symfony
diff --git a/‎Authentication/Token/AbstractToken.php
Lines changed: 4 additions & 0 deletions b/‎Authentication/Token/AbstractToken.php
Lines changed: 4 additions & 0 deletions
diff --git a/‎Authentication/Token/AnonymousToken.php
Lines changed: 4 additions & 0 deletions b/‎Authentication/Token/AnonymousToken.php
Lines changed: 4 additions & 0 deletions
diff --git a/‎Authentication/Token/PreAuthenticatedToken.php
Lines changed: 16 additions & 6 deletions b/‎Authentication/Token/PreAuthenticatedToken.php
Lines changed: 16 additions & 6 deletions
diff --git a/‎Authentication/Token/RememberMeToken.php
Lines changed: 3 additions & 1 deletion b/‎Authentication/Token/RememberMeToken.php
Lines changed: 3 additions & 1 deletion
diff --git a/‎Authentication/Token/SwitchUserToken.php
Lines changed: 20 additions & 4 deletions b/‎Authentication/Token/SwitchUserToken.php
Lines changed: 20 additions & 4 deletions
diff --git a/‎Authentication/Token/TokenInterface.php
Lines changed: 5 additions & 6 deletions b/‎Authentication/Token/TokenInterface.php
Lines changed: 5 additions & 6 deletions
diff --git a/‎Authentication/Token/UsernamePasswordToken.php
Lines changed: 14 additions & 5 deletions b/‎Authentication/Token/UsernamePasswordToken.php
Lines changed: 14 additions & 5 deletions
diff --git a/‎CHANGELOG.md
Lines changed: 3 additions & 0 deletions b/‎CHANGELOG.md
Lines changed: 3 additions & 0 deletions
diff --git a/‎Security.php
Lines changed: 2 additions & 0 deletions b/‎Security.php
Lines changed: 2 additions & 0 deletions
diff --git a/‎Tests/Authentication/AuthenticationTrustResolverTest.php
Lines changed: 25 additions & 17 deletions b/‎Tests/Authentication/AuthenticationTrustResolverTest.php
Lines changed: 25 additions & 17 deletions
@@ -99,6 +99,10 @@ public function setUser($user)
             throw new \InvalidArgumentException('$user must be an instanceof UserInterface, an object implementing a __toString method, or a primitive string.');
         }
 
+        if (!$user instanceof UserInterface) {
+            trigger_deprecation('symfony/security-core', '5.4', 'Using an object that is not an instance of "%s" as $user in "%s" is deprecated.', UserInterface::class, static::class);
+        }
+
         // @deprecated since Symfony 5.4, remove the whole block if/elseif/else block in 6.0
         if (1 < \func_num_args() && !func_get_arg(1)) {
             // ContextListener checks if the user has changed on its own and calls `setAuthenticated()` subsequently,
 
@@ -17,6 +17,8 @@
  * AnonymousToken represents an anonymous token.
  *
  * @author Fabien Potencier <[email protected]>
+ *
+ * @deprecated since 5.4, anonymous is now represented by the absence of a token
  */
 class AnonymousToken extends AbstractToken
 {
@@ -29,6 +31,8 @@ class AnonymousToken extends AbstractToken
      */
     public function __construct(string $secret, $user, array $roles = [])
     {
+        trigger_deprecation('symfony/security-core', '5.4', 'The "%s" class is deprecated.', __CLASS__);
+
         parent::__construct($roles);
 
         $this->secret = $secret;
 
@@ -24,20 +24,28 @@ class PreAuthenticatedToken extends AbstractToken
     private $firewallName;
 
     /**
-     * @param string|\Stringable|UserInterface $user
-     * @param mixed                            $credentials
-     * @param string[]                         $roles
+     * @param UserInterface $user
+     * @param string        $firewallName
+     * @param string[]      $roles
      */
-    public function __construct($user, $credentials, string $firewallName, array $roles = [])
+    public function __construct($user, /*string*/ $firewallName, /*array*/ $roles = [])
     {
+        if (\is_string($roles)) {
+            trigger_deprecation('symfony/security-core', '5.4', 'Argument $credentials of "%s()" is deprecated.', __METHOD__);
+
+            $credentials = $firewallName;
+            $firewallName = $roles;
+            $roles = \func_num_args() > 3 ? func_get_arg(3) : [];
+        }
+
         parent::__construct($roles);
 
         if ('' === $firewallName) {
             throw new \InvalidArgumentException('$firewallName must not be empty.');
         }
 
