symfony
diff --git a/‎UPGRADE-5.3.md
Lines changed: 82 additions & 0 deletions b/‎UPGRADE-5.3.md
Lines changed: 82 additions & 0 deletions
diff --git a/‎UPGRADE-6.0.md
Lines changed: 84 additions & 0 deletions b/‎UPGRADE-6.0.md
Lines changed: 84 additions & 0 deletions
diff --git a/‎src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php
Lines changed: 7 additions & 0 deletions b/‎src/Symfony/Bridge/Doctrine/Security/User/EntityUserProvider.php
Lines changed: 7 additions & 0 deletions
diff --git a/‎src/Symfony/Bridge/Doctrine/Tests/Fixtures/User.php
Lines changed: 2 additions & 1 deletion b/‎src/Symfony/Bridge/Doctrine/Tests/Fixtures/User.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Symfony/Bridge/Doctrine/Tests/Security/User/EntityUserProviderTest.php
Lines changed: 2 additions & 0 deletions b/‎src/Symfony/Bridge/Doctrine/Tests/Security/User/EntityUserProviderTest.php
Lines changed: 2 additions & 0 deletions
diff --git a/‎src/Symfony/Bridge/Doctrine/composer.json
Lines changed: 2 additions & 2 deletions b/‎src/Symfony/Bridge/Doctrine/composer.json
Lines changed: 2 additions & 2 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Lines changed: 8 additions & 0 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityTest.php
Lines changed: 3 additions & 2 deletions b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityTest.php
Lines changed: 3 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Ldap/Security/CheckLdapCredentialsListener.php
Lines changed: 8 additions & 2 deletions b/‎src/Symfony/Component/Ldap/Security/CheckLdapCredentialsListener.php
Lines changed: 8 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Ldap/Security/LdapUser.php
Lines changed: 2 additions & 1 deletion b/‎src/Symfony/Component/Ldap/Security/LdapUser.php
Lines changed: 2 additions & 1 deletion
@@ -80,6 +80,88 @@ Routing
 Security
 --------
 
+ * Deprecate `UserInterface::getPassword()`
+   If your `getPassword()` method does not return `null` (i.e. you are using password-based authentication),
+   you should implement `PasswordAuthenticatedUserInterface`.
+
+   Before:
+   ```php
+   use Symfony\Component\Security\Core\User\UserInterface;
+
+   class User implements UserInterface
+   {
+       // ...
+
+       public function getPassword()
+       {
+           return $this->password;
+       }
+   }
+   ```
+
+   After:
+   ```php
+   use Symfony\Component\Security\Core\User\UserInterface;
+   use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
+
+   class User implements UserInterface, PasswordAuthenticatedUserInterface
+   {
+       // ...
+
+       public function getPassword(): ?string
+       {
+           return $this->password;
+       }
+   }
+   ```
+
+ * Deprecate `UserInterface::getSalt()`
+   If your `getSalt()` method does not return `null` (i.e. you are using password-based authentication with an old password hash algorithm that requires user-provided salts),
+   implement `LegacyPasswordAuthenticatedUserInterface`.
+
+   Before:
+   ```php
+   use Symfony\Component\Security\Core\User\UserInterface;
+
+   class User implements UserInterface
+   {
+       // ...
+
+       public function getPassword()
+       {
+           return $this->password;
+       }
+
+       public function getSalt()
+       {
+           return $this->salt;
+       }
+   }
+   ```
+
+   After:
+   ```php
+   use Symfony\Component\Security\Core\User\UserInterface;
+   use Symfony\Component\Security\Core\User\LegacyPasswordAuthenticatedUserInterface;
+
+   class User implements UserInterface, LegacyPasswordAuthenticatedUserInterface
+   {
+       // ...
+
+       public function getPassword(): ?string
+       {
+           return $this->password;
+       }
+
+       public function getSalt(): ?string
+       {
+           return $this->salt;
+       }
+   }
+   ```
+
+ * Deprecate calling `PasswordUpgraderInterface::upgradePassword()` with a `UserInterface` instance that does not implement `PasswordAuthenticatedUserInterface`
+ * Deprecate calling methods `hashPassword()`, `isPasswordValid()` and `needsRehash()` on `UserPasswordHasherInterface` with a `UserInterface` instance that does not implement `PasswordAuthenticatedUserInterface`
  * Deprecate all classes in the `Core\Encoder\`  sub-namespace, use the `PasswordHasher` component instead
  * Deprecated voters that do not return a valid decision when calling the `vote` method
 
