame('Hello', $result->title);
+        $this->assertSame('World', $result->body);
+    }
 }

src/Serializer/Tests/AbstractItemNormalizerTest.php

@@ -34,10 +34,10 @@
 use ApiPlatform\Serializer\AbstractItemNormalizer;
 use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\DtoWithNullValue;
 use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\Dummy;
-use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\DummyWithMultipleRequiredConstructorArgs;
 use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\DummyTableInheritance;
 use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\DummyTableInheritanceChild;
 use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\DummyTableInheritanceRelated;
+use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\DummyWithMultipleRequiredConstructorArgs;
 use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\NonCloneableDummy;
 use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\PropertyCollectionIriOnly;
 use ApiPlatform\Serializer\Tests\Fixtures\ApiResource\PropertyCollectionIriOnlyRelation;

tests/Fixtures/TestBundle/ApiResource/JsonApiInputDto.php

@@ -0,0 +1,23 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource;
+
+/**
+ * Input DTO for JsonApiInputResource.
+ */
+final class JsonApiInputDto
+{
+    public string $title = '';
+    public string $body = '';
+}

tests/Fixtures/TestBundle/ApiResource/JsonApiInputResource.php

@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\Metadata\Post;
+
+/**
+ * Reproducer for https://github.com/api-platform/core/issues/7794.
+ *
+ * When using input DTOs with JSON:API format, the JsonApi\ItemNormalizer must
+ * not unwrap the data twice. On re-entry for the input DTO, the data is already
+ * flat (attributes have been extracted from the JSON:API structure).
+ */
+#[Post(
+    uriTemplate: '/jsonapi_input_test',
+    formats: ['jsonapi' => ['application/vnd.api+json']],
+    input: JsonApiInputDto::class,
+    processor: [self::class, 'process'],
+)]
+class JsonApiInputResource
+{
+    public ?string $id = null;
+    public string $title = '';
+    public string $body = '';
+
+    public static function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): self
+    {
+        \assert($data instanceof JsonApiInputDto);
+
+        $resource = new self();
+        $resource->id = '1';
+        $resource->title = $data->title;
+        $resource->body = $data->body;
+
+        return $resource;
+    }
+}

tests/Fixtures/TestBundle/ApiResource/JsonApiRequiredFieldsInputDto.php

@@ -0,0 +1,30 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource;
+
+/**
+ * Input DTO with required constructor args — no defaults, not nullable.
+ *
+ * Used to reproduce the Sylius failures where only the first missing
+ * constructor argument is reported instead of all of them.
+ */
+final class JsonApiRequiredFieldsInputDto
+{
+    public function __construct(
+        public string $title,
+        public int $rating,
+        public string $comment,
+    ) {
+    }
+}

tests/Fixtures/TestBundle/ApiResource/JsonApiRequiredFieldsResource.php

@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the API Platform project.
+ *
+ * (c) Kévin Dunglas <dunglas@gmail.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+declare(strict_types=1);
+
+namespace ApiPlatform\Tests\Fixtures\TestBundle\ApiResource;
+
+use ApiPlatform\Metadata\Operation;
+use ApiPlatform\Metadata\Post;
+
+/**
+ * Resource using an input DTO with required constructor arguments.
+ *
+ * Tests that all missing constructor arguments are reported (not just the first).
+ */
+#[Post(
+    uriTemplate: '/jsonapi_required_fields_test',
+    formats: ['jsonapi' => ['application/vnd.api+json']],
+    input: JsonApiRequiredFieldsInputDto::class,
+    processor: [self::class, 'process'],
+)]
+class JsonApiRequiredFieldsResource
+{
+    public ?string $id = null;
+    public string $title = '';
+    public int $rating = 0;
+    public string $comment = '';
+
+    public static function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): self
+    {
+        \assert($data instanceof JsonApiRequiredFieldsInputDto);
+
+        $resource = new self();
+        $resource->id = '1';
+        $resource->title = $data->title;
+        $resource->rating = $data->rating;
+        $resource->comment = $data->comment;
+
+        return $resource;
+    }
+}