feature symfony#56838 [Security] Deprecate argument $secret of RememberMeToken and RememberMeAuthenticator (nicolas-grekas)

fabpot · fabpot · commit 4de15631e492 · 2024-05-21T19:12:00.000+02:00
This PR was merged into the 7.2 branch. Discussion ---------- [Security] Deprecate argument $secret of RememberMeToken and RememberMeAuthenticator | Q | A | ------------- | --- | Branch? | 7.2 | Bug fix? | no | New feature? | no | Deprecations? | yes | Issues | - | License | MIT One less use for `kernel.secret`. The secret is not used since the new authentication system. Commits ------- 6909ec9 [Security] Deprecate argument $secret of RememberMeToken and RememberMeAuthenticator
diff --git a/UPGRADE-7.2.md b/UPGRADE-7.2.md
@@ -0,0 +1,14 @@
+UPGRADE FROM 7.1 to 7.2
+=======================
+
+Symfony 7.2 is a minor release. According to the Symfony release process, there should be no significant
+backward compatibility breaks. Minor backward compatibility breaks are prefixed in this document with
+`[BC BREAK]`, make sure your code is compatible with these entries before upgrading.
+Read more about this in the [Symfony documentation](https://symfony.com/doc/7.2/setup/upgrade_minor.html).
+
+If you're upgrading from a version below 7.1, follow the [7.1 upgrade guide](UPGRADE-7.1.md) first.
+
+Security
+--------
+
+ * Deprecate argument `$secret` of `RememberMeToken` and `RememberMeAuthenticator`
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
@@ -107,7 +107,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
         $container
             ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.remember_me'))
             ->replaceArgument(0, new Reference($rememberMeHandlerId))
-            ->replaceArgument(3, $config['name'] ?? $this->options['name'])
+            ->replaceArgument(2, $config['name'] ?? $this->options['name'])
         ;
 
         return $authenticatorId;
diff --git a/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_remember_me.php b/src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator_remember_me.php
@@ -85,7 +85,6 @@
             ->abstract()
             ->args([
                 abstract_arg('remember me handler'),
-                param('kernel.secret'),
                 service('security.token_storage'),
                 abstract_arg('options'),
                 service('logger')->nullOnInvalid(),
diff --git a/src/Symfony/Bundle/SecurityBundle/composer.json b/src/Symfony/Bundle/SecurityBundle/composer.json
@@ -26,9 +26,9 @@
         "symfony/http-kernel": "^6.4|^7.0",
         "symfony/http-foundation": "^6.4|^7.0",
         "symfony/password-hasher": "^6.4|^7.0",
-        "symfony/security-core": "^6.4|^7.0",
+        "symfony/security-core": "^7.2",
         "symfony/security-csrf": "^6.4|^7.0",
-        "symfony/security-http": "^7.1",
+        "symfony/security-http": "^7.2",
         "symfony/service-contracts": "^2.5|^3"
     },
     "require-dev": {
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
@@ -21,28 +21,26 @@
  */
 class RememberMeToken extends AbstractToken
 {
-    private string $secret;
+    private ?string $secret = null;
     private string $firewallName;
 
     /**
-     * @param string $secret A secret used to make sure the token is created by the app and not by a malicious client
-     *
      * @throws \InvalidArgumentException
      */
-    public function __construct(UserInterface $user, string $firewallName, #[\SensitiveParameter] string $secret)
+    public function __construct(UserInterface $user, string $firewallName)
     {
         parent::__construct($user->getRoles());
 
-        if (!$secret) {
-            throw new InvalidArgumentException('A non-empty secret is required.');
+        if (\func_num_args() > 2) {
+            trigger_deprecation('symfony/security-core', '7.2', 'The "$secret" argument of "%s()" is deprecated.', __METHOD__);
+            $this->secret = func_get_arg(2);
         }
 
         if (!$firewallName) {
             throw new InvalidArgumentException('$firewallName must not be empty.');
         }
 
         $this->firewallName = $firewallName;
-        $this->secret = $secret;
 
