I am using API Platform 4 with Symfony 8 and a CQRS + Clean Architecture approach.
I have a security requirement: for sensitive DELETE operations (for example deleting a session or an account), I need to require a current password confirmation before executing the command.
Current setup:
API Platform (state processor pattern)
Symfony 8
CQRS (CommandBus + Handler)
Domain service responsible for password verification
The flow looks like this:
DELETE /api/auth/sessions/{id} → Processor → CommandBus (DeleteSessionCommand) → Handler → Domain service validates password → Repository deletes entity
Currently, I pass the password via a custom HTTP header:
X-CURRENT-PASSWORD: my_password
In the API Platform processor:
    // Read the confirmation password from the custom header and hand it to the command
    $currentPassword = $request->headers->get('X-CURRENT-PASSWORD');
    $command = new DeleteSessionCommand(
        user: $user,
        sessionId: $sessionId,
        currentPassword: $currentPassword,
    );
The handler then validates the password through a domain service.
My questions:
What is the recommended approach in the Symfony 8 / API Platform ecosystem for this type of requirement?
Is using a custom header like X-CURRENT-PASSWORD acceptable for this use case?
Should this instead be part of the request body even for a DELETE operation?
Is there a more standard API Platform approach (state provider, denormalizer, custom input DTO, etc.) to handle this cleanly?
How do teams typically implement "password confirmation before destructive actions" in API Platform when using CQRS?
Constraints:
Must remain RESTful (DELETE operation required)
Using CQRS (CommandBus + Handler)
Password verification is a domain responsibility (not framework validation)
Clean separation between HTTP layer and domain layer is preferred
What I am trying to achieve:
A reusable and clean pattern for:
password confirmation on sensitive operations
minimal duplication across resources
proper OpenAPI documentation
clean CQRS separation
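One way to wire the flow described in the question, as an added example and not the asker's code: the API Platform state processor accepts the confirmation from a JSON body field (falling back to the X-CURRENT-PASSWORD header), rejects requests without one, and dispatches the command; the handler keeps verification in the domain by delegating to a password-verifying service and fails closed. CommandBus, PasswordVerifier, SessionRepository and DeleteSessionCommand are assumed names; the `request` key in the processor context is assumed to be populated by API Platform's Symfony integration.

```php
<?php
declare(strict_types=1);

use ApiPlatform\Metadata\Operation;
use ApiPlatform\State\ProcessorInterface;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
use Symfony\Component\Security\Core\Exception\AccessDeniedException;

// HTTP layer: extract the confirmation, never verify it here.
final class DeleteSessionProcessor implements ProcessorInterface
{
    public function __construct(private CommandBus $bus, private Security $security) {}

    public function process(mixed $data, Operation $operation, array $uriVariables = [], array $context = []): mixed
    {
        /** @var Request $request  (assumption: API Platform puts the Request in the context) */
        $request = $context['request'];
        // Prefer a JSON body {"currentPassword": "..."}; accept the header as a fallback.
        $body = json_decode($request->getContent() ?: '{}', true, 512, JSON_THROW_ON_ERROR);
        $password = $body['currentPassword'] ?? $request->headers->get('X-CURRENT-PASSWORD');
        if (!is_string($password) || $password === '') {
            throw new BadRequestHttpException('Current password confirmation is required.');
        }
        $this->bus->dispatch(new DeleteSessionCommand(
            user: $this->security->getUser(),
            sessionId: (string) $uriVariables['id'],
            currentPassword: $password,
        ));
        return null; // no output: API Platform answers 204 No Content
    }
}

// Domain/application layer: the password check is a business rule, so it lives here.
final class DeleteSessionHandler
{
    public function __construct(private PasswordVerifier $verifier, private SessionRepository $sessions) {}

    public function __invoke(DeleteSessionCommand $command): void
    {
        // Fail closed: the session is only removed once the caller proves the current password.
        if (!$this->verifier->matches($command->user, $command->currentPassword)) {
            throw new AccessDeniedException('Current password does not match.');
        }
        $this->sessions->delete($command->user, $command->sessionId);
    }
}
```

Whichever carrier you keep, confirm that your reverse proxy neither strips DELETE bodies nor writes the header into access logs, since the value is a live credential.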
