From 527780a0482e592530174ca90e6189f64cdf6569 Mon Sep 17 00:00:00 2001
From: Abdelhakim ABOULHAJ <a.aboulhaj@consultants-dekuple.com>
Date: Wed, 28 May 2025 15:48:55 +0100
Subject: [PATCH 1/2] doc: update UserInterface header comments

---
 User/UserInterface.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/User/UserInterface.php b/User/UserInterface.php
index ef22340a..a543c35c 100644
--- a/User/UserInterface.php
+++ b/User/UserInterface.php
@@ -15,9 +15,7 @@
  * Represents the interface that all user classes must implement.
  *
  * This interface is useful because the authentication layer can deal with
- * the object through its lifecycle, using the object to get the hashed
- * password (for checking against a submitted password), assigning roles
- * and so on.
+ * the object through its lifecycle, assigning roles and so on.
  *
  * Regardless of how your users are loaded or where they come from (a database,
  * configuration, web service, etc.), you will have a class that implements

From 577a5a3693a7b4fc11057aa8fb235a95c9deebfd Mon Sep 17 00:00:00 2001
From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Wed, 4 Jun 2025 14:09:48 +0200
Subject: [PATCH 2/2] [Security] Keep roles when serializing tokens

---
 Authentication/Token/AbstractToken.php | 23 ++++-------------------
 1 file changed, 4 insertions(+), 19 deletions(-)

diff --git a/Authentication/Token/AbstractToken.php b/Authentication/Token/AbstractToken.php
index b2e18a29..683e46d4 100644
--- a/Authentication/Token/AbstractToken.php
+++ b/Authentication/Token/AbstractToken.php
@@ -32,16 +32,12 @@ abstract class AbstractToken implements TokenInterface, \Serializable
      */
     public function __construct(array $roles = [])
     {
-        $this->roleNames = [];
-
-        foreach ($roles as $role) {
-            $this->roleNames[] = (string) $role;
-        }
+        $this->roleNames = $roles;
     }
 
     public function getRoleNames(): array
     {
-        return $this->roleNames ??= self::__construct($this->user->getRoles()) ?? $this->roleNames;
+        return $this->roleNames ??= $this->user?->getRoles() ?? [];
     }
 
     public function getUserIdentifier(): string
@@ -90,13 +86,7 @@ public function eraseCredentials(): void
      */
     public function __serialize(): array
     {
-        $data = [$this->user, true, null, $this->attributes];
-
-        if (!$this->user instanceof EquatableInterface) {
-            $data[] = $this->roleNames;
-        }
-
-        return $data;
+        return [$this->user, true, null, $this->attributes, $this->getRoleNames()];
     }
 
     /**
@@ -160,12 +150,7 @@ public function __toString(): string
         $class = static::class;
         $class = substr($class, strrpos($class, '\\') + 1);
 
-        $roles = [];
-        foreach ($this->roleNames as $role) {
-            $roles[] = $role;
-        }
-
-        return \sprintf('%s(user="%s", roles="%s")', $class, $this->getUserIdentifier(), implode(', ', $roles));
+        return \sprintf('%s(user="%s", roles="%s")', $class, $this->getUserIdentifier(), implode(', ', $this->getRoleNames()));
     }
 
     /**