 
@@ -172,6 +172,90 @@ Routing
 Security
 --------
 
+ * Remove `UserInterface::getPassword()`
+   If your `getPassword()` method does not return `null` (i.e. you are using password-based authentication),
+   you should implement `PasswordAuthenticatedUserInterface`.
+
+   Before:
+   ```php
+   use Symfony\Component\Security\Core\User\UserInterface;
+
+   class User implements UserInterface
+   {
+       // ...
+
+       public function getPassword()
+       {
+           return $this->password;
+       }
+   }
+   ```
+
+   After:
+   ```php
+   use Symfony\Component\Security\Core\User\UserInterface;
+   use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
+
+   class User implements UserInterface, PasswordAuthenticatedUserInterface
+   {
+       // ...
+
+       public function getPassword(): ?string
+       {
+           return $this->password;
+       }
+   }
+   ```
+
+ * Remove `UserInterface::getSalt()`
+   If your `getSalt()` method does not return `null` (i.e. you are using password-based authentication with an old password hash algorithm that requires user-provided salts),
+   implement `LegacyPasswordAuthenticatedUserInterface`.
+
+   Before:
+   ```php
+   use Symfony\Component\Security\Core\User\UserInterface;
+
+   class User implements UserInterface
+   {
+       // ...
+
+       public function getPassword()
+       {
+           return $this->password;
+       }
+
+       public function getSalt()
+       {
+           return $this->salt;
+       }
+   }
+   ```
+
+   After:
+   ```php
+   use Symfony\Component\Security\Core\User\UserInterface;
+   use Symfony\Component\Security\Core\User\LegacyPasswordAuthenticatedUserInterface;
+
+   class User implements UserInterface, LegacyPasswordAuthenticatedUserInterface
+   {
+       // ...
+
+       public function getPassword(): ?string
+       {
+           return $this->password;
+       }
+
+       public function getSalt(): ?string
+       {
+           return $this->salt;
+       }
+   }
+   ```
+
+ * Calling `PasswordUpgraderInterface::upgradePassword()` with a `UserInterface` instance that
+   does not implement `PasswordAuthenticatedUserInterface` now throws a `\TypeError`.
+ * Calling methods `hashPassword()`, `isPasswordValid()` and `needsRehash()` on `UserPasswordHasherInterface`
+   with a `UserInterface` instance that does not implement `PasswordAuthenticatedUserInterface` now throws a `\TypeError`
  * Drop all classes in the `Core\Encoder\`  sub-namespace, use the `PasswordHasher` component instead
  * Drop support for `SessionInterface $session` as constructor argument of `SessionTokenStorage`, inject a `\Symfony\Component\HttpFoundation\RequestStack $requestStack` instead
  * Drop support for `session` provided by the ServiceLocator injected in `UsageTrackingTokenStorage`, provide a `request_stack` service instead
 
@@ -17,6 +17,7 @@
 use Doctrine\Persistence\ObjectRepository;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -115,9 +116,15 @@ public function supportsClass(string $class)
 
     /**
      * {@inheritdoc}
+     *
+     * @final
      */
     public function upgradePassword(UserInterface $user, string $newEncodedPassword): void
     {
+        if (!$user instanceof PasswordAuthenticatedUserInterface) {
+            trigger_deprecation('symfony/doctrine-bridge', '5.3', 'The "%s::upgradePassword()" method expects an instance of "%s" as first argument, the "%s" class should implement it.', PasswordUpgraderInterface::class, PasswordAuthenticatedUserInterface::class, get_debug_type($user));
+        }
+
         $class = $this->getClass();
         if (!$user instanceof $class) {
             throw new UnsupportedUserException(sprintf('Instances of "%s" are not supported.', get_debug_type($user)));
 
@@ -14,10 +14,11 @@
 use Doctrine\ORM\Mapping\Column;
 use Doctrine\ORM\Mapping\Entity;
 use Doctrine\ORM\Mapping\Id;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 /** @Entity */
-class User implements UserInterface
+class User implements UserInterface, PasswordAuthenticatedUserInterface
 {
     /** @Id @Column(type="integer") */
     protected $id1;
 
@@ -22,6 +22,7 @@
 use Symfony\Bridge\Doctrine\Tests\DoctrineTestHelper;
 use Symfony\Bridge\Doctrine\Tests\Fixtures\User;
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 
@@ -234,4 +235,5 @@ abstract class UserLoaderRepository implements ObjectRepository, UserLoaderInter
 
 abstract class PasswordUpgraderRepository implements ObjectRepository, PasswordUpgraderInterface
 {
+    abstract public function upgradePassword(PasswordAuthenticatedUserInterface $user, string $newHashedPassword): void;
 }
@@ -38,7 +38,7 @@
         "symfony/property-access": "^4.4|^5.0",
         "symfony/property-info": "^5.0",
         "symfony/proxy-manager-bridge": "^4.4|^5.0",
-        "symfony/security-core": "^5.0",
+        "symfony/security-core": "^5.3",
         "symfony/expression-language": "^4.4|^5.0",
         "symfony/uid": "^5.1",
         "symfony/validator": "^5.2",
@@ -60,7 +60,7 @@
         "symfony/messenger": "<4.4",
         "symfony/property-info": "<5",
         "symfony/security-bundle": "<5",
-        "symfony/security-core": "<5",
+        "symfony/security-core": "<5.3",
         "symfony/validator": "<5.2"
     },
     "suggest": {
 
