feature symfony#57773 [Security] pass the current token to the checkPostAuth() method of user checkers (xabbuh)

This PR was merged into the 7.2 branch.

Discussion
----------

[Security] pass the current token to the `checkPostAuth()` method of user checkers

| Q             | A
| ------------- | ---
| Branch?       | 7.2
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Issues        | Fix symfony#50650
| License       | MIT

Commits
-------

35b97b9 pass the current token to the checkPostAuth() method of user checkers

Author: fabpot

UPGRADE-7.2.md

@@ -16,6 +16,7 @@ FrameworkBundle
 Security
 --------
 
+ * Add `$token` argument to `UserCheckerInterface::checkPostAuth()`
  * Deprecate argument `$secret` of `RememberMeToken` and `RememberMeAuthenticator`
 
 String

src/Symfony/Component/Security/Core/CHANGELOG.md

@@ -4,6 +4,7 @@ CHANGELOG
 7.2
 ---
 
+ * Add `$token` argument to `UserCheckerInterface::checkPostAuth()`
  * Deprecate argument `$secret` of `RememberMeToken`
 
 7.0

src/Symfony/Component/Security/Core/User/ChainUserChecker.php

@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\User;
 
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+
 final class ChainUserChecker implements UserCheckerInterface
 {
     /**
@@ -27,10 +29,16 @@ public function checkPreAuth(UserInterface $user): void
         }
     }
 
-    public function checkPostAuth(UserInterface $user): void
+    public function checkPostAuth(UserInterface $user /*, TokenInterface $token*/): void
     {
+        $token = 1 < \func_num_args() ? func_get_arg(1) : null;
+
         foreach ($this->checkers as $checker) {
-            $checker->checkPostAuth($user);
+            if ($token instanceof TokenInterface) {
+                $checker->checkPostAuth($user, $token);
+            } else {
+                $checker->checkPostAuth($user);
+            }
         }
     }
 }

src/Symfony/Component/Security/Core/User/UserCheckerInterface.php

@@ -35,5 +35,5 @@ public function checkPreAuth(UserInterface $user): void;
      *
      * @throws AccountStatusException
      */
-    public function checkPostAuth(UserInterface $user): void;
+    public function checkPostAuth(UserInterface $user /*, TokenInterface $token*/): void;
 }

src/Symfony/Component/Security/Http/CHANGELOG.md

@@ -4,6 +4,7 @@ CHANGELOG
 7.2
 ---
 
+ * Pass the current token to the `checkPostAuth()` method of user checkers
  * Deprecate argument `$secret` of `RememberMeAuthenticator`
 
 7.1

src/Symfony/Component/Security/Http/EventListener/UserCheckerListener.php

@@ -47,7 +47,7 @@ public function postCheckCredentials(AuthenticationSuccessEvent $event): void
             return;
         }
 
-        $this->userChecker->checkPostAuth($user);
+        $this->userChecker->checkPostAuth($user, $event->getAuthenticationToken());
     }
 
     public static function getSubscribedEvents(): array

src/Symfony/Component/Security/Http/Firewall/SwitchUserListener.php

@@ -163,7 +163,7 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
 
         $this->logger?->info('Attempting to switch to user.', ['username' => $username]);
 
-        $this->userChecker->checkPostAuth($user);
+        $this->userChecker->checkPostAuth($user, $token);
 
         $roles = $user->getRoles();
         $originatedFromUri = str_replace('/&', '/?', preg_replace('#[&?]'.$this->usernameParameter.'=[^&]*#', '', $request->getRequestUri()));

src/Symfony/Component/Security/Http/Tests/EventListener/UserCheckerListenerTest.php

@@ -58,6 +58,14 @@ public function testPostAuthValidCredentials()
         $this->listener->postCheckCredentials(new AuthenticationSuccessEvent(new PostAuthenticationToken($this->user, 'main', [])));
     }
 
+    public function testTokenIsPassedToPost()
+    {
+        $token = new PostAuthenticationToken($this->user, 'main', []);
+        $this->userChecker->expects($this->once())->method('checkPostAuth')->with($this->user, $token);
+
+        $this->listener->postCheckCredentials(new AuthenticationSuccessEvent($token));
+    }
+
     private function createCheckPassportEvent($passport = null)
     {
         $passport ??= new SelfValidatingPassport(new UserBadge('test', fn () => $this->user));

src/Symfony/Component/Security/Http/Tests/Firewall/SwitchUserListenerTest.php

@@ -184,7 +184,7 @@ public function testSwitchUser()
             ->willReturn(true);
 
         $this->userChecker->expects($this->once())
-            ->method('checkPostAuth')->with($this->callback(fn ($user) => 'kuba' === $user->getUserIdentifier()));
+            ->method('checkPostAuth')->with($this->callback(fn ($user) => 'kuba' === $user->getUserIdentifier()), $token);
 
         $listener = new SwitchUserListener($this->tokenStorage, $this->userProvider, $this->userChecker, 'provider123', $this->accessDecisionManager);
         $listener($this->event);