symfony
diff --git a/‎DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPass.php
Lines changed: 2 additions & 0 deletions b/‎DependencyInjection/Compiler/RegisterGlobalSecurityEventListenersPass.php
Lines changed: 2 additions & 0 deletions
diff --git a/‎DependencyInjection/Compiler/ReplaceDecoratedRememberMeHandlerPass.php
Lines changed: 61 additions & 0 deletions b/‎DependencyInjection/Compiler/ReplaceDecoratedRememberMeHandlerPass.php
Lines changed: 61 additions & 0 deletions
diff --git a/‎DependencyInjection/Security/Factory/LoginLinkFactory.php
Lines changed: 10 additions & 4 deletions b/‎DependencyInjection/Security/Factory/LoginLinkFactory.php
Lines changed: 10 additions & 4 deletions
diff --git a/‎DependencyInjection/Security/Factory/RememberMeFactory.php
Lines changed: 97 additions & 28 deletions b/‎DependencyInjection/Security/Factory/RememberMeFactory.php
Lines changed: 97 additions & 28 deletions
diff --git a/‎DependencyInjection/SecurityExtension.php
Lines changed: 7 additions & 2 deletions b/‎DependencyInjection/SecurityExtension.php
Lines changed: 7 additions & 2 deletions
@@ -21,6 +21,7 @@
 use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\Event\TokenDeauthenticatedEvent;
 use Symfony\Component\Security\Http\SecurityEvents;
 
 /**
@@ -44,6 +45,7 @@ class RegisterGlobalSecurityEventListenersPass implements CompilerPassInterface
         AuthenticationTokenCreatedEvent::class,
         AuthenticationSuccessEvent::class,
         InteractiveLoginEvent::class,
+        TokenDeauthenticatedEvent::class,
 
         // When events are registered by their name
         AuthenticationEvents::AUTHENTICATION_SUCCESS,
 
@@ -0,0 +1,61 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <[email protected]>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Compiler;
+
+use Symfony\Bundle\SecurityBundle\RememberMe\DecoratedRememberMeHandler;
+use Symfony\Component\DependencyInjection\Compiler\CompilerPassInterface;
+use Symfony\Component\DependencyInjection\ContainerBuilder;
+
+/**
+ * Replaces the DecoratedRememberMeHandler services with the real definition.
+ *
+ * @author Wouter de Jong <[email protected]>
+ *
+ * @internal
+ */
+final class ReplaceDecoratedRememberMeHandlerPass implements CompilerPassInterface
+{
+    private const HANDLER_TAG = 'security.remember_me_handler';
+
+    /**
+     * {@inheritdoc}
+     */
+    public function process(ContainerBuilder $container): void
+    {
+        $handledFirewalls = [];
+        foreach ($container->findTaggedServiceIds(self::HANDLER_TAG) as $definitionId => $rememberMeHandlerTags) {
+            $definition = $container->findDefinition($definitionId);
+            if (DecoratedRememberMeHandler::class !== $definition->getClass()) {
+                continue;
+            }
+
+            // get the actual custom remember me handler definition (passed to the decorator)
+            $realRememberMeHandler = $container->findDefinition((string) $definition->getArgument(0));
+            if (null === $realRememberMeHandler) {
+                throw new \LogicException(sprintf('Invalid service definition for custom remember me handler; no service found with ID "%s".', (string) $definition->getArgument(0)));
+            }
+
+            foreach ($rememberMeHandlerTags as $rememberMeHandlerTag) {
+                // some custom handlers may be used on multiple firewalls in the same application
+                if (\in_array($rememberMeHandlerTag['firewall'], $handledFirewalls, true)) {
+                    continue;
+                }
+
+                $rememberMeHandler = clone $realRememberMeHandler;
+                $rememberMeHandler->addTag(self::HANDLER_TAG, $rememberMeHandlerTag);
+                $container->setDefinition('security.authenticator.remember_me_handler.'.$rememberMeHandlerTag['firewall'], $rememberMeHandler);
+
+                $handledFirewalls[] = $rememberMeHandlerTag['firewall'];
+            }
+        }
+    }
+}
@@ -113,18 +113,24 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
                 ->replaceArgument(1, $config['lifetime']);
         }
 
