fix: make TrustedDeviceTokenStorage conform to ResetInterface

dt-thomas-durand · dt-thomas-durand · commit 0e6cbce29139 · 2025-03-21T15:46:44.000+01:00
In certain scenarios, TrustedDeviceTokenStorage might not be re-instanciated between requests.
That's the case when multiple requests are handled by a single worker, like when serving the application with RoadRunner or with FrankenPHP.
In that case, the trusted_device cookie leak from a request to another, and break the feature entirely.
By implementing ResetInterface, the storage is now properly reseted between requests
diff --git a/src/trusted-device/Security/TwoFactor/Trusted/TrustedDeviceTokenStorage.php b/src/trusted-device/Security/TwoFactor/Trusted/TrustedDeviceTokenStorage.php
@@ -7,14 +7,15 @@
 use RuntimeException;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
+use Symfony\Contracts\Service\ResetInterface;
 use function array_map;
 use function explode;
 use function implode;
 
 /**
  * @final
  */
-class TrustedDeviceTokenStorage
+class TrustedDeviceTokenStorage implements ResetInterface
 {
     private const TOKEN_DELIMITER = ';';
 
@@ -100,6 +101,12 @@ public function clearTrustedToken(string $username, string $firewall): void
         $this->updateCookie = true;
     }
 
+    public function reset(): void
+    {
+        $this->updateCookie = false;
+        $this->trustedTokenList = null;
+    }
+
     /**
      * @return TrustedDeviceToken[]
      */
