feature #42423 [Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials (wouterj)

This PR was squashed before being merged into the 5.4 branch.

Discussion
----------

[Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials

| Q             | A
| ------------- | ---
| Branch?       | 5.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Tickets       | Ref #41613, #34909
| License       | MIT
| Doc PR        | -

This is a continuation of `@xabbuh`'s experiment in #34909 and `@chalasr`'s work in #42050. This hopefully is the last cleanup of `TokenInterface`:

* As tokens now always represent an authenticated user (and no longer e.g. the "username" input of the form), we can finally remove the weird `string|\Stringable` union from `Token::getUser()` and other helper methods and require a user to be an instance of `UserInterface`.
* For the same reason, we can also deprecate token credentials. I didn't deprecate `Token::eraseCredentials()` as this is still used to remove credentials from `UserInterface`.
* Meanwhile, this also deprecated the `AnonymousToken`, which we forgot in 5.3. This token is not used anymore in the new system (anonymous does no longer exists). This was also the only token in core that didn't fulfill the `UserInterface` requirement for authenticated tokens.

Commits
-------

44b843a355 [Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials

Author: fabpot

Controller/AbstractController.php

@@ -395,7 +395,7 @@ protected function getDoctrine(): ManagerRegistry
     /**
      * Get a user from the Security Token Storage.
      *
-     * @return UserInterface|object|null
+     * @return UserInterface|null
      *
      * @throws \LogicException If SecurityBundle is not available
      *
@@ -411,6 +411,7 @@ protected function getUser()
             return null;
         }
 
+        // @deprecated since 5.4, $user will always be a UserInterface instance
         if (!\is_object($user = $token->getUser())) {
             // e.g. anonymous authentication
             return null;

Tests/Controller/AbstractControllerTest.php

@@ -138,14 +138,17 @@ public function testForward()
     public function testGetUser()
     {
         $user = new InMemoryUser('user', 'pass');
-        $token = new UsernamePasswordToken($user, 'pass', 'default', ['ROLE_USER']);
+        $token = new UsernamePasswordToken($user, 'default', ['ROLE_USER']);
 
         $controller = $this->createController();
         $controller->setContainer($this->getContainerWithTokenStorage($token));
 
         $this->assertSame($controller->getUser(), $user);
     }
 
+    /**
+     * @group legacy
+     */
     public function testGetUserAnonymousUserConvertedToNull()
     {
         $token = new AnonymousToken('default', 'anon.');

composer.json

@@ -53,7 +53,7 @@
         "symfony/notifier": "^5.3|^6.0",
         "symfony/process": "^4.4|^5.0|^6.0",
         "symfony/rate-limiter": "^5.2|^6.0",
-        "symfony/security-bundle": "^5.3|^6.0",
+        "symfony/security-bundle": "^5.4|^6.0",
         "symfony/serializer": "^5.4|^6.0",
         "symfony/stopwatch": "^4.4|^5.0|^6.0",
         "symfony/string": "^5.0|^6.0",
@@ -89,7 +89,6 @@
         "symfony/property-access": "<5.3",
         "symfony/serializer": "<5.2",
         "symfony/security-csrf": "<5.3",
-        "symfony/security-core": "<5.3",
         "symfony/stopwatch": "<4.4",
         "symfony/translation": "<5.3",
         "symfony/twig-bridge": "<4.4",