remove the user FQCN from remember me cookies

Author: xabbuh

CHANGELOG.md

@@ -4,6 +4,7 @@ CHANGELOG
 8.0
 ---
 
+ * Remove `RememberMeDetails::getUserFqcn()`
  * Remove callable firewall listeners support, extend `AbstractListener` or implement `FirewallListenerInterface` instead
  * Remove `AbstractListener::__invoke`
  * Throw a `BadCredentialsException` when passing an empty string as `$userIdentifier` argument to `UserBadge` constructor

RememberMe/PersistentRememberMeHandler.php

@@ -93,11 +93,9 @@ public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): U
         }
 
         return parent::consumeRememberMeCookie(new RememberMeDetails(
-            method_exists($token, 'getClass') ? $token->getClass(false) : '',
             $token->getUserIdentifier(),
             $expires,
             $token->getLastUsed()->getTimestamp().':'.$series.':'.$tokenValue.':'.(method_exists($token, 'getClass') ? $token->getClass(false) : ''),
-            false
         ));
     }
 

RememberMe/RememberMeDetails.php

@@ -21,56 +21,11 @@ class RememberMeDetails
 {
     public const COOKIE_DELIMITER = ':';
 
-    private ?string $userFqcn = null;
-    private string $userIdentifier;
-    private int $expires;
-    private string $value;
-
-    /**
-     * @param string $userIdentifier
-     * @param int    $expires
-     * @param string $value
-     */
     public function __construct(
-        $userIdentifier,
-        $expires,
-        $value,
+        private string $userIdentifier,
+        private int $expires,
+        private string $value,
     ) {
-        if (\func_num_args() > 3) {
-            if (\func_num_args() < 5 || func_get_arg(4)) {
-                trigger_deprecation('symfony/security-http', '7.4', 'Passing a user FQCN to %s() is deprecated. The user class will be removed from the remember-me cookie in 8.0.', __CLASS__, __NAMESPACE__);
-            }
-
-            if (!\is_string($userIdentifier)) {
-                throw new \TypeError(\sprintf('Argument 1 passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($userIdentifier)));
-            }
-
-            $this->userFqcn = $userIdentifier;
-            $userIdentifier = $expires;
-            $expires = $value;
-
-            if (\func_num_args() <= 3) {
-                throw new \TypeError(\sprintf('Argument 4 passed to "%s()" must be a string, the argument is missing.', __METHOD__));
-            }
-
-            $value = func_get_arg(3);
-        }
-
-        if (!\is_string($userIdentifier)) {
-            throw new \TypeError(\sprintf('The $userIdentifier argument passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($userIdentifier)));
-        }
-
-        if (!\is_int($expires) && !preg_match('/^\d+$/', $expires)) {
-            throw new \TypeError(\sprintf('$The $expires argument  passed to "%s()" must be an integer, "%s" given.', __METHOD__, get_debug_type($expires)));
-        }
-
-        if (!\is_string($value)) {
-            throw new \TypeError(\sprintf('The $value argument  passed to "%s()" must be a string, "%s" given.', __METHOD__, get_debug_type($value)));
-        }
-
-        $this->userIdentifier = $userIdentifier;
-        $this->expires = $expires;
-        $this->value = $value;
     }
 
     public static function fromRawCookie(string $rawCookie): self
@@ -89,19 +44,14 @@ public static function fromRawCookie(string $rawCookie): self
             throw new AuthenticationException('The user identifier contains a character from outside the base64 alphabet.');
         }
 
-        if ('' === $cookieParts[0]) {
-            unset($cookieParts[0]);
-        } else {
-            $cookieParts[0] = strtr($cookieParts[0], '.', '\\');
-            $cookieParts[4] = false;
-        }
+        unset($cookieParts[0]);
 
         return new static(...$cookieParts);
     }
 
     public static function fromPersistentToken(PersistentToken $token, int $expires): self
     {
-        return new static(method_exists($token, 'getClass') ? $token->getClass(false) : '', $token->getUserIdentifier(), $expires, $token->getSeries().':'.$token->getTokenValue(), false);
+        return new static($token->getUserIdentifier(), $expires, $token->getSeries().':'.$token->getTokenValue());
     }
 
     public function withValue(string $value): self
@@ -112,16 +62,6 @@ public function withValue(string $value): self
         return $details;
     }
 
