Merge branch '7.4' into 8.0

nicolas-grekas · nicolas-grekas · commit 3713441b3810 · 2025-09-15T16:02:32.000+02:00
* 7.4:
  Fix .github/expected-missing-return-types.diff
  deprecate the FQCN properties of PersistentToken and RememberMeDetails
  [Serializer] Fix unknown type in denormalization errors when union type used in constructor
  fix tests
  drop the ability to configure a signer with the IsSignatureValid attribute
  make createTable() public again
  [FrameworkBundle] Add support for configuring workflow places with glob patterns matching consts/backed enums
  replace HTTP response status code constants with their values
  [JsonPath] Add `Nothing` enum to support special nothing value
  [HttpKernel] Handle an array vary header in the http cache store for write
  [Config] Add generics on the config builder API
  [Console] Fix handling of `\E` in Bash completion
diff --git a/RememberMe/PersistentRememberMeHandler.php b/RememberMe/PersistentRememberMeHandler.php
@@ -52,7 +52,11 @@ public function createRememberMeCookie(UserInterface $user): void
         $series = random_bytes(66);
         $tokenValue = strtr(base64_encode(substr($series, 33)), '+/=', '-_~');
         $series = strtr(base64_encode(substr($series, 0, 33)), '+/=', '-_~');
-        $token = new PersistentToken($user::class, $user->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable());
+        if (method_exists(PersistentToken::class, 'getClass')) {
+            $token = new PersistentToken($user::class, $user->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable(), false);
+        } else {
+            $token = new PersistentToken($user->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable());
+        }
 
         $this->tokenProvider->createNewToken($token);
         $this->createCookie(RememberMeDetails::fromPersistentToken($token, time() + $this->options['lifetime']));
@@ -92,14 +96,19 @@ public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): U
             method_exists($token, 'getClass') ? $token->getClass(false) : '',
             $token->getUserIdentifier(),
             $expires,
-            $token->getLastUsed()->getTimestamp().':'.$series.':'.$tokenValue.':'.(method_exists($token, 'getClass') ? $token->getClass(false) : '')
+            $token->getLastUsed()->getTimestamp().':'.$series.':'.$tokenValue.':'.(method_exists($token, 'getClass') ? $token->getClass(false) : ''),
+            false
         ));
     }
 
     public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void
     {
         [$lastUsed, $series, $tokenValue, $class] = explode(':', $rememberMeDetails->getValue(), 4);
-        $token = new PersistentToken($class, $rememberMeDetails->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable('@'.$lastUsed));
+        if (method_exists(PersistentToken::class, 'getClass')) {
+            $token = new PersistentToken($class, $rememberMeDetails->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable('@'.$lastUsed), false);
+        } else {
+            $token = new PersistentToken($rememberMeDetails->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable('@'.$lastUsed));
+        }
 
         // if a token was regenerated less than a minute ago, there is no need to regenerate it
         // if multiple concurrent requests reauthenticate a user we do not want to update the token several times
diff --git a/RememberMe/RememberMeDetails.php b/RememberMe/RememberMeDetails.php
@@ -21,34 +21,95 @@ class RememberMeDetails
 {
     public const COOKIE_DELIMITER = ':';
 
+    private ?string $userFqcn = null;
+    private string $userIdentifier;
+    private int $expires;
+    private string $value;
+
+    /**
+     * @param string $userIdentifier
+     * @param int    $expires
+     * @param string $value
+     */
     public function __construct(
-        private string $userFqcn,
-        private string $userIdentifier,
-        private int $expires,
-        private string $value,
+        $userIdentifier,
+        $expires,
+        $value,
     ) {
+        if (\func_num_args() > 3) {
+            if (\func_num_args() < 5 || func_get_arg(4)) {
+                trigger_deprecation('symfony/security-http', '7.4', 'Passing a user FQCN to %s() is deprecated. The user class will be removed from the remember-me cookie in 8.0.', __CLASS__, __NAMESPACE__);
+            }
+
+            if (!\is_string($userIdentifier)) {
+                throw new \TypeError(\sprintf('Argument 1 passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($userIdentifier)));
+            }
+
+            $this->userFqcn = $userIdentifier;
+            $userIdentifier = $expires;
+            $expires = $value;
+
+            if (\func_num_args() <= 3) {
+                throw new \TypeError(\sprintf('Argument 4 passed to "%s()" must be a string, the argument is missing.', __METHOD__));
+            }
+
+            $value = func_get_arg(3);
+        }
+
+        if (!\is_string($userIdentifier)) {
+            throw new \TypeError(\sprintf('The $userIdentifier argument passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($userIdentifier)));
+        }
+
+        if (!\is_int($expires) && !preg_match('/^\d+$/', $expires)) {
+            throw new \TypeError(\sprintf('$The $expires argument  passed to "%s()" must be an integer, "%s" given.', __METHOD__, get_debug_type($expires)));
+        }
+
+        if (!\is_string($value)) {
+            throw new \TypeError(\sprintf('The $value argument  passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($value)));
+        }
+
+        $this->userIdentifier = $userIdentifier;
+        $this->expires = $expires;
+        $this->value = $value;
     }
 