         $this->setUser($user);
-        $this->credentials = $credentials;
+        $this->credentials = $credentials ?? null;
         $this->firewallName = $firewallName;
 
         if ($roles) {
@@ -55,7 +63,7 @@ public function __construct($user, $credentials, string $firewallName, array $ro
     public function getProviderKey()
     {
         if (1 !== \func_num_args() || true !== func_get_arg(0)) {
-            trigger_deprecation('symfony/security-core', '5.2', 'Method "%s" is deprecated, use "getFirewallName()" instead.', __METHOD__);
+            trigger_deprecation('symfony/security-core', '5.2', 'Method "%s()" is deprecated, use "getFirewallName()" instead.', __METHOD__);
         }
 
         return $this->firewallName;
@@ -71,6 +79,8 @@ public function getFirewallName(): string
      */
     public function getCredentials()
     {
+        trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated.', __METHOD__);
+
         return $this->credentials;
     }
 
 
@@ -69,7 +69,7 @@ public function setAuthenticated(bool $authenticated)
     public function getProviderKey()
     {
         if (1 !== \func_num_args() || true !== func_get_arg(0)) {
-            trigger_deprecation('symfony/security-core', '5.2', 'Method "%s" is deprecated, use "getFirewallName()" instead.', __METHOD__);
+            trigger_deprecation('symfony/security-core', '5.2', 'Method "%s()" is deprecated, use "getFirewallName()" instead.', __METHOD__);
         }
 
         return $this->firewallName;
@@ -95,6 +95,8 @@ public function getSecret()
      */
     public function getCredentials()
     {
+        trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated.', __METHOD__);
+
         return '';
     }
 
 
@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Authentication\Token;
 
+use Symfony\Component\Security\Core\User\UserInterface;
+
 /**
  * Token representing a user who temporarily impersonates another one.
  *
@@ -22,15 +24,29 @@ class SwitchUserToken extends UsernamePasswordToken
     private $originatedFromUri;
 
     /**
-     * @param string|object $user              The username (like a nickname, email address, etc.), or a UserInterface instance or an object implementing a __toString method
-     * @param mixed         $credentials       This usually is the password of the user
+     * @param UserInterface $user
      * @param string|null   $originatedFromUri The URI where was the user at the switch
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct($user, $credentials, string $firewallName, array $roles, TokenInterface $originalToken, string $originatedFromUri = null)
+    public function __construct($user, /*string*/ $firewallName, /*array*/ $roles, /*TokenInterface*/ $originalToken, /*string*/ $originatedFromUri = null)
     {
-        parent::__construct($user, $credentials, $firewallName, $roles);
+        if (\is_string($roles)) {
+            // @deprecated since 5.4, deprecation is triggered by UsernamePasswordToken::__construct()
+            $credentials = $firewallName;
+            $firewallName = $roles;
+            $roles = $originalToken;
+            $originalToken = $originatedFromUri;
+            $originatedFromUri = \func_num_args() > 5 ? func_get_arg(5) : null;
+
+            parent::__construct($user, $credentials, $firewallName, $roles);
+        } else {
+            parent::__construct($user, $firewallName, $roles);
+        }
+
+        if (!$originalToken instanceof TokenInterface) {
+            throw new \TypeError(sprintf('Argument $originalToken of "%s" must be an instance of "%s", "%s" given.', __METHOD__, TokenInterface::class, get_debug_type($originalToken)));
+        }
 
         $this->originalToken = $originalToken;
         $this->originatedFromUri = $originatedFromUri;
 
@@ -43,25 +43,24 @@ public function getRoleNames(): array;
      * Returns the user credentials.
      *
      * @return mixed The user credentials
+     *
+     * @deprecated since 5.4
      */
     public function getCredentials();
 