         $this->setUser($user);
     }
@@ -52,13 +50,19 @@ public function getFirewallName(): string
         return $this->firewallName;
     }
 
+    /**
+     * @deprecated since Symfony 7.2
+     */
     public function getSecret(): string
     {
-        return $this->secret;
+        trigger_deprecation('symfony/security-core', '7.2', 'The "%s()" method is deprecated.', __METHOD__);
+
+        return $this->secret ??= base64_encode(random_bytes(8));
     }
 
     public function __serialize(): array
     {
+        // $this->firewallName should be kept at index 1 for compatibility with payloads generated before Symfony 8
         return [$this->secret, $this->firewallName, parent::__serialize()];
     }
 
diff --git a/src/Symfony/Component/Security/Core/CHANGELOG.md b/src/Symfony/Component/Security/Core/CHANGELOG.md
@@ -1,6 +1,10 @@
 CHANGELOG
 =========
 
+7.2
+---
+
+ * Deprecate argument `$secret` of `RememberMeToken`
 
 7.0
 ---
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/AuthenticationTrustResolverTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/AuthenticationTrustResolverTest.php
@@ -72,7 +72,7 @@ protected function getRememberMeToken()
     {
         $user = new InMemoryUser('wouter', '', ['ROLE_USER']);
 
-        return new RememberMeToken($user, 'main', 'secret');
+        return new RememberMeToken($user, 'main');
     }
 }
 
diff --git a/src/Symfony/Component/Security/Core/Tests/Authentication/Token/RememberMeTokenTest.php b/src/Symfony/Component/Security/Core/Tests/Authentication/Token/RememberMeTokenTest.php
@@ -20,22 +20,22 @@ class RememberMeTokenTest extends TestCase
     public function testConstructor()
     {
         $user = $this->getUser();
-        $token = new RememberMeToken($user, 'fookey', 'foo');
+        $token = new RememberMeToken($user, 'fookey');
 
         $this->assertEquals('fookey', $token->getFirewallName());
-        $this->assertEquals('foo', $token->getSecret());
         $this->assertEquals(['ROLE_FOO'], $token->getRoleNames());
         $this->assertSame($user, $token->getUser());
     }
 
-    public function testConstructorSecretCannotBeEmptyString()
+    /**
+     * @group legacy
+     */
+    public function testSecret()
     {
-        $this->expectException(\InvalidArgumentException::class);
-        new RememberMeToken(
-            $this->getUser(),
-            '',
-            ''
-        );
+        $user = $this->getUser();
+        $token = new RememberMeToken($user, 'fookey', 'foo');
+
+        $this->assertEquals('foo', $token->getSecret());
     }
 
     protected function getUser($roles = ['ROLE_FOO'])
diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/ExpressionLanguageTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/ExpressionLanguageTest.php
@@ -50,7 +50,7 @@ public static function provider()
         $user = new InMemoryUser('username', 'password', $roles);
 
         $noToken = null;
-        $rememberMeToken = new RememberMeToken($user, 'firewall-name', 'firewall');
+        $rememberMeToken = new RememberMeToken($user, 'firewall-name');
         $usernamePasswordToken = new UsernamePasswordToken($user, 'firewall-name', $roles);
 
         return [
diff --git a/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/AuthenticatedVoterTest.php b/src/Symfony/Component/Security/Core/Tests/Authorization/Voter/AuthenticatedVoterTest.php
@@ -101,7 +101,7 @@ public function getCredentials()
         }
 
         if ('remembered' === $authenticated) {
-            return new RememberMeToken($user, 'foo', 'bar');
+            return new RememberMeToken($user, 'foo');
         }
 
         if ('impersonated' === $authenticated) {
diff --git a/src/Symfony/Component/Security/Core/composer.json b/src/Symfony/Component/Security/Core/composer.json
@@ -17,6 +17,7 @@
     ],
     "require": {
         "php": ">=8.2",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/event-dispatcher-contracts": "^2.5|^3",
         "symfony/service-contracts": "^2.5|^3",
         "symfony/password-hasher": "^6.4|^7.0"
diff --git a/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php b/src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php
@@ -19,7 +19,6 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\CookieTheftException;
-use Symfony\Component\Security\Core\Exception\InvalidArgumentException;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
@@ -50,14 +49,23 @@ class RememberMeAuthenticator implements InteractiveAuthenticatorInterface
     private string $cookieName;
     private ?LoggerInterface $logger;
 
