The EntityResource controller class has a deserialize() method which takes care of building the entity object from the submitted request data.
At some point, if either UnexpectedValueException or InvalidArgumentException are thrown by the underlying serialized, it is catched and an UnprocessableHttpEntityException is thrown by the method itself.
try {
...
}
// These two serialization exception types mean there was a problem with
// the structure of the decoded data and it's not valid.
catch (UnexpectedValueException $e) {
throw new UnprocessableHttpEntityException($e->getMessage());
}
catch (InvalidArgumentException $e) {
throw new UnprocessableHttpEntityException($e->getMessage());
}
The issue here is that, per its signature, UnprocessableHttpEntityException first argument should be an Exception object, not a string. When one of this situation occurs, a TypeError is thrown by PHP, breaking the execution flow and leading to a 5xx error instead of a JSON:API managed 4xx error.