@@ -42,6 +42,7 @@
 use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;
 use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;
 use Symfony\Component\Security\Core\User\ChainUserProvider;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
 
@@ -664,6 +665,9 @@ private function createEncoders(array $encoders, ContainerBuilder $container)
     {
         $encoderMap = [];
         foreach ($encoders as $class => $encoder) {
+            if (class_exists($class) && !is_a($class, PasswordAuthenticatedUserInterface::class, true)) {
+                trigger_deprecation('symfony/security-bundle', '5.3', 'Configuring an encoder for a user class that does not implement "%s" is deprecated, class "%s" should implement it.', PasswordAuthenticatedUserInterface::class, $class);
+            }
             $encoderMap[$class] = $this->createEncoder($encoder);
         }
 
@@ -775,6 +779,10 @@ private function createHashers(array $hashers, ContainerBuilder $container)
     {
         $hasherMap = [];
         foreach ($hashers as $class => $hasher) {
+            // @deprecated since Symfony 5.3, remove the check in 6.0
+            if (class_exists($class) && !is_a($class, PasswordAuthenticatedUserInterface::class, true)) {
+                trigger_deprecation('symfony/security-bundle', '5.3', 'Configuring a password hasher for a user class that does not implement "%s" is deprecated, class "%s" should implement it.', PasswordAuthenticatedUserInterface::class, $class);
+            }
             $hasherMap[$class] = $this->createHasher($hasher);
         }
 
 
@@ -13,6 +13,7 @@
 
 use Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\SecuredPageBundle\Security\Core\User\ArrayUserProvider;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Core\User\UserInterface;
 
@@ -78,7 +79,7 @@ public function testUserWillBeMarkedAsChangedIfRolesHasChanged(UserInterface $us
     }
 }
 
-final class UserWithoutEquatable implements UserInterface
+final class UserWithoutEquatable implements UserInterface, PasswordAuthenticatedUserInterface
 {
     private $username;
     private $password;
@@ -119,7 +120,7 @@ public function getRoles()
     /**
      * {@inheritdoc}
      */
-    public function getPassword()
+    public function getPassword(): ?string
     {
         return $this->password;
     }
 
@@ -17,6 +17,7 @@
 use Symfony\Component\Ldap\LdapInterface;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\LogicException;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\Authenticator\Passport\UserPassportInterface;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
@@ -68,6 +69,11 @@ public function onCheckPassport(CheckPassportEvent $event)
             throw new BadCredentialsException('The presented password cannot be empty.');
         }
 
+        $user = $passport->getUser();
+        if (!$user instanceof PasswordAuthenticatedUserInterface) {
+            trigger_deprecation('symfony/ldap', '5.3', 'Not implementing the "%s" interface in class "%s" while using password-based authenticators is deprecated.', PasswordAuthenticatedUserInterface::class, get_debug_type($user));
+        }
+
         /** @var LdapInterface $ldap */
         $ldap = $this->ldapLocator->get($ldapBadge->getLdapServiceId());
         try {
@@ -77,7 +83,7 @@ public function onCheckPassport(CheckPassportEvent $event)
                 } else {
                     throw new LogicException('Using the "query_string" config without using a "search_dn" and a "search_password" is not supported.');
                 }
-                $username = $ldap->escape($passport->getUser()->getUsername(), '', LdapInterface::ESCAPE_FILTER);
+                $username = $ldap->escape($user->getUsername(), '', LdapInterface::ESCAPE_FILTER);
                 $query = str_replace('{username}', $username, $ldapBadge->getQueryString());
                 $result = $ldap->query($ldapBadge->getDnString(), $query)->execute();
                 if (1 !== $result->count()) {
@@ -86,7 +92,7 @@ public function onCheckPassport(CheckPassportEvent $event)
 
                 $dn = $result[0]->getDn();
             } else {
-                $username = $ldap->escape($passport->getUser()->getUsername(), '', LdapInterface::ESCAPE_DN);
+                $username = $ldap->escape($user->getUsername(), '', LdapInterface::ESCAPE_DN);
                 $dn = str_replace('{username}', $username, $ldapBadge->getDnString());
             }
 