-    /**
-     * @deprecated since Symfony 7.4, the user FQCN will be removed from the remember-me cookie in 8.0
-     */
-    public function getUserFqcn(): string
-    {
-        trigger_deprecation('symfony/security-http', '7.4', 'The "%s()" method is deprecated: the user FQCN will be removed from the remember-me cookie in 8.0.', __METHOD__);
-
-        return $this->userFqcn ?? '';
-    }
-
     public function getUserIdentifier(): string
     {
         return $this->userIdentifier;
@@ -140,6 +80,6 @@ public function getValue(): string
     public function toString(): string
     {
         // $userIdentifier is encoded because it might contain COOKIE_DELIMITER, we assume other values don't
-        return implode(self::COOKIE_DELIMITER, [strtr($this->userFqcn ?? '', '\\', '.'), strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
+        return implode(self::COOKIE_DELIMITER, ['', strtr(base64_encode($this->userIdentifier), '+/=', '-_~'), $this->expires, $this->value]);
     }
 }

RememberMe/SignatureRememberMeHandler.php

@@ -47,7 +47,7 @@ public function createRememberMeCookie(UserInterface $user): void
         $expires = time() + $this->options['lifetime'];
         $value = $this->signatureHasher->computeSignatureHash($user, $expires);
 
-        $details = new RememberMeDetails($user::class, $user->getUserIdentifier(), $expires, $value, false);
+        $details = new RememberMeDetails($user->getUserIdentifier(), $expires, $value);
         $this->createCookie($details);
     }
 

Tests/Authenticator/RememberMeAuthenticatorTest.php

@@ -69,9 +69,7 @@ public static function provideSupportsData()
     public function testAuthenticate()
     {
         $rememberMeDetails = new RememberMeDetails('wouter', 1, 'secret');
-        $cookieData = explode(RememberMeDetails::COOKIE_DELIMITER, $rememberMeDetails->toString());
-        $cookieData[0] = '';
-        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => implode(RememberMeDetails::COOKIE_DELIMITER, $cookieData)]);
+        $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => $rememberMeDetails->toString()]);
         $passport = $this->authenticator->authenticate($request);
 
         $this->rememberMeHandler->expects($this->once())->method('consumeRememberMeCookie')->with($this->callback(fn ($arg) => $rememberMeDetails == $arg));
@@ -80,7 +78,7 @@ public function testAuthenticate()
 
     public function testAuthenticateLegacyCookieFormat()
     {
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 1, 'secret', false);
+        $rememberMeDetails = new RememberMeDetails('wouter', 1, 'secret');
         $request = Request::create('/', 'GET', [], ['_remember_me_cookie' => $rememberMeDetails->toString()]);
         $passport = $this->authenticator->authenticate($request);
 

Tests/RememberMe/PersistentRememberMeHandlerTest.php

@@ -61,7 +61,7 @@ public function testClearRememberMeCookie()
             ->method('deleteTokenBySeries')
             ->with('series1');
 
-        $this->request->cookies->set('REMEMBERME', (new RememberMeDetails(InMemoryUser::class, 'wouter', 0, 'series1:tokenvalue', false))->toString());
+        $this->request->cookies->set('REMEMBERME', (new RememberMeDetails('wouter', 0, 'series1:tokenvalue'))->toString());
 
         $this->handler->clearRememberMeCookie();
 
@@ -104,7 +104,7 @@ public function testConsumeRememberMeCookieValid()
 
         $this->tokenProvider->expects($this->once())->method('updateToken')->with('series1');
 
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue', false);
+        $rememberMeDetails = new RememberMeDetails('wouter', 360, 'series1:tokenvalue');
         $this->handler->consumeRememberMeCookie($rememberMeDetails);
 
         // assert that the cookie has been updated with a new base64 encoded token value
@@ -136,7 +136,7 @@ public function testConsumeRememberMeCookieInvalidOwner()
             ->willReturn($persistentToken)
         ;
 
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'jeremy', 360, 'series1:tokenvalue', false);
+        $rememberMeDetails = new RememberMeDetails('jeremy', 360, 'series1:tokenvalue');
 
         $this->expectException(AuthenticationException::class);
         $this->expectExceptionMessage('The cookie\'s hash is invalid.');
@@ -157,7 +157,7 @@ public function testConsumeRememberMeCookieInvalidValue()
             ->willReturn($persistentToken)
         ;
 
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue:somethingelse', false);
+        $rememberMeDetails = new RememberMeDetails('wouter', 360, 'series1:tokenvalue:somethingelse');
 
         $this->expectException(AuthenticationException::class);
         $this->expectExceptionMessage('This token was already used. The account is possibly compromised.');
@@ -187,7 +187,7 @@ public function testConsumeRememberMeCookieValidByValidatorWithoutUpdate()
             ->willReturn(true)
         ;
 