-    public function __construct(RememberMeHandlerInterface $rememberMeHandler, #[\SensitiveParameter] string $secret, TokenStorageInterface $tokenStorage, string $cookieName, ?LoggerInterface $logger = null)
+    /**
+     * @param TokenStorageInterface $tokenStorage
+     * @param string                $cookieName
+     * @param ?LoggerInterface      $logger
+     */
+    public function __construct(RememberMeHandlerInterface $rememberMeHandler, #[\SensitiveParameter] TokenStorageInterface|string $tokenStorage, string|TokenStorageInterface $cookieName, LoggerInterface|string|null $logger = null)
     {
-        if (!$secret) {
-            throw new InvalidArgumentException('A non-empty secret is required.');
+        if (\is_string($tokenStorage)) {
+            trigger_deprecation('symfony/security-core', '7.2', 'The "$secret" argument of "%s()" is deprecated.', __METHOD__);
+
+            $this->secret = $tokenStorage;
+            $tokenStorage = $cookieName;
+            $cookieName = $logger;
+            $logger = \func_num_args() > 4 ? func_get_arg(4) : null;
         }
 
         $this->rememberMeHandler = $rememberMeHandler;
-        $this->secret = $secret;
         $this->tokenStorage = $tokenStorage;
         $this->cookieName = $cookieName;
         $this->logger = $logger;
@@ -99,7 +107,11 @@ public function authenticate(Request $request): Passport
 
     public function createToken(Passport $passport, string $firewallName): TokenInterface
     {
-        return new RememberMeToken($passport->getUser(), $firewallName, $this->secret);
+        if (isset($this->secret)) {
+            return new RememberMeToken($passport->getUser(), $firewallName, $this->secret);
+        }
+
+        return new RememberMeToken($passport->getUser(), $firewallName);
     }
 
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response
diff --git a/src/Symfony/Component/Security/Http/CHANGELOG.md b/src/Symfony/Component/Security/Http/CHANGELOG.md
@@ -1,6 +1,11 @@
 CHANGELOG
 =========
 
+7.2
+---
+
+ * Deprecate argument `$secret` of `RememberMeAuthenticator`
+
 7.1
 ---
 
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/RememberMeAuthenticatorTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/RememberMeAuthenticatorTest.php
@@ -34,7 +34,7 @@ protected function setUp(): void
     {
         $this->rememberMeHandler = $this->createMock(RememberMeHandlerInterface::class);
         $this->tokenStorage = new TokenStorage();
-        $this->authenticator = new RememberMeAuthenticator($this->rememberMeHandler, 's3cr3t', $this->tokenStorage, '_remember_me_cookie');
+        $this->authenticator = new RememberMeAuthenticator($this->rememberMeHandler, $this->tokenStorage, '_remember_me_cookie');
     }
 
     public function testSupportsTokenStorageWithToken()
diff --git a/src/Symfony/Component/Security/Http/composer.json b/src/Symfony/Component/Security/Http/composer.json
@@ -22,7 +22,7 @@
         "symfony/http-kernel": "^6.4|^7.0",
         "symfony/polyfill-mbstring": "~1.0",
         "symfony/property-access": "^6.4|^7.0",
-        "symfony/security-core": "^6.4|^7.0",
+        "symfony/security-core": "^7.2",
         "symfony/service-contracts": "^2.5|^3"
     },
     "require-dev": {

