Restore eraseCredentials() for Symfony 7.3 compatibility and manually clear plainPassword after hashing

kdefarge · web-flow · commit 850762581434 · 2025-08-17T21:52:40.000+02:00
- Re-adds the eraseCredentials() method to the User entity, which is still required by the UserInterface in Symfony 7.3.
  Although deprecated since Symfony 7.1, it must remain until Symfony 8.0 for compatibility.

- Adds a manual clearing of the plainPassword field in the password processor after hashing.
  Since eraseCredentials() is no longer called automatically, sensitive data must now be cleared explicitly to avoid leaving passwords in memory or logs.
diff --git a/symfony/user.md b/symfony/user.md
@@ -139,6 +139,17 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     {
         return (string) $this->email;
     }
+
+    /**
+     * @see UserInterface
+     *
+     * Required until Symfony 8.0, where eraseCredentials() will be removed from the interface.
+     * No-op since plainPassword is cleared manually in the password processor.
+     */
+    public function eraseCredentials(): void
+    {
+        // Intentionally left blank
+    }
 }
 ```
 
@@ -251,6 +262,9 @@ final readonly class UserPasswordHasher implements ProcessorInterface
         );
         $data->setPassword($hashedPassword);
 
+        // To avoid leaving sensitive data like the plain password in memory or logs, we manually clear it after hashing.
+        $data->setPlainPassword(null);
+
         return $this->processor->process($data, $operation, $uriVariables, $context);
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -139,6 +139,17 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface`
`139`	`139`	`{`
`140`	`140`	`return (string) $this->email;`
`141`	`141`	`}`
	`142`	`+`
	`143`	`+ /**`
	`144`	`+ * @see UserInterface`
	`145`	`+ *`
	`146`	`+ * Required until Symfony 8.0, where eraseCredentials() will be removed from the interface.`
	`147`	`+ * No-op since plainPassword is cleared manually in the password processor.`
	`148`	`+ */`
	`149`	`+ public function eraseCredentials(): void`
	`150`	`+ {`
	`151`	`+ // Intentionally left blank`
	`152`	`+ }`
`142`	`153`	`}`
`143`	`154`	```
`144`	`155`
`@@ -251,6 +262,9 @@ final readonly class UserPasswordHasher implements ProcessorInterface`
`251`	`262`	`);`
`252`	`263`	`$data->setPassword($hashedPassword);`
`253`	`264`
	`265`	`+ // To avoid leaving sensitive data like the plain password in memory or logs, we manually clear it after hashing.`
	`266`	`+ $data->setPlainPassword(null);`
	`267`	`+`
`254`	`268`	`return $this->processor->process($data, $operation, $uriVariables, $context);`
`255`	`269`	`}`
`256`	`270`	`}`