     public static function fromRawCookie(string $rawCookie): self
     {
         if (!str_contains($rawCookie, self::COOKIE_DELIMITER)) {
             $rawCookie = base64_decode($rawCookie);
         }
-        $cookieParts = explode(self::COOKIE_DELIMITER, $rawCookie, 4);
-        if (4 !== \count($cookieParts)) {
-            throw new AuthenticationException('The cookie contains invalid data.');
-        }
-        if (false === $cookieParts[1] = base64_decode(strtr($cookieParts[1], '-_~', '+/='), true)) {
-            throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
+        $cookieParts = explode(self::COOKIE_DELIMITER, $rawCookie, 3);
+
+        if (isset($cookieParts[1]) && !preg_match('/^\d+$/', $cookieParts[1])) {
+            // legacy (Symfony < 8.0) cookie format
+            $cookieParts = explode(self::COOKIE_DELIMITER, $rawCookie, 4);
+
+            if (4 !== \count($cookieParts)) {
+                throw new AuthenticationException('The cookie contains invalid data.');
+            }
+
+            if (false === $cookieParts[1] = base64_decode(strtr($cookieParts[1], '-_~', '+/='), true)) {
+                throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
+            }
+
+            $cookieParts[0] = strtr($cookieParts[0], '.', '\\');
+            $cookieParts[4] = false;
+        } else {
+            if (3 !== \count($cookieParts)) {
+                throw new AuthenticationException('The cookie contains invalid data.');
+            }
+
+            if (false === $cookieParts[0] = base64_decode(strtr($cookieParts[0], '-_~', '+/='), true)) {
+                throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
+            }
         }
-        $cookieParts[0] = strtr($cookieParts[0], '.', '\\');
 
         return new static(...$cookieParts);
     }
 
     public static function fromPersistentToken(PersistentToken $token, int $expires): self
     {
-        return new static(method_exists($token, 'getClass') ? $token->getClass(false) : '', $token->getUserIdentifier(), $expires, $token->getSeries().':'.$token->getTokenValue());
+        return new static(method_exists($token, 'getClass') ? $token->getClass(false) : '', $token->getUserIdentifier(), $expires, $token->getSeries().':'.$token->getTokenValue(), false);
     }
 
     public function withValue(string $value): self
@@ -66,7 +127,7 @@ public function getUserFqcn(): string
     {
         trigger_deprecation('symfony/security-http', '7.4', 'The "%s()" method is deprecated: the user FQCN will be removed from the remember-me cookie in 8.0.', __METHOD__);
 
-        return $this->userFqcn;
+        return $this->userFqcn ?? '';
     }
 
     public function getUserIdentifier(): string
@@ -87,6 +148,6 @@ public function getValue(): string
     public function toString(): string
     {
         // $userIdentifier is encoded because it might contain COOKIE_DELIMITER, we assume other values don't
-        return implode(self::COOKIE_DELIMITER, [strtr($this->userFqcn, '\\', '.'), strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
+        return implode(self::COOKIE_DELIMITER, [strtr($this->userFqcn ?? '', '\\', '.'), strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
     }
 }
diff --git a/RememberMe/SignatureRememberMeHandler.php b/RememberMe/SignatureRememberMeHandler.php
@@ -47,7 +47,7 @@ public function createRememberMeCookie(UserInterface $user): void
         $expires = time() + $this->options['lifetime'];
         $value = $this->signatureHasher->computeSignatureHash($user, $expires);
 
-        $details = new RememberMeDetails($user::class, $user->getUserIdentifier(), $expires, $value);
+        $details = new RememberMeDetails($user::class, $user->getUserIdentifier(), $expires, $value, false);
         $this->createCookie($details);
     }
 
diff --git a/Tests/Authenticator/RememberMeAuthenticatorTest.php b/Tests/Authenticator/RememberMeAuthenticatorTest.php
@@ -68,7 +68,17 @@ public static function provideSupportsData()
 
     public function testAuthenticate()
     {
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 1, 'secret');
+        $rememberMeDetails = new RememberMeDetails('wouter', 1, 'secret');
+        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => implode(RememberMeDetails::COOKIE_DELIMITER, \array_slice(explode(RememberMeDetails::COOKIE_DELIMITER, $rememberMeDetails->toString()), 1))]);
+        $passport = $this->authenticator->authenticate($request);
+
+        $this->rememberMeHandler->expects($this->once())->method('consumeRememberMeCookie')->with($this->callback(fn ($arg) => $rememberMeDetails == $arg));
+        $passport->getUser(); // trigger the user loader
+    }
+
+    public function testAuthenticateLegacyCookieFormat()
+    {
+        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 1, 'secret', false);
         $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => $rememberMeDetails->toString()]);
         $passport = $this->authenticator->authenticate($request);
 
diff --git a/Tests/RememberMe/PersistentRememberMeHandlerTest.php b/Tests/RememberMe/PersistentRememberMeHandlerTest.php
diff --git a/Tests/RememberMe/SignatureRememberMeHandlerTest.php b/Tests/RememberMe/SignatureRememberMeHandlerTest.php

Original file line number	Diff line number	Diff line change
`@@ -47,7 +47,7 @@ public function createRememberMeCookie(UserInterface $user): void`
`47`	`47`	`$expires = time() + $this->options['lifetime'];`
`48`	`48`	`$value = $this->signatureHasher->computeSignatureHash($user, $expires);`
`49`	`49`
`50`		`- $details = new RememberMeDetails($user::class, $user->getUserIdentifier(), $expires, $value);`
	`50`	`+ $details = new RememberMeDetails($user::class, $user->getUserIdentifier(), $expires, $value, false);`
`51`	`51`	`$this->createCookie($details);`
`52`	`52`	`}`
`53`	`53`