Merge branch '3.4' into 4.3

* 3.4:
  [Security] Fix clearing remember-me cookie after deauthentication
  more robust initialization from request

Author: nicolas-grekas

DependencyInjection/Security/Factory/RememberMeFactory.php

@@ -83,7 +83,11 @@ public function create(ContainerBuilder $container, $id, $config, $userProvider,
                     throw new \RuntimeException('Each "security.remember_me_aware" tag must have a provider attribute.');
                 }
 
-                $userProviders[] = new Reference($attribute['provider']);
+                // context listeners don't need a provider
+                if ('none' !== $attribute['provider']) {
+                    $userProviders[] = new Reference($attribute['provider']);
+                }
+
                 $container
                     ->getDefinition($serviceId)
                     ->addMethodCall('setRememberMeServices', [new Reference($rememberMeServicesId)])

DependencyInjection/SecurityExtension.php

@@ -321,10 +321,11 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         $listeners[] = new Reference('security.channel_listener');
 
         $contextKey = null;
+        $contextListenerId = null;
         // Context serializer listener
         if (false === $firewall['stateless']) {
             $contextKey = $firewall['context'] ?? $id;
-            $listeners[] = new Reference($this->createContextListener($container, $contextKey));
+            $listeners[] = new Reference($contextListenerId = $this->createContextListener($container, $contextKey));
             $sessionStrategyId = 'security.authentication.session_strategy';
         } else {
             $this->statelessFirewallKeys[] = $id;
@@ -397,7 +398,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
         $configuredEntryPoint = isset($firewall['entry_point']) ? $firewall['entry_point'] : null;
 
         // Authentication listeners
-        list($authListeners, $defaultEntryPoint) = $this->createAuthenticationListeners($container, $id, $firewall, $authenticationProviders, $defaultProvider, $providerIds, $configuredEntryPoint);
+        list($authListeners, $defaultEntryPoint) = $this->createAuthenticationListeners($container, $id, $firewall, $authenticationProviders, $defaultProvider, $providerIds, $configuredEntryPoint, $contextListenerId);
 
         $config->replaceArgument(7, $configuredEntryPoint ?: $defaultEntryPoint);
 
@@ -452,7 +453,7 @@ private function createContextListener($container, $contextKey)
         return $this->contextListeners[$contextKey] = $listenerId;
     }
 
-    private function createAuthenticationListeners($container, $id, $firewall, &$authenticationProviders, $defaultProvider = null, array $providerIds, $defaultEntryPoint)
+    private function createAuthenticationListeners($container, $id, $firewall, &$authenticationProviders, $defaultProvider = null, array $providerIds, $defaultEntryPoint, $contextListenerId = null)
     {
         $listeners = [];
         $hasListeners = false;
@@ -470,6 +471,10 @@ private function createAuthenticationListeners($container, $id, $firewall, &$aut
                     } elseif ('remember_me' === $key) {
                         // RememberMeFactory will use the firewall secret when created
                         $userProvider = null;
+
+                        if ($contextListenerId) {
+                            $container->getDefinition($contextListenerId)->addTag('security.remember_me_aware', ['id' => $id, 'provider' => 'none']);
+                        }
                     } elseif ($defaultProvider) {
                         $userProvider = $defaultProvider;
                     } elseif (empty($providerIds)) {

Tests/Functional/ClearRememberMeTest.php

@@ -0,0 +1,77 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\Tests\Functional;
+
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\User\InMemoryUserProvider;
+use Symfony\Component\Security\Core\User\User;
+use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Core\User\UserProviderInterface;
+
+class ClearRememberMeTest extends AbstractWebTestCase
+{
+    public function testUserChangeClearsCookie()
+    {
+        $client = $this->createClient(['test_case' => 'ClearRememberMe', 'root_config' => 'config.yml']);
+
+        $client->request('POST', '/login', [
+            '_username' => 'johannes',
+            '_password' => 'test',
+        ]);
+
+        $this->assertSame(302, $client->getResponse()->getStatusCode());
+        $cookieJar = $client->getCookieJar();
+        $this->assertNotNull($cookieJar->get('REMEMBERME'));
+
+        $client->request('GET', '/foo');
+        $this->assertSame(200, $client->getResponse()->getStatusCode());
+        $this->assertNull($cookieJar->get('REMEMBERME'));
+    }
+}
+
+class RememberMeFooController
+{
+    public function __invoke(UserInterface $user)
+    {
+        return new Response($user->getUsername());
+    }
+}
+
+class RememberMeUserProvider implements UserProviderInterface
+{
+    private $inner;
+
+    public function __construct(InMemoryUserProvider $inner)
+    {
+        $this->inner = $inner;
+    }
+
+    public function loadUserByUsername($username)
+    {
+        return $this->inner->loadUserByUsername($username);
+    }
+
+    public function refreshUser(UserInterface $user)
+    {
+        $user = $this->inner->refreshUser($user);
+
+        $alterUser = \Closure::bind(function (User $user) { $user->password = 'foo'; }, null, User::class);
+        $alterUser($user);
+
+        return $user;
+    }
+
+    public function supportsClass($class)
+    {
+        return $this->inner->supportsClass($class);
+    }
+}

Tests/Functional/app/ClearRememberMe/bundles.php

@@ -0,0 +1,18 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+use Symfony\Bundle\FrameworkBundle\FrameworkBundle;
+use Symfony\Bundle\SecurityBundle\SecurityBundle;
+
+return [
+    new FrameworkBundle(),
+    new SecurityBundle(),
+];

Tests/Functional/app/ClearRememberMe/config.yml

@@ -0,0 +1,31 @@
+imports:
+    - { resource: ./../config/framework.yml }
+
+security:
+    encoders:
+        Symfony\Component\Security\Core\User\User: plaintext
+
+    providers:
+        in_memory:
+            memory:
+                users:
+                    johannes: { password: test, roles: [ROLE_USER] }
+
+    firewalls:
+        default:
+            form_login:
+                check_path: login
+                remember_me: true
+            remember_me:
+                always_remember_me: true
+                secret: key
+            anonymous: ~
+
+    access_control:
+        - { path: ^/foo, roles: ROLE_USER }
+
+services:
+    Symfony\Bundle\SecurityBundle\Tests\Functional\RememberMeUserProvider:
+        public: true
+        decorates: security.user.provider.concrete.in_memory
+        arguments: ['@Symfony\Bundle\SecurityBundle\Tests\Functional\RememberMeUserProvider.inner']

Tests/Functional/app/ClearRememberMe/routing.yml

@@ -0,0 +1,7 @@
+login:
+    path: /login
+
+foo:
+    path: /foo
+    defaults:
+        _controller: Symfony\Bundle\SecurityBundle\Tests\Functional\RememberMeFooController

composer.json

@@ -24,7 +24,7 @@
         "symfony/security-core": "~4.3",
         "symfony/security-csrf": "~4.2",
         "symfony/security-guard": "~4.2",
-        "symfony/security-http": "^4.3.8"
+        "symfony/security-http": "~4.3.9|^4.4.1"
     },
     "require-dev": {
         "symfony/asset": "~3.4|~4.0",