+        $signatureHasherId = 'security.authenticator.login_link_signature_hasher.'.$firewallName;
+        $container
+            ->setDefinition($signatureHasherId, new ChildDefinition('security.authenticator.abstract_login_link_signature_hasher'))
+            ->replaceArgument(1, $config['signature_properties'])
+            ->replaceArgument(3, $expiredStorageId ? new Reference($expiredStorageId) : null)
+            ->replaceArgument(4, $config['max_uses'] ?? null)
+        ;
+
         $linkerId = 'security.authenticator.login_link_handler.'.$firewallName;
         $linkerOptions = [
             'route_name' => $config['check_route'],
             'lifetime' => $config['lifetime'],
-            'max_uses' => $config['max_uses'] ?? null,
         ];
         $container
             ->setDefinition($linkerId, new ChildDefinition('security.authenticator.abstract_login_link_handler'))
             ->replaceArgument(1, new Reference($userProviderId))
-            ->replaceArgument(3, $config['signature_properties'])
-            ->replaceArgument(5, $linkerOptions)
-            ->replaceArgument(6, $expiredStorageId ? new Reference($expiredStorageId) : null)
+            ->replaceArgument(2, new Reference($signatureHasherId))
+            ->replaceArgument(3, $linkerOptions)
             ->addTag('security.authenticator.login_linker', ['firewall' => $firewallName])
         ;
 
 
@@ -11,11 +11,16 @@
 
 namespace Symfony\Bundle\SecurityBundle\DependencyInjection\Security\Factory;
 
+use Symfony\Bridge\Doctrine\Security\RememberMe\DoctrineTokenProvider;
+use Symfony\Bundle\SecurityBundle\RememberMe\DecoratedRememberMeHandler;
 use Symfony\Component\Config\Definition\Builder\NodeDefinition;
+use Symfony\Component\Config\Definition\Exception\InvalidConfigurationException;
+use Symfony\Component\Config\FileLocator;
 use Symfony\Component\DependencyInjection\Argument\IteratorArgument;
 use Symfony\Component\DependencyInjection\ChildDefinition;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 use Symfony\Component\DependencyInjection\Definition;
+use Symfony\Component\DependencyInjection\Loader\PhpFileLoader;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\HttpFoundation\Cookie;
 use Symfony\Component\Security\Http\EventListener\RememberMeLogoutListener;
@@ -94,31 +99,66 @@ public function create(ContainerBuilder $container, string $id, array $config, ?
 
     public function createAuthenticator(ContainerBuilder $container, string $firewallName, array $config, string $userProviderId): string
     {
-        $templateId = $this->generateRememberMeServicesTemplateId($config, $firewallName);
-        $rememberMeServicesId = $templateId.'.'.$firewallName;
+        if (!$container->hasDefinition('security.authenticator.remember_me')) {
+            $loader = new PhpFileLoader($container, new FileLocator(\dirname(__DIR__).'/../../Resources/config'));
+            $loader->load('security_authenticator_remember_me.php');
+        }
+
+        // create remember me handler (which manage the remember-me cookies)
+        $rememberMeHandlerId = 'security.authenticator.remember_me_handler.'.$firewallName;
+        if (isset($config['service']) && isset($config['token_provider'])) {
+            throw new InvalidConfigurationException(sprintf('You cannot use both "service" and "token_provider" in "security.firewalls.%s.remember_me".', $firewallName));
+        }
+
+        if (isset($config['service'])) {
+            $container->register($rememberMeHandlerId, DecoratedRememberMeHandler::class)
+                ->addArgument(new Reference($config['service']))
+                ->addTag('security.remember_me_handler', ['firewall' => $firewallName]);
+        } elseif (isset($config['token_provider'])) {
+            $tokenProviderId = $this->createTokenProvider($container, $firewallName, $config['token_provider']);
+            $container->setDefinition($rememberMeHandlerId, new ChildDefinition('security.authenticator.persistent_remember_me_handler'))
+                ->replaceArgument(0, new Reference($tokenProviderId))
+                ->replaceArgument(2, new Reference($userProviderId))
+                ->replaceArgument(4, $config)
+                ->addTag('security.remember_me_handler', ['firewall' => $firewallName]);
+        } else {
+            $signatureHasherId = 'security.authenticator.remember_me_signature_hasher.'.$firewallName;
+            $container->setDefinition($signatureHasherId, new ChildDefinition('security.authenticator.remember_me_signature_hasher'))
+                ->replaceArgument(1, $config['signature_properties'])
+            ;
+
+            $container->setDefinition($rememberMeHandlerId, new ChildDefinition('security.authenticator.signature_remember_me_handler'))
+                ->replaceArgument(0, new Reference($signatureHasherId))
+                ->replaceArgument(1, new Reference($userProviderId))
+                ->replaceArgument(3, $config)
+                ->addTag('security.remember_me_handler', ['firewall' => $firewallName]);
+        }
 
