Merge branch '7.4' into 8.0

* 7.4:
  [FrameworkBundle] Simplify usage of the Target attribute
  [HttpFoundation] Add documentation for #[IsSignatureValid] attribute with usage examples and options

Author: OskarStark

lock.rst

@@ -315,7 +315,7 @@ For example, to inject the ``invoice`` package defined earlier::
 
 When :ref:`dealing with multiple implementations of the same type <autowiring-multiple-implementations-same-type>`
 the ``#[Target]`` attribute helps you select which one to inject. Symfony creates
-a target called "asset package name" + ``.lock.factory`` suffix.
+a target with the same name as the lock.
 
 For example, to select the ``invoice`` lock defined earlier::
 
@@ -325,8 +325,13 @@ For example, to select the ``invoice`` lock defined earlier::
     class SomeService
     {
         public function __construct(
-            #[Target('invoice.lock.factory')] private LockFactory $lockFactory
+            #[Target('invoice')] private LockFactory $lockFactory
         ): void {
             // ...
         }
     }
+
+.. versionadded:: 7.4
+
+    Before Symfony 7.4, the target name had to include the ``.lock.factory``
+    suffix (e.g. ``#[Target('invoice.lock.factory')]``).

rate_limiter.rst

@@ -257,7 +257,7 @@ argument named ``$anonymousApiLimiter``::
 
 When :ref:`dealing with multiple implementations of the same type <autowiring-multiple-implementations-same-type>`
 the ``#[Target]`` attribute helps you select which one to inject. Symfony creates
-a target called "rate limiter name" + ``.limiter`` suffix.
+a target with the same name as the rate limiter.
 
 For example, to select the ``anonymous_api`` limiter defined earlier, use
 ``anonymous_api.limiter`` as the target::
@@ -268,7 +268,7 @@ For example, to select the ``anonymous_api`` limiter defined earlier, use
     class ApiController extends AbstractController
     {
         public function index(
-            #[Target('anonymous_api.limiter')] RateLimiterFactoryInterface $rateLimiter
+            #[Target('anonymous_api')] RateLimiterFactoryInterface $rateLimiter
         ): Response
         {
             // ...

reference/configuration/framework.rst

@@ -263,7 +263,7 @@ to inject the ``foo_package`` package defined earlier::
 
 When :ref:`dealing with multiple implementations of the same type <autowiring-multiple-implementations-same-type>`
 the ``#[Target]`` attribute helps you select which one to inject. Symfony creates
-a target called "asset package name" + ``.package`` suffix.
+a target with the same name as the asset package.
 
 For example, to select the ``foo_package`` package defined earlier::
 
@@ -273,12 +273,17 @@ For example, to select the ``foo_package`` package defined earlier::
     class SomeService
     {
         public function __construct(
-            #[Target('foo_package.package')] private PackageInterface $package
+            #[Target('foo_package')] private PackageInterface $package
         ): void {
             // ...
         }
     }
 
+.. versionadded:: 7.4
+
+    Before Symfony 7.4, the target name had to include the ``.package``
+    suffix (e.g. ``#[Target('foo_package.package')]``).
+
 .. _reference-framework-assets-packages:
 
 packages

routing.rst

@@ -3087,6 +3087,67 @@ If you need to know the reason why a signed URI is invalid, you can use the
     expirations. This allows you to :ref:`mock the current time in your tests
     <clock_writing-tests>`.
 
+Another way to validate incoming requests is to use the ``#[IsSignatureValid]`` attribute.
+
+In the following example, all incoming requests to this controller action will be verified for
+a valid signature. If the signature is missing or invalid,
+a ``SignedUriException`` will be thrown::
+
+    // src/Controller/SomeController.php
+    // ...
+
+    use App\Security\Attribute\IsSignatureValid;
+
+    #[IsSignatureValid]
+    public function someAction(): Response
+    {
+        // ...
+    }
+
+To restrict signature validation to specific HTTP methods,
+use the ``methods`` argument. This can be a string or an array of methods::
+
+    // Only validate POST requests
+    #[IsSignatureValid(methods: 'POST')]
+    public function createItem(): Response
+    {
+        // ...
+    }
+
+    // Validate both POST and PUT requests
+    #[IsSignatureValid(methods: ['POST', 'PUT'])]
+    public function updateItem(): Response
+    {
+        // ...
+    }
+
+You can also apply ``#[IsSignatureValid]`` at the controller class level.
+This way, all actions within the controller will automatically
+be protected by signature validation::
+
+    // src/Controller/SecureController.php
+    // ...
+
+    use App\Security\Attribute\IsSignatureValid;
+
+    #[IsSignatureValid]
+    class SecureController extends AbstractController
+    {
+        public function index(): Response
+        {
+            // ...
+        }
+
+        public function submit(): Response
+        {
+            // ...
+        }
+    }
+
+
+This attribute provides a declarative way to enforce request signature validation directly
+at the controller level, helping to keep your security logic consistent and maintainable.
+
 Troubleshooting
 ---------------