     /**
      * Returns a user representation.
      *
-     * @return string|\Stringable|UserInterface
+     * @return UserInterface
      *
      * @see AbstractToken::setUser()
      */
     public function getUser();
 
     /**
-     * Sets the user in the token.
-     *
-     * The user can be a UserInterface instance, or an object implementing
-     * a __toString method or the username as a regular string.
+     * Sets the authenticated user in the token.
      *
-     * @param string|\Stringable|UserInterface $user
+     * @param UserInterface $user
      *
      * @throws \InvalidArgumentException
      */
 
@@ -24,22 +24,29 @@ class UsernamePasswordToken extends AbstractToken
     private $firewallName;
 
     /**
-     * @param string|\Stringable|UserInterface $user        The username (like a nickname, email address, etc.) or a UserInterface instance
-     * @param mixed                            $credentials
-     * @param string[]                         $roles
+     * @param UserInterface $user
+     * @param string[]      $roles
      *
      * @throws \InvalidArgumentException
      */
-    public function __construct($user, $credentials, string $firewallName, array $roles = [])
+    public function __construct($user, /*string*/ $firewallName, /*array*/ $roles = [])
     {
+        if (\is_string($roles)) {
+            trigger_deprecation('symfony/security-core', '5.4', 'The $credentials argument of "%s" is deprecated.', static::class.'::__construct');
+
+            $credentials = $firewallName;
+            $firewallName = $roles;
+            $roles = \func_num_args() > 3 ? func_get_arg(3) : [];
+        }
+
         parent::__construct($roles);
 
         if ('' === $firewallName) {
             throw new \InvalidArgumentException('$firewallName must not be empty.');
         }
 
         $this->setUser($user);
-        $this->credentials = $credentials;
+        $this->credentials = $credentials ?? null;
         $this->firewallName = $firewallName;
 
         parent::setAuthenticated(\count($roles) > 0, false);
@@ -62,6 +69,8 @@ public function setAuthenticated(bool $isAuthenticated)
      */
     public function getCredentials()
     {
+        trigger_deprecation('symfony/security-core', '5.4', 'Method "%s" is deprecated.', __METHOD__);
+
         return $this->credentials;
     }
 
 
@@ -4,6 +4,9 @@ CHANGELOG
 5.4
 ---
 
+ * Deprecate `AnonymousToken`, as the related authenticator was deprecated in 5.3
+ * Deprecate `Token::getCredentials()`, tokens should no longer contain credentials (as they represent authenticated sessions)
+ * Deprecate returning `string|\Stringable` from `Token::getUser()` (it must return a `UserInterface`)
  * Deprecate the `$authenticationManager` argument of the `AuthorizationChecker` constructor
  * Deprecate setting the `$alwaysAuthenticate` argument to `true` and not setting the
    `$exceptionOnNoToken` argument to `false` of `AuthorizationChecker`
 
@@ -42,10 +42,12 @@ public function getUser(): ?UserInterface
         }
 
         $user = $token->getUser();
+        // @deprecated since 5.4, $user will always be a UserInterface instance
         if (!\is_object($user)) {
             return null;
         }
 
+        // @deprecated since 5.4, $user will always be a UserInterface instance
         if (!$user instanceof UserInterface) {
             return null;
         }
 
@@ -26,8 +26,6 @@ public function testIsAnonymous()
         $this->assertFalse($resolver->isAnonymous($this->getToken()));
         $this->assertFalse($resolver->isAnonymous($this->getRememberMeToken()));
         $this->assertFalse($resolver->isAnonymous(new FakeCustomToken()));
-        $this->assertTrue($resolver->isAnonymous(new RealCustomAnonymousToken()));
-        $this->assertTrue($resolver->isAnonymous($this->getAnonymousToken()));
     }
 
     public function testIsRememberMe()
@@ -36,7 +34,6 @@ public function testIsRememberMe()
 
         $this->assertFalse($resolver->isRememberMe(null));
         $this->assertFalse($resolver->isRememberMe($this->getToken()));
-        $this->assertFalse($resolver->isRememberMe($this->getAnonymousToken()));
         $this->assertFalse($resolver->isRememberMe(new FakeCustomToken()));
         $this->assertTrue($resolver->isRememberMe(new RealCustomRememberMeToken()));
         $this->assertTrue($resolver->isRememberMe($this->getRememberMeToken()));
@@ -47,9 +44,7 @@ public function testisFullFledged()
         $resolver = new AuthenticationTrustResolver();
 