Original file line number	Diff line number	Diff line change
`@@ -107,7 +107,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal`
`107`	`107`	`$container`
`108`	`108`	`->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.remember_me'))`
`109`	`109`	`->replaceArgument(0, new Reference($rememberMeHandlerId))`
`110`		`- ->replaceArgument(3, $config['name'] ?? $this->options['name'])`
	`110`	`+ ->replaceArgument(2, $config['name'] ?? $this->options['name'])`
`111`	`111`	`;`
`112`	`112`
`113`	`113`	`return $authenticatorId;`
Original file line number	Diff line number	Diff line change
`@@ -21,28 +21,26 @@`
`21`	`21`	`*/`
`22`	`22`	`class RememberMeToken extends AbstractToken`
`23`	`23`	`{`
`24`		`- private string $secret;`
	`24`	`+ private ?string $secret = null;`
`25`	`25`	`private string $firewallName;`
`26`	`26`
`27`	`27`	`/**`
`28`		`- * @param string $secret A secret used to make sure the token is created by the app and not by a malicious client`
`29`		`- *`
`30`	`28`	`* @throws \InvalidArgumentException`
`31`	`29`	`*/`
`32`		`- public function __construct(UserInterface $user, string $firewallName, #[\SensitiveParameter] string $secret)`
	`30`	`+ public function __construct(UserInterface $user, string $firewallName)`
`33`	`31`	`{`
`34`	`32`	`parent::__construct($user->getRoles());`
`35`	`33`
`36`		`- if (!$secret) {`
`37`		`- throw new InvalidArgumentException('A non-empty secret is required.');`
	`34`	`+ if (\func_num_args() > 2) {`
	`35`	`+ trigger_deprecation('symfony/security-core', '7.2', 'The "$secret" argument of "%s()" is deprecated.', __METHOD__);`
	`36`	`+ $this->secret = func_get_arg(2);`
`38`	`37`	`}`
`39`	`38`
`40`	`39`	`if (!$firewallName) {`
`41`	`40`	`throw new InvalidArgumentException('$firewallName must not be empty.');`
`42`	`41`	`}`
`43`	`42`
`44`	`43`	`$this->firewallName = $firewallName;`
`45`		`- $this->secret = $secret;`
`46`	`44`
`47`	`45`	`$this->setUser($user);`
`48`	`46`	`}`
`@@ -52,13 +50,19 @@ public function getFirewallName(): string`
`52`	`50`	`return $this->firewallName;`
`53`	`51`	`}`
`54`	`52`
	`53`	`+ /**`
	`54`	`+ * @deprecated since Symfony 7.2`
	`55`	`+ */`
`55`	`56`	`public function getSecret(): string`
`56`	`57`	`{`
`57`		`- return $this->secret;`
	`58`	`+ trigger_deprecation('symfony/security-core', '7.2', 'The "%s()" method is deprecated.', __METHOD__);`
	`59`	`+`
	`60`	`+ return $this->secret ??= base64_encode(random_bytes(8));`
`58`	`61`	`}`
`59`	`62`
`60`	`63`	`public function __serialize(): array`
`61`	`64`	`{`
	`65`	`+ // $this->firewallName should be kept at index 1 for compatibility with payloads generated before Symfony 8`
`62`	`66`	`return [$this->secret, $this->firewallName, parent::__serialize()];`
`63`	`67`	`}`
`64`	`68`
Original file line number	Diff line number	Diff line change
`@@ -72,7 +72,7 @@ protected function getRememberMeToken()`
`72`	`72`	`{`
`73`	`73`	`$user = new InMemoryUser('wouter', '', ['ROLE_USER']);`
`74`	`74`
`75`		`- return new RememberMeToken($user, 'main', 'secret');`
	`75`	`+ return new RememberMeToken($user, 'main');`
`76`	`76`	`}`
`77`	`77`	`}`
`78`	`78`
Original file line number	Diff line number	Diff line change
`@@ -101,7 +101,7 @@ public function getCredentials()`
`101`	`101`	`}`
`102`	`102`
`103`	`103`	`if ('remembered' === $authenticated) {`
`104`		`- return new RememberMeToken($user, 'foo', 'bar');`
	`104`	`+ return new RememberMeToken($user, 'foo');`
`105`	`105`	`}`
`106`	`106`
`107`	`107`	`if ('impersonated' === $authenticated) {`