[Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials #42423
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
be5dd61 to
f1b28f4
Compare
f1b28f4 to
8cced53
Compare
|
Psalm disliking the old signatures in the legacy integrations/tests is to be expected, this PR is ready imho |
8cced53 to
b451883
Compare
derrabus
reviewed
Aug 8, 2021
src/Symfony/Bridge/Monolog/Tests/Processor/SwitchUserTokenProcessorTest.php
Outdated
Show resolved
Hide resolved
b451883 to
8554c93
Compare
chalasr
requested changes
Aug 8, 2021
src/Symfony/Component/Security/Core/Authentication/Token/PreAuthenticatedToken.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
Outdated
Show resolved
Hide resolved
src/Symfony/Component/Security/Core/Authentication/Token/TokenInterface.php
Outdated
Show resolved
Hide resolved
2 tasks
7cc109b to
ba70257
Compare
chalasr
approved these changes
Aug 12, 2021
Nyholm
reviewed
Aug 12, 2021
| $originalToken = new UsernamePasswordToken(new InMemoryUser('original_user', 'password', ['ROLE_SUPER_ADMIN']), 'provider', ['ROLE_SUPER_ADMIN']); | ||
| $switchUserToken = new SwitchUserToken(new InMemoryUser('user', 'passsword', ['ROLE_USER']), 'provider', ['ROLE_USER'], $originalToken); | ||
| } else { | ||
| $originalToken = new UsernamePasswordToken(new User('original_user', 'password', ['ROLE_SUPER_ADMIN']), null, 'provider', ['ROLE_SUPER_ADMIN']); |
There was a problem hiding this comment.
Maybe make a comment here so it is more easily found when we remove code in Symfony 6.0.
(or you maybe have added this code to your list of future PRs)
src/Symfony/Component/Security/Core/Authentication/Token/SwitchUserToken.php
Show resolved
Hide resolved
| @@ -49,6 +49,7 @@ public function supports(Request $request, ArgumentMetadata $argument): bool | ||
| $user = $token->getUser(); | ||
|
|
||
| // in case it's not an object we cannot do anything with it; E.g. "anon." | ||
| // @deprecated since 5.4 |
There was a problem hiding this comment.
Suggested change
| // @deprecated since 5.4 | |
| // @deprecated since 5.4, $user will always be an UserInterface in 6.0 |
There was a problem hiding this comment.
Suggested change
| // @deprecated since 5.4 | |
| // @deprecated since 5.4 , $user will always be a UserInterface in 6.0 |
:)
fabpot
approved these changes
Aug 13, 2021
ba70257 to
44b843a
Compare
|
Thank you @wouterj. |
fabpot
added a commit
that referenced
this pull request
Aug 14, 2021
This PR was merged into the 5.4 branch. Discussion ---------- [Security] Deprecate remaining anonymous checks | Q | A | ------------- | --- | Branch? | 5.4 | Bug fix? | no | New feature? | yes | Deprecations? | yes | Tickets | Ref #41613 | License | MIT | Doc PR | tbd Deprecates the remaining checks for anonymous found in #41613. It's WIP because the tests are failing until #42423 is merged and this PR is rebased (didn't update one test to avoid merge conflicts). Besides this, it also introduced `IS_AUTHENTICATED` and `AuthenticationTrustResolver::isAutenticated()`. Previously, `IS_AUTHENTICATED_ANONYMOUSLY` was considered to be the "bottom type" for authenticated requests. As this is no longer true, `IS_AUTHENTICATED_REMEMBERME` is now the new "bottom type". I suggest we use an explicit bottom type (the ones introduced) instead to avoid another such update if we change something with remember me. It's also more clear on the exact intent of the check. Commits ------- e3aca7f [Security] Deprecate remaining anonymous checks
This was referenced Nov 5, 2021
Merged
Merged
| */ | ||
| public function __construct($user, $credentials, string $firewallName, array $roles = []) | ||
| public function __construct($user, /*string*/ $firewallName, /*array*/ $roles = []) |
There was a problem hiding this comment.
Hi guys, I'm not sure how to use UsernamePasswordToken without $credentials as this change is not explained in documentation: https://symfony.com/doc/current/components/security/authentication.html
There was a problem hiding this comment.
You probably get faster answers if you use one of the support channels: https://symfony.com/support (e.g. GitHub discussions) Not a lot of people are watching already merged PRs.
The security component is refactored during Symfony 5. Tokens now only represent authenticated tokens/sessions, so they no longer have credentials. The "pre authentication tokens" are now called passports.
We haven't updated the components docs yet, but the framework docs are upgraded to the new system. Hopefully, you'll be able to figure stuff out using e.g. https://symfony.com/doc/current/security/custom_authenticator.html
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a continuation of @xabbuh's experiment in #34909 and @chalasr's work in #42050. This hopefully is the last cleanup of
TokenInterface:string|\Stringableunion fromToken::getUser()and other helper methods and require a user to be an instance ofUserInterface.Token::eraseCredentials()as this is still used to remove credentials fromUserInterface.AnonymousToken, which we forgot in 5.3. This token is not used anymore in the new system (anonymous does no longer exists). This was also the only token in core that didn't fulfill theUserInterfacerequirement for authenticated tokens.