         $this->assertFalse($resolver->isFullFledged(null));
-        $this->assertFalse($resolver->isFullFledged($this->getAnonymousToken()));
         $this->assertFalse($resolver->isFullFledged($this->getRememberMeToken()));
-        $this->assertFalse($resolver->isFullFledged(new RealCustomAnonymousToken()));
         $this->assertFalse($resolver->isFullFledged(new RealCustomRememberMeToken()));
         $this->assertTrue($resolver->isFullFledged($this->getToken()));
         $this->assertTrue($resolver->isFullFledged(new FakeCustomToken()));
@@ -62,8 +57,6 @@ public function testIsAnonymousWithClassAsConstructorButStillExtending()
         $this->assertFalse($resolver->isAnonymous(null));
         $this->assertFalse($resolver->isAnonymous($this->getToken()));
         $this->assertFalse($resolver->isAnonymous($this->getRememberMeToken()));
-        $this->assertTrue($resolver->isAnonymous($this->getAnonymousToken()));
-        $this->assertTrue($resolver->isAnonymous(new RealCustomAnonymousToken()));
     }
 
     public function testIsRememberMeWithClassAsConstructorButStillExtending()
@@ -72,7 +65,6 @@ public function testIsRememberMeWithClassAsConstructorButStillExtending()
 
         $this->assertFalse($resolver->isRememberMe(null));
         $this->assertFalse($resolver->isRememberMe($this->getToken()));
-        $this->assertFalse($resolver->isRememberMe($this->getAnonymousToken()));
         $this->assertTrue($resolver->isRememberMe($this->getRememberMeToken()));
         $this->assertTrue($resolver->isRememberMe(new RealCustomRememberMeToken()));
     }
@@ -82,13 +74,27 @@ public function testisFullFledgedWithClassAsConstructorButStillExtending()
         $resolver = $this->getResolver();
 
         $this->assertFalse($resolver->isFullFledged(null));
-        $this->assertFalse($resolver->isFullFledged($this->getAnonymousToken()));
         $this->assertFalse($resolver->isFullFledged($this->getRememberMeToken()));
-        $this->assertFalse($resolver->isFullFledged(new RealCustomAnonymousToken()));
         $this->assertFalse($resolver->isFullFledged(new RealCustomRememberMeToken()));
         $this->assertTrue($resolver->isFullFledged($this->getToken()));
     }
 
+    /**
+     * @group legacy
+     */
+    public function testLegacy()
+    {
+        $resolver = $this->getResolver();
+
+        $this->assertTrue($resolver->isAnonymous($this->getAnonymousToken()));
+        $this->assertTrue($resolver->isAnonymous($this->getRealCustomAnonymousToken()));
+
+        $this->assertFalse($resolver->isRememberMe($this->getAnonymousToken()));
+
+        $this->assertFalse($resolver->isFullFledged($this->getAnonymousToken()));
+        $this->assertFalse($resolver->isFullFledged($this->getRealCustomAnonymousToken()));
+    }
+
     protected function getToken()
     {
         return $this->createMock(TokenInterface::class);
@@ -99,6 +105,15 @@ protected function getAnonymousToken()
         return $this->getMockBuilder(AnonymousToken::class)->setConstructorArgs(['', ''])->getMock();
     }
 
+    private function getRealCustomAnonymousToken()
+    {
+        return new class() extends AnonymousToken {
+            public function __construct()
+            {
+            }
+        };
+    }
+
     protected function getRememberMeToken()
     {
         return $this->getMockBuilder(RememberMeToken::class)->setMethods(['setPersistent'])->disableOriginalConstructor()->getMock();
@@ -192,13 +207,6 @@ public function setAttribute(string $name, $value)
     }
 }
 
