Skip to content

[Security] Remove deprecated RememberMeToken::getSecret() #61011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Jul 8, 2025
Merged

[Security] Remove deprecated RememberMeToken::getSecret() #61011

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
1 change: 1 addition & 0 deletions UPGRADE-8.0.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -388,6 +388,7 @@ Security
* Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
* Remove `AbstractListener::__invoke`
* Remove `LazyFirewallContext::__invoke()`
* Remove `RememberMeToken::getSecret()`

SecurityBundle
--------------
Expand Down
22 changes: 2 additions & 20 deletions src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,8 +21,6 @@
*/
class RememberMeToken extends AbstractToken
{
private ?string $secret = null;

/**
* @throws \InvalidArgumentException
*/
Expand All @@ -32,11 +30,6 @@ public function __construct(
) {
parent::__construct($user->getRoles());

if (\func_num_args() > 2) {
trigger_deprecation('symfony/security-core', '7.2', 'The "$secret" argument of "%s()" is deprecated.', __METHOD__);
$this->secret = func_get_arg(2);
}

if (!$firewallName) {
throw new InvalidArgumentException('$firewallName must not be empty.');
}
Expand All @@ -49,25 +42,14 @@ public function getFirewallName(): string
return $this->firewallName;
}

/**
* @deprecated since Symfony 7.2
*/
public function getSecret(): string
{
trigger_deprecation('symfony/security-core', '7.2', 'The "%s()" method is deprecated.', __METHOD__);

return $this->secret ??= base64_encode(random_bytes(8));
}

public function __serialize(): array
{
// $this->firewallName should be kept at index 1 for compatibility with payloads generated before Symfony 8
return [$this->secret, $this->firewallName, parent::__serialize()];
return [null, $this->firewallName, parent::__serialize()];
}

public function __unserialize(array $data): void
{
[$this->secret, $this->firewallName, $parentData] = $data;
[, $this->firewallName, $parentData] = $data;
$parentData = \is_array($parentData) ? $parentData : unserialize($parentData);
parent::__unserialize($parentData);
}
Expand Down
1 change: 1 addition & 0 deletions src/Symfony/Component/Security/Core/CHANGELOG.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -4,6 +4,7 @@ CHANGELOG
8.0
---

* Remove `RememberMeToken::getSecret()`
* Remove `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
erase credentials e.g. using `__serialize()` instead

Expand Down
11 changes: 0 additions & 11 deletions src/Symfony/Component/Security/Core/Tests/Authentication/Token/RememberMeTokenTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -27,17 +27,6 @@ public function testConstructor()
$this->assertSame($user, $token->getUser());
}

/**
* @group legacy
*/
public function testSecret()
{
$user = $this->getUser();
$token = new RememberMeToken($user, 'fookey', 'foo');

$this->assertEquals('foo', $token->getSecret());
}

protected function getUser($roles = ['ROLE_FOO'])
{
$user = $this->createMock(UserInterface::class);
Expand Down
1 change: 0 additions & 1 deletion src/Symfony/Component/Security/Core/composer.json
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,7 +17,6 @@
],
"require": {
"php": ">=8.4",
"symfony/deprecation-contracts": "^2.5|^3",
"symfony/event-dispatcher-contracts": "^2.5|^3",
"symfony/password-hasher": "^7.4|^8.0",
"symfony/service-contracts": "^2.5|^3"
Expand Down
32 changes: 3 additions & 29 deletions src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -43,34 +43,12 @@
*/
class RememberMeAuthenticator implements InteractiveAuthenticatorInterface
{
private string $secret;
private TokenStorageInterface $tokenStorage;
private string $cookieName;
private ?LoggerInterface $logger;

/**
* @param TokenStorageInterface $tokenStorage
* @param string $cookieName
* @param ?LoggerInterface $logger
*/
public function __construct(
private RememberMeHandlerInterface $rememberMeHandler,
#[\SensitiveParameter] TokenStorageInterface|string $tokenStorage,
string|TokenStorageInterface $cookieName,
LoggerInterface|string|null $logger = null,
private TokenStorageInterface $tokenStorage,
private string $cookieName,
private ?LoggerInterface $logger = null,
) {
if (\is_string($tokenStorage)) {
trigger_deprecation('symfony/security-http', '7.2', 'The "$secret" argument of "%s()" is deprecated.', __METHOD__);

$this->secret = $tokenStorage;
$tokenStorage = $cookieName;
$cookieName = $logger;
$logger = \func_num_args() > 4 ? func_get_arg(4) : null;
}

$this->tokenStorage = $tokenStorage;
$this->cookieName = $cookieName;
$this->logger = $logger;
}

public function supports(Request $request): ?bool
Expand Down Expand Up @@ -109,10 +87,6 @@ public function authenticate(Request $request): Passport

public function createToken(Passport $passport, string $firewallName): TokenInterface
{
if (isset($this->secret)) {
return new RememberMeToken($passport->getUser(), $firewallName, $this->secret);
}

return new RememberMeToken($passport->getUser(), $firewallName);
}

Expand Down
Loading
pFad - Phonifier reborn

Pfad - The Proxy pFad of © 2024 Garber Painting. All rights reserved.

Note: This service is not intended for secure transactions such as banking, social media, email, or purchasing. Use at your own risk. We assume no liability whatsoever for broken pages.


Alternative Proxies:

Alternative Proxy

pFad Proxy

pFad v3 Proxy

pFad v4 Proxy