From e427a6cb7466dba166e17f446b0f5a210757c8b9 Mon Sep 17 00:00:00 2001
From: Matthieu Lempereur <matt.lempereur@gmail.com>
Date: Wed, 27 Nov 2024 06:18:03 +0100
Subject: [PATCH] [Security] Secret with remember me feature

---
 security/remember_me.rst | 25 ++++++++++---------------
 1 file changed, 10 insertions(+), 15 deletions(-)

diff --git a/security/remember_me.rst b/security/remember_me.rst
index 8fac6d78849..2fd0f7e8d1e 100644
--- a/security/remember_me.rst
+++ b/security/remember_me.rst
@@ -19,7 +19,7 @@ the session lasts using a cookie with the ``remember_me`` firewall option:
                 main:
                     # ...
                     remember_me:
-                        secret:   '%kernel.secret%' # required
+                        secret: '%kernel.secret%'
                         lifetime: 604800 # 1 week in seconds
                         # by default, the feature is enabled by checking a
                         # checkbox in the login form (see below), uncomment the
@@ -44,7 +44,7 @@ the session lasts using a cookie with the ``remember_me`` firewall option:
                 <firewall name="main">
                     <!-- ... -->
 
-                    <!-- secret: required
+                    <!-- secret: default to "%kernel.secret%"
                          lifetime: 604800 is 1 week in seconds -->
                     <remember-me
                         secret="%kernel.secret%"
@@ -67,7 +67,7 @@ the session lasts using a cookie with the ``remember_me`` firewall option:
             $security->firewall('main')
                 // ...
                 ->rememberMe()
-                    ->secret('%kernel.secret%') // required
+                    ->secret('%kernel.secret%')
                     ->lifetime(604800) // 1 week in seconds
 
                     // by default, the feature is enabled by checking a
@@ -77,9 +77,11 @@ the session lasts using a cookie with the ``remember_me`` firewall option:
             ;
         };
 
-The ``secret`` option is the only required option and it is used to sign
-the remember me cookie. It's common to use the ``kernel.secret`` parameter,
-which is defined using the ``APP_SECRET`` environment variable.
+.. versionadded:: 7.2
+
+    The ``secret`` option is no longer required starting from Symfony 7.2. By
+    default, ``%kernel.secret%`` is used, which is defined using the
+    ``APP_SECRET`` environment variable.
 
 After enabling the ``remember_me`` system in the configuration, there are a
 couple more things to do before remember me works correctly:
@@ -171,7 +173,6 @@ allow users to opt-out. In these cases, you can use the
                 main:
                     # ...
                     remember_me:
-                        secret: '%kernel.secret%'
                         # ...
                         always_remember_me: true
 
@@ -194,7 +195,6 @@ allow users to opt-out. In these cases, you can use the
                     <!-- ... -->
 
                     <remember-me
-                        secret="%kernel.secret%"
                         always-remember-me="true"
                     />
                 </firewall>
@@ -211,7 +211,6 @@ allow users to opt-out. In these cases, you can use the
             $security->firewall('main')
                 // ...
                 ->rememberMe()
-                    ->secret('%kernel.secret%')
                     // ...
                     ->alwaysRememberMe(true)
             ;
@@ -335,7 +334,6 @@ are fetched from the user object using the
                 main:
                     # ...
                     remember_me:
-                        secret: '%kernel.secret%'
                         # ...
                         signature_properties: ['password', 'updatedAt']
 
@@ -357,7 +355,7 @@ are fetched from the user object using the
                 <firewall name="main">
                     <!-- ... -->
 
-                    <remember-me secret="%kernel.secret%">
+                    <remember-me>
                         <signature-property>password</signature-property>
                         <signature-property>updatedAt</signature-property>
                     </remember-me>
@@ -375,7 +373,6 @@ are fetched from the user object using the
             $security->firewall('main')
                 // ...
                 ->rememberMe()
-                    ->secret('%kernel.secret%')
                     // ...
                     ->signatureProperties(['password', 'updatedAt'])
             ;
@@ -419,7 +416,6 @@ You can enable the doctrine token provider using the ``doctrine`` setting:
                 main:
                     # ...
                     remember_me:
-                        secret: '%kernel.secret%'
                         # ...
                         token_provider:
                             doctrine: true
@@ -442,7 +438,7 @@ You can enable the doctrine token provider using the ``doctrine`` setting:
                 <firewall name="main">
                     <!-- ... -->
 
-                    <remember-me secret="%kernel.secret%">
+                    <remember-me>
                         <token-provider doctrine="true"/>
                     </remember-me>
                 </firewall>
@@ -459,7 +455,6 @@ You can enable the doctrine token provider using the ``doctrine`` setting:
             $security->firewall('main')
                 // ...
                 ->rememberMe()
-                    ->secret('%kernel.secret%')
                     // ...
                     ->tokenProvider([
                         'doctrine' => true,