-        // create remember me services (which manage the remember me cookies)
-        $this->createRememberMeServices($container, $firewallName, $templateId, [new Reference($userProviderId)], $config);
+        // create check remember me conditions listener (which checks if a remember-me cookie is supported and requested)
+        $rememberMeConditionsListenerId = 'security.listener.check_remember_me_conditions.'.$firewallName;
+        $container->setDefinition($rememberMeConditionsListenerId, new ChildDefinition('security.listener.check_remember_me_conditions'))
+            ->replaceArgument(0, array_intersect_key($config, ['always_remember_me' => true, 'remember_me_parameter' => true]))
+            ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
+        ;
 
         // create remember me listener (which executes the remember me services for other authenticators and logout)
-        $this->createRememberMeListener($container, $firewallName, $rememberMeServicesId);
+        $rememberMeListenerId = 'security.listener.remember_me.'.$firewallName;
+        $container->setDefinition($rememberMeListenerId, new ChildDefinition('security.listener.remember_me'))
+            ->replaceArgument(0, new Reference($rememberMeHandlerId))
+            ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
+        ;
 
-        // create remember me authenticator (which re-authenticates the user based on the remember me cookie)
+        // create remember me authenticator (which re-authenticates the user based on the remember-me cookie)
         $authenticatorId = 'security.authenticator.remember_me.'.$firewallName;
         $container
             ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.remember_me'))
-            ->replaceArgument(0, new Reference($rememberMeServicesId))
-            ->replaceArgument(3, $container->getDefinition($rememberMeServicesId)->getArgument(3))
+            ->replaceArgument(0, new Reference($rememberMeHandlerId))
+            ->replaceArgument(3, $config['name'] ?? $this->options['name'])
         ;
 
         foreach ($container->findTaggedServiceIds('security.remember_me_aware') as $serviceId => $attributes) {
             // register ContextListener
             if ('security.context_listener' === substr($serviceId, 0, 25)) {
-                $container
-                    ->getDefinition($serviceId)
-                    ->addMethodCall('setRememberMeServices', [new Reference($rememberMeServicesId)])
-                ;
-
                 continue;
             }
 
@@ -148,15 +188,33 @@ public function addConfiguration(NodeDefinition $node)
         $builder
             ->scalarNode('secret')->isRequired()->cannotBeEmpty()->end()
             ->scalarNode('service')->end()
-            ->scalarNode('token_provider')->end()
             ->arrayNode('user_providers')
                 ->beforeNormalization()
                     ->ifString()->then(function ($v) { return [$v]; })
                 ->end()
                 ->prototype('scalar')->end()
             ->end()
             ->booleanNode('catch_exceptions')->defaultTrue()->end()
-        ;
+            ->arrayNode('signature_properties')
+                ->prototype('scalar')->end()
+                ->requiresAtLeastOneElement()
+                ->info('An array of properties on your User that are used to sign the remember-me cookie. If any of these change, all existing cookies will become invalid.')
+                ->example(['email', 'password'])
+            ->end()
+            ->arrayNode('token_provider')
+                ->beforeNormalization()
+                    ->ifString()->then(function ($v) { return ['service' => $v]; })
+                ->end()
+                ->children()
+                    ->scalarNode('service')->info('The service ID of a custom rememberme token provider.')->end()
+                    ->arrayNode('doctrine')
+                        ->canBeEnabled()
+                        ->children()
+                            ->scalarNode('connection')->defaultNull()->end()
+                        ->end()
+                    ->end()
+                ->end()
+            ->end();
 
         foreach ($this->options as $name => $value) {
             if ('secure' === $name) {
@@ -195,9 +253,8 @@ private function createRememberMeServices(ContainerBuilder $container, string $i
         $rememberMeServices->replaceArgument(2, $id);
 
         if (isset($config['token_provider'])) {
-            $rememberMeServices->addMethodCall('setTokenProvider', [
-                new Reference($config['token_provider']),
-            ]);
+            $tokenProviderId = $this->createTokenProvider($container, $id, $config['token_provider']);
+            $rememberMeServices->addMethodCall('setTokenProvider', [new Reference($tokenProviderId)]);
         }
 