-class RealCustomAnonymousToken extends AnonymousToken
-{
-    public function __construct()
-    {
-    }
-}
-
 class RealCustomRememberMeToken extends RememberMeToken
 {
     public function __construct()
Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@`
`17`	`17`	`* AnonymousToken represents an anonymous token.`
`18`	`18`	`*`
`19`	`19`	`* @author Fabien Potencier <[email protected]>`
	`20`	`+ *`
	`21`	`+ * @deprecated since 5.4, anonymous is now represented by the absence of a token`
`20`	`22`	`*/`
`21`	`23`	`class AnonymousToken extends AbstractToken`
`22`	`24`	`{`
`@@ -29,6 +31,8 @@ class AnonymousToken extends AbstractToken`
`29`	`31`	`*/`
`30`	`32`	`public function __construct(string $secret, $user, array $roles = [])`
`31`	`33`	`{`
	`34`	`+ trigger_deprecation('symfony/security-core', '5.4', 'The "%s" class is deprecated.', __CLASS__);`
	`35`	`+`
`32`	`36`	`parent::__construct($roles);`
`33`	`37`
`34`	`38`	`$this->secret = $secret;`
Original file line number	Diff line number	Diff line change
`@@ -69,7 +69,7 @@ public function setAuthenticated(bool $authenticated)`
`69`	`69`	`public function getProviderKey()`
`70`	`70`	`{`
`71`	`71`	`if (1 !== \func_num_args() \|\| true !== func_get_arg(0)) {`
`72`		`- trigger_deprecation('symfony/security-core', '5.2', 'Method "%s" is deprecated, use "getFirewallName()" instead.', __METHOD__);`
	`72`	`+ trigger_deprecation('symfony/security-core', '5.2', 'Method "%s()" is deprecated, use "getFirewallName()" instead.', __METHOD__);`
`73`	`73`	`}`
`74`	`74`
`75`	`75`	`return $this->firewallName;`
`@@ -95,6 +95,8 @@ public function getSecret()`
`95`	`95`	`*/`
`96`	`96`	`public function getCredentials()`
`97`	`97`	`{`
	`98`	`+ trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated.', __METHOD__);`
	`99`	`+`
`98`	`100`	`return '';`
`99`	`101`	`}`
`100`	`102`
Original file line number	Diff line number	Diff line change
`@@ -43,25 +43,24 @@ public function getRoleNames(): array;`
`43`	`43`	`* Returns the user credentials.`
`44`	`44`	`*`
`45`	`45`	`* @return mixed The user credentials`
	`46`	`+ *`
	`47`	`+ * @deprecated since 5.4`
`46`	`48`	`*/`
`47`	`49`	`public function getCredentials();`
`48`	`50`
`49`	`51`	`/**`
`50`	`52`	`* Returns a user representation.`
`51`	`53`	`*`
`52`		`- * @return string\|\Stringable\|UserInterface`
	`54`	`+ * @return UserInterface`
`53`	`55`	`*`
`54`	`56`	`* @see AbstractToken::setUser()`
`55`	`57`	`*/`
`56`	`58`	`public function getUser();`
`57`	`59`
`58`	`60`	`/**`
`59`		`- * Sets the user in the token.`
`60`		`- *`
`61`		`- * The user can be a UserInterface instance, or an object implementing`
`62`		`- * a __toString method or the username as a regular string.`
	`61`	`+ * Sets the authenticated user in the token.`
`63`	`62`	`*`
`64`		`- * @param string\|\Stringable\|UserInterface $user`
	`63`	`+ * @param UserInterface $user`
`65`	`64`	`*`
`66`	`65`	`* @throws \InvalidArgumentException`
`67`	`66`	`*/`
Original file line number	Diff line number	Diff line change
`@@ -42,10 +42,12 @@ public function getUser(): ?UserInterface`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`$user = $token->getUser();`
	`45`	`+ // @deprecated since 5.4, $user will always be a UserInterface instance`
`45`	`46`	`if (!\is_object($user)) {`
`46`	`47`	`return null;`
`47`	`48`	`}`
`48`	`49`
	`50`	`+ // @deprecated since 5.4, $user will always be a UserInterface instance`
`49`	`51`	`if (!$user instanceof UserInterface) {`
`50`	`52`	`return null;`
`51`	`53`	`}`