 
@@ -13,14 +13,15 @@
 
 use Symfony\Component\Ldap\Entry;
 use Symfony\Component\Security\Core\User\EquatableInterface;
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 /**
  * @author Robin Chalas <robin.chalas@gmail.com>
  *
  * @final
  */
-class LdapUser implements UserInterface, EquatableInterface
+class LdapUser implements UserInterface, PasswordAuthenticatedUserInterface, EquatableInterface
 {
     private $entry;
     private $username;
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@`
`22`	`22`	`use Symfony\Bridge\Doctrine\Tests\DoctrineTestHelper;`
`23`	`23`	`use Symfony\Bridge\Doctrine\Tests\Fixtures\User;`
`24`	`24`	`use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;`
	`25`	`+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;`
`25`	`26`	`use Symfony\Component\Security\Core\User\PasswordUpgraderInterface;`
`26`	`27`	`use Symfony\Component\Security\Core\User\UserInterface;`
`27`	`28`
`@@ -234,4 +235,5 @@ abstract class UserLoaderRepository implements ObjectRepository, UserLoaderInter`
`234`	`235`
`235`	`236`	`abstract class PasswordUpgraderRepository implements ObjectRepository, PasswordUpgraderInterface`
`236`	`237`	`{`
	`238`	`+ abstract public function upgradePassword(PasswordAuthenticatedUserInterface $user, string $newHashedPassword): void;`
`237`	`239`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,6 +42,7 @@`
`42`	`42`	`use Symfony\Component\Security\Core\Encoder\NativePasswordEncoder;`
`43`	`43`	`use Symfony\Component\Security\Core\Encoder\SodiumPasswordEncoder;`
`44`	`44`	`use Symfony\Component\Security\Core\User\ChainUserProvider;`
	`45`	`+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;`
`45`	`46`	`use Symfony\Component\Security\Core\User\UserProviderInterface;`
`46`	`47`	`use Symfony\Component\Security\Http\Event\CheckPassportEvent;`
`47`	`48`
`@@ -664,6 +665,9 @@ private function createEncoders(array $encoders, ContainerBuilder $container)`
`664`	`665`	`{`
`665`	`666`	`$encoderMap = [];`
`666`	`667`	`foreach ($encoders as $class => $encoder) {`
	`668`	`+ if (class_exists($class) && !is_a($class, PasswordAuthenticatedUserInterface::class, true)) {`
	`669`	`+ trigger_deprecation('symfony/security-bundle', '5.3', 'Configuring an encoder for a user class that does not implement "%s" is deprecated, class "%s" should implement it.', PasswordAuthenticatedUserInterface::class, $class);`
	`670`	`+ }`
`667`	`671`	`$encoderMap[$class] = $this->createEncoder($encoder);`
`668`	`672`	`}`
`669`	`673`
`@@ -775,6 +779,10 @@ private function createHashers(array $hashers, ContainerBuilder $container)`
`775`	`779`	`{`
`776`	`780`	`$hasherMap = [];`
`777`	`781`	`foreach ($hashers as $class => $hasher) {`
	`782`	`+ // @deprecated since Symfony 5.3, remove the check in 6.0`
	`783`	`+ if (class_exists($class) && !is_a($class, PasswordAuthenticatedUserInterface::class, true)) {`
	`784`	`+ trigger_deprecation('symfony/security-bundle', '5.3', 'Configuring a password hasher for a user class that does not implement "%s" is deprecated, class "%s" should implement it.', PasswordAuthenticatedUserInterface::class, $class);`
	`785`	`+ }`
`778`	`786`	`$hasherMap[$class] = $this->createHasher($hasher);`
`779`	`787`	`}`
`780`	`788`
Original file line number	Diff line number	Diff line change
`@@ -13,6 +13,7 @@`
`13`	`13`
`14`	`14`	`use Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\SecuredPageBundle\Security\Core\User\ArrayUserProvider;`
`15`	`15`	`use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;`
	`16`	`+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;`
`16`	`17`	`use Symfony\Component\Security\Core\User\User;`
`17`	`18`	`use Symfony\Component\Security\Core\User\UserInterface;`
`18`	`19`
`@@ -78,7 +79,7 @@ public function testUserWillBeMarkedAsChangedIfRolesHasChanged(UserInterface $us`
`78`	`79`	`}`
`79`	`80`	`}`
`80`	`81`
`81`		`-final class UserWithoutEquatable implements UserInterface`
	`82`	`+final class UserWithoutEquatable implements UserInterface, PasswordAuthenticatedUserInterface`
`82`	`83`	`{`
`83`	`84`	`private $username;`
`84`	`85`	`private $password;`
`@@ -119,7 +120,7 @@ public function getRoles()`
`119`	`120`	`/**`
`120`	`121`	`* {@inheritdoc}`
`121`	`122`	`*/`
`122`		`- public function getPassword()`
	`123`	`+ public function getPassword(): ?string`
`123`	`124`	`{`
`124`	`125`	`return $this->password;`
`125`	`126`	`}`