         // remember-me options
@@ -222,17 +279,29 @@ private function createRememberMeServices(ContainerBuilder $container, string $i
         $rememberMeServices->replaceArgument(0, new IteratorArgument(array_unique($userProviders)));
     }
 
-    private function createRememberMeListener(ContainerBuilder $container, string $id, string $rememberMeServicesId): void
+    private function createTokenProvider(ContainerBuilder $container, string $firewallName, array $config): string
     {
-        $container
-            ->setDefinition('security.listener.remember_me.'.$id, new ChildDefinition('security.listener.remember_me'))
-            ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$id])
-            ->replaceArgument(0, new Reference($rememberMeServicesId))
-        ;
+        $tokenProviderId = $config['service'] ?? false;
+        if ($config['doctrine']['enabled'] ?? false) {
+            if (!class_exists(DoctrineTokenProvider::class)) {
+                throw new InvalidConfigurationException('Cannot use the "doctrine" token provider for "remember_me" because the Doctrine Bridge is not installed. Try running "composer require symfony/doctrine-bridge".');
+            }
 
-        $container
-            ->setDefinition('security.logout.listener.remember_me.'.$id, new Definition(RememberMeLogoutListener::class))
-            ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$id])
-            ->addArgument(new Reference($rememberMeServicesId));
+            if (null === $config['doctrine']['connection']) {
+                $connectionId = 'database_connection';
+            } else {
+                $connectionId = 'doctrine.dbal.'.$config['doctrine']['connection'].'_connection';
+            }
+
+            $tokenProviderId = 'security.remember_me.doctrine_token_provider.'.$firewallName;
+            $container->register($tokenProviderId, DoctrineTokenProvider::class)
+                ->addArgument(new Reference($connectionId));
+        }
+
+        if (!$tokenProviderId) {
+            throw new InvalidConfigurationException(sprintf('No token provider was set for firewall "%s". Either configure a service ID or set "remember_me.token_provider.doctrine" to true.', $firewallName));
+        }
+
+        return $tokenProviderId;
     }
 }
@@ -34,6 +34,7 @@
 use Symfony\Component\EventDispatcher\EventDispatcher;
 use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
 use Symfony\Component\HttpKernel\DependencyInjection\Extension;
+use Symfony\Component\HttpKernel\KernelEvents;
 use Symfony\Component\PasswordHasher\Hasher\NativePasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\Pbkdf2PasswordHasher;
 use Symfony\Component\PasswordHasher\Hasher\PlaintextPasswordHasher;
@@ -392,7 +393,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
         // Context serializer listener
         if (false === $firewall['stateless']) {
             $contextKey = $firewall['context'] ?? $id;
-            $listeners[] = new Reference($contextListenerId = $this->createContextListener($container, $contextKey));
+            $listeners[] = new Reference($contextListenerId = $this->createContextListener($container, $contextKey, $this->authenticatorManagerEnabled ? $firewallEventDispatcherId : null));
             $sessionStrategyId = 'security.authentication.session_strategy';
 
             if ($this->authenticatorManagerEnabled) {
@@ -557,7 +558,7 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
         return [$matcher, $listeners, $exceptionListener, null !== $logoutListenerId ? new Reference($logoutListenerId) : null];
     }
 
-    private function createContextListener(ContainerBuilder $container, string $contextKey)
+    private function createContextListener(ContainerBuilder $container, string $contextKey, ?string $firewallEventDispatcherId)
     {
         if (isset($this->contextListeners[$contextKey])) {
             return $this->contextListeners[$contextKey];
@@ -566,6 +567,10 @@ private function createContextListener(ContainerBuilder $container, string $cont
         $listenerId = 'security.context_listener.'.\count($this->contextListeners);
         $listener = $container->setDefinition($listenerId, new ChildDefinition('security.context_listener'));
         $listener->replaceArgument(2, $contextKey);
+        if (null !== $firewallEventDispatcherId) {
+            $listener->replaceArgument(4, new Reference($firewallEventDispatcherId));
+            $listener->addTag('kernel.event_listener', ['event' => KernelEvents::RESPONSE, 'method' => 'onKernelResponse']);
+        }
 
         return $this->contextListeners[$contextKey] = $listenerId;
     }