Symfony version(s) affected
7.0.3
Description
Contrary to the docs, the form login authenticator also kicks in on multipart/form-data forms, when form_only is set to true.
Was this behavior changed when switching to the new Authenticator-based security system recently?
How to reproduce
https://symfony.com/doc/current/reference/configuration/security.html#form-only says about form_only: true:
it checks that the request content-type is application/x-www-form-urlencoded
However, when I send (another) form to check_path with this header:
Content-Type: multipart/form-data; boundary=---------------------------411040105842114354384279440350
... I still get the error:
The key "_username" must be a string, "NULL" given.
i.e. the form login authenticator handles the request.
Possible Solution
The easiest fix would be to adjust the docs ;-)
But changing the behavior to adhere to the docs would in fact bring a new feature, namely the ability to have another form (besides the login form) on check_path - which is what I'd need (see below).
Additional Context
What I want is to also process another form on my check_path. But the form login authenticator always intercepts the submission. So I figured to change this other form's enctype to multipart/form-data ;-)
Is there a better/cleaner way?
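
To see how a multipart/form-data request can still pass a content-type gate, this added example (not part of the issue and not Symfony's own code) compares an exact media-type check, as the docs describe it, with a check on HttpFoundation's coarse content-type format. The helper names, the `/login` path and the sample headers are assumptions; whether the authenticator decides on the format-based check is not confirmed by this page.

```php
<?php
// Added example, not Symfony's own code.
// Assumes symfony/http-foundation 6.2+ is installed via Composer.
require __DIR__.'/vendor/autoload.php';

use Symfony\Component\HttpFoundation\Request;

/** Hypothetical helper: the check as the docs word it (exact media type). */
function isUrlencodedOnly(Request $request): bool
{
    // Drop parameters such as "; charset=..." or "; boundary=..." before comparing.
    $header = (string) $request->headers->get('Content-Type');
    $mediaType = strtolower(trim(explode(';', $header)[0]));

    return 'application/x-www-form-urlencoded' === $mediaType;
}

/** Hypothetical helper: a check on the coarse "form" format instead. */
function isFormFormat(Request $request): bool
{
    // HttpFoundation maps several MIME types onto one format name.
    return 'form' === $request->getContentTypeFormat();
}

// Constructed sample headers; "/login" stands in for the configured check_path.
$samples = [
    'application/x-www-form-urlencoded',
    'multipart/form-data; boundary=----constructed-boundary',
    'application/json',
];

foreach ($samples as $contentType) {
    $request = Request::create('/login', 'POST', [], [], [], [
        'CONTENT_TYPE' => $contentType,
    ]);

    printf(
        "%-56s strict=%-5s format=%s\n",
        $contentType,
        var_export(isUrlencodedOnly($request), true),
        var_export(isFormFormat($request), true)
    );
}
```

Any row where the two columns disagree marks a content type that a format-based gate would hand to the login authenticator although the documented wording excludes it.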