[SecurityBundle] Rename firewalls.logout.csrf_token_generator to firewalls.logout.csrf_token_manager

Author: MatTheCat

CHANGELOG.md

@@ -9,6 +9,7 @@ CHANGELOG
  * Add `StatelessAuthenticatorFactoryInterface` for authenticators targeting `stateless` firewalls only and that don't require a user provider
  * Modify "icon.svg" to improve accessibility for blind/low vision users
  * Make `Security::login()` return the authenticator response
+ * Deprecate the `security.firewalls.logout.csrf_token_generator` config option, use `security.firewalls.logout.csrf_token_manager` instead
 
 6.2
 ---

DependencyInjection/MainConfiguration.php

@@ -217,12 +217,20 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                 ->treatTrueLike([])
                 ->canBeUnset()
                 ->beforeNormalization()
-                    ->ifTrue(fn ($v): bool => \is_array($v) && (isset($v['csrf_token_generator']) xor isset($v['enable_csrf'])))
+                    ->ifTrue(fn ($v): bool => isset($v['csrf_token_generator']) && !isset($v['csrf_token_manager']))
                     ->then(function (array $v): array {
-                        if (isset($v['csrf_token_generator'])) {
+                        $v['csrf_token_manager'] = $v['csrf_token_generator'];
+
+                        return $v;
+                    })
+                ->end()
+                ->beforeNormalization()
+                    ->ifTrue(fn ($v): bool => \is_array($v) && (isset($v['csrf_token_manager']) xor isset($v['enable_csrf'])))
+                    ->then(function (array $v): array {
+                        if (isset($v['csrf_token_manager'])) {
                             $v['enable_csrf'] = true;
                         } elseif ($v['enable_csrf']) {
-                            $v['csrf_token_generator'] = 'security.csrf.token_manager';
+                            $v['csrf_token_manager'] = 'security.csrf.token_manager';
                         }
 
                         return $v;
@@ -232,7 +240,14 @@ private function addFirewallsSection(ArrayNodeDefinition $rootNode, array $facto
                     ->booleanNode('enable_csrf')->defaultNull()->end()
                     ->scalarNode('csrf_token_id')->defaultValue('logout')->end()
                     ->scalarNode('csrf_parameter')->defaultValue('_csrf_token')->end()
-                    ->scalarNode('csrf_token_generator')->end()
+                    ->scalarNode('csrf_token_generator')
+                        ->setDeprecated(
+                            'symfony/security-bundle',
+                            '6.3',
+                            'The "%node%" option is deprecated. Use "csrf_token_manager" instead.'
+                        )
+                    ->end()
+                    ->scalarNode('csrf_token_manager')->end()
                     ->scalarNode('path')->defaultValue('/logout')->end()
                     ->scalarNode('target')->defaultValue('/')->end()
                     ->booleanNode('invalidate_session')->defaultTrue()->end()

DependencyInjection/SecurityExtension.php

@@ -458,7 +458,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
 
             // add CSRF provider
             if ($firewall['logout']['enable_csrf']) {
-                $logoutListener->addArgument(new Reference($firewall['logout']['csrf_token_generator']));
+                $logoutListener->addArgument(new Reference($firewall['logout']['csrf_token_manager']));
             }
 
             // add session logout listener
@@ -482,7 +482,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
                     $firewall['logout']['path'],
                     $firewall['logout']['csrf_token_id'],
                     $firewall['logout']['csrf_parameter'],
-                    isset($firewall['logout']['csrf_token_generator']) ? new Reference($firewall['logout']['csrf_token_generator']) : null,
+                    isset($firewall['logout']['csrf_token_manager']) ? new Reference($firewall['logout']['csrf_token_manager']) : null,
                     false === $firewall['stateless'] && isset($firewall['context']) ? $firewall['context'] : null,
                 ])
             ;

Tests/DependencyInjection/MainConfigurationTest.php

@@ -71,7 +71,7 @@ public function testCsrfAliases()
             'firewalls' => [
                 'stub' => [
                     'logout' => [
-                        'csrf_token_generator' => 'a_token_generator',
+                        'csrf_token_manager' => 'a_token_manager',
                         'csrf_token_id' => 'a_token_id',
                     ],
                 ],
@@ -82,8 +82,8 @@ public function testCsrfAliases()
         $processor = new Processor();
         $configuration = new MainConfiguration([], []);
         $processedConfig = $processor->processConfiguration($configuration, [$config]);
-        $this->assertArrayHasKey('csrf_token_generator', $processedConfig['firewalls']['stub']['logout']);
-        $this->assertEquals('a_token_generator', $processedConfig['firewalls']['stub']['logout']['csrf_token_generator']);
+        $this->assertArrayHasKey('csrf_token_manager', $processedConfig['firewalls']['stub']['logout']);
+        $this->assertEquals('a_token_manager', $processedConfig['firewalls']['stub']['logout']['csrf_token_manager']);
         $this->assertArrayHasKey('csrf_token_id', $processedConfig['firewalls']['stub']['logout']);
         $this->assertEquals('a_token_id', $processedConfig['firewalls']['stub']['logout']['csrf_token_id']);
     }
@@ -92,13 +92,13 @@ public function testLogoutCsrf()
     {
         $config = [
             'firewalls' => [
-                'custom_token_generator' => [
+                'custom_token_manager' => [
                     'logout' => [
-                        'csrf_token_generator' => 'a_token_generator',
+                        'csrf_token_manager' => 'a_token_manager',
                         'csrf_token_id' => 'a_token_id',
                     ],
                 ],
-                'default_token_generator' => [
+                'default_token_manager' => [
                     'logout' => [
                         'enable_csrf' => true,
                         'csrf_token_id' => 'a_token_id',
@@ -121,18 +121,18 @@ public function testLogoutCsrf()
         $processedConfig = $processor->processConfiguration($configuration, [$config]);
 
         $assertions = [
-            'custom_token_generator' => [true, 'a_token_generator'],
-            'default_token_generator' => [true, 'security.csrf.token_manager'],
+            'custom_token_manager' => [true, 'a_token_manager'],
+            'default_token_manager' => [true, 'security.csrf.token_manager'],
             'disabled_csrf' => [false, null],
             'empty' => [false, null],
         ];
-        foreach ($assertions as $firewallName => [$enabled, $tokenGenerator]) {
+        foreach ($assertions as $firewallName => [$enabled, $tokenManager]) {
             $this->assertEquals($enabled, $processedConfig['firewalls'][$firewallName]['logout']['enable_csrf']);
-            if ($tokenGenerator) {
-                $this->assertEquals($tokenGenerator, $processedConfig['firewalls'][$firewallName]['logout']['csrf_token_generator']);
+            if ($tokenManager) {
+                $this->assertEquals($tokenManager, $processedConfig['firewalls'][$firewallName]['logout']['csrf_token_manager']);
                 $this->assertEquals('a_token_id', $processedConfig['firewalls'][$firewallName]['logout']['csrf_token_id']);
             } else {
-                $this->assertArrayNotHasKey('csrf_token_generator', $processedConfig['firewalls'][$firewallName]['logout']);
+                $this->assertArrayNotHasKey('csrf_token_manager', $processedConfig['firewalls'][$firewallName]['logout']);
             }
         }
     }

Tests/Functional/app/CsrfFormLogin/base_config.yml

@@ -43,7 +43,7 @@ security:
             logout:
                 path: /logout_path
                 target: /
-                csrf_token_generator: security.csrf.token_manager
+                csrf_token_manager: security.csrf.token_manager
 
     access_control:
         - { path: .*, roles: IS_AUTHENTICATED_FULLY }