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:oldTokenValue', false);
+        $rememberMeDetails = new RememberMeDetails('wouter', 360, 'series1:oldTokenValue');
         $handler->consumeRememberMeCookie($rememberMeDetails);
 
         $this->assertFalse($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
@@ -210,7 +210,7 @@ public function testConsumeRememberMeCookieInvalidToken()
 
         $this->expectException(CookieTheftException::class);
 
-        $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue', false));
+        $this->handler->consumeRememberMeCookie(new RememberMeDetails('wouter', 360, 'series1:tokenvalue'));
     }
 
     public function testConsumeRememberMeCookieExpired()
@@ -231,7 +231,7 @@ public function testConsumeRememberMeCookieExpired()
         $this->expectException(AuthenticationException::class);
         $this->expectExceptionMessage('The cookie has expired.');
 
-        $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue', false));
+        $this->handler->consumeRememberMeCookie(new RememberMeDetails('wouter', 360, 'series1:tokenvalue'));
     }
 
     public function testBase64EncodedTokens()
@@ -250,7 +250,7 @@ public function testBase64EncodedTokens()
 
         $this->tokenProvider->expects($this->once())->method('updateToken')->with('series1');
 
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue', false);
+        $rememberMeDetails = new RememberMeDetails('wouter', 360, 'series1:tokenvalue');
         $cookieData = explode(RememberMeDetails::COOKIE_DELIMITER, $rememberMeDetails->toString());
         $cookieData[0] = '';
         $rememberMeDetails = RememberMeDetails::fromRawCookie(base64_encode(implode(RememberMeDetails::COOKIE_DELIMITER, $cookieData)));
@@ -273,7 +273,7 @@ public function testBase64EncodedTokensLegacyFormat()
 
         $this->tokenProvider->expects($this->once())->method('updateToken')->with('series1');
 
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue', false);
+        $rememberMeDetails = new RememberMeDetails('wouter', 360, 'series1:tokenvalue');
         $rememberMeDetails = RememberMeDetails::fromRawCookie(base64_encode($rememberMeDetails->toString()));
         $this->handler->consumeRememberMeCookie($rememberMeDetails);
     }

Tests/RememberMe/SignatureRememberMeHandlerTest.php

@@ -56,7 +56,7 @@ public function testCreateRememberMeCookie()
 
         /** @var Cookie $cookie */
         $cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
-        $this->assertEquals(strtr(InMemoryUser::class, '\\', '.').':d291dGVy:'.$expire.':'.$signature, $cookie->getValue());
+        $this->assertEquals(':d291dGVy:'.$expire.':'.$signature, $cookie->getValue());
     }
 
     public function testClearRememberMeCookie()
@@ -76,21 +76,21 @@ public function testConsumeRememberMeCookieValid()
         $signature = $this->signatureHasher->computeSignatureHash($user, $expire = time() + 3600);
         $this->userProvider->createUser(new InMemoryUser('wouter', null));
 
-        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', $expire, $signature, false);
+        $rememberMeDetails = new RememberMeDetails('wouter', $expire, $signature);
         $this->handler->consumeRememberMeCookie($rememberMeDetails);
 
         $this->assertTrue($this->request->attributes->has(ResponseListener::COOKIE_ATTR_NAME));
 
         /** @var Cookie $cookie */
         $cookie = $this->request->attributes->get(ResponseListener::COOKIE_ATTR_NAME);
-        $this->assertNotEquals((new RememberMeDetails(InMemoryUser::class, 'wouter', $expire, $signature, false))->toString(), $cookie->getValue());
+        $this->assertNotEquals((new RememberMeDetails('wouter', $expire, $signature))->toString(), $cookie->getValue());
     }
 
     public function testConsumeRememberMeCookieInvalidHash()
     {
         $this->expectException(AuthenticationException::class);
         $this->expectExceptionMessage('The cookie\'s hash is invalid.');
-        $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', time() + 600, 'badsignature', false));
+        $this->handler->consumeRememberMeCookie(new RememberMeDetails('wouter', time() + 600, 'badsignature'));
     }
 
     public function testConsumeRememberMeCookieExpired()
@@ -100,6 +100,6 @@ public function testConsumeRememberMeCookieExpired()
 
         $this->expectException(AuthenticationException::class);
         $this->expectExceptionMessage('The cookie has expired.');
-        $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', 360, $signature, false));
+        $this->handler->consumeRememberMeCookie(new RememberMeDetails('wouter', 360, $signature));
     }
 }