Merge branch '7.4' into 8.0

* 7.4:
  [SecurityBundle] Fix semantic configuration for singulars/plurals in XML
  [JsonPath] Make the component RFC compliant
  [Security] Add `$tokenSource` argument to `#[IsCsrfTokenValid]` to support reading tokens from the query string or headers
  [Config] Fix generics on TreeBuilder and ArrayNodeDefinition
  Fix `#[IsCsrfTokenValid]` to ensure `$tokenKey` is non-nullable
  [Security] Deprecate `PersistentToken::getClass()` and `RememberMeDetails::getUserFqcn()` in order to remove the user FQCN from the remember-me cookie in 8.0
  [Serializer] Add `#[ExtendsSerializationFor]` to declare new serialization attributes for a class
  [Validator] Add `#[ExtendsValidationFor]` to declare new constraints for a class
  [WebProfilerBundle] Show `EventStream`s in debug toolbar

Author: nicolas-grekas

Attribute/IsCsrfTokenValid.php

@@ -16,6 +16,10 @@
 #[\Attribute(\Attribute::IS_REPEATABLE | \Attribute::TARGET_CLASS | \Attribute::TARGET_METHOD | \Attribute::TARGET_FUNCTION)]
 final class IsCsrfTokenValid
 {
+    public const SOURCE_PAYLOAD = 0b0001;
+    public const SOURCE_QUERY = 0b0010;
+    public const SOURCE_HEADER = 0b0100;
+
     public function __construct(
         /**
          * Sets the id, or an Expression evaluated to the id, used when generating the token.
@@ -25,13 +29,20 @@ public function __construct(
         /**
          * Sets the key of the request that contains the actual token value that should be validated.
          */
-        public ?string $tokenKey = '_token',
+        public string $tokenKey = '_token',
 
         /**
          * Sets the available http methods that can be used to validate the token.
          * If not set, the token will be validated for all methods.
          */
         public array|string $methods = [],
+
+        /**
+         * Sets the source targeted to read the tokenKey.
+         *
+         * @var int-mask-of<self::SOURCE_*>
+         */
+        public int $tokenSource = self::SOURCE_PAYLOAD,
     ) {
     }
 }

CHANGELOG.md

@@ -19,6 +19,8 @@ CHANGELOG
  * Deprecate `AbstractListener::__invoke`
  * Add `$methods` argument to `#[IsGranted]` to restrict validation to specific HTTP methods
  * Allow subclassing `#[IsGranted]`
+ * Add `$tokenSource` argument to `#[IsCsrfTokenValid]` to support reading tokens from the query string or headers
+ * Deprecate `RememberMeDetails::getUserFqcn()`, the user FQCN will be removed from the remember-me cookie in 8.0
 
 7.3
 ---

EventListener/IsCsrfTokenValidAttributeListener.php

@@ -50,7 +50,11 @@ public function onKernelControllerArguments(ControllerArgumentsEvent $event): vo
                 continue;
             }
 
-            if (!$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $request->getPayload()->getString($attribute->tokenKey)))) {
+            $tokenValue = $this->getTokenValue($request, $attribute->tokenSource, $attribute->tokenKey);
+            if (
+                null === $tokenValue
+                || !$this->csrfTokenManager->isTokenValid(new CsrfToken($id, $tokenValue))
+            ) {
                 throw new InvalidCsrfTokenException('Invalid CSRF token.');
             }
         }
@@ -74,4 +78,25 @@ private function getTokenId(string|Expression $id, Request $request, array $argu
             'args' => $arguments,
         ]);
     }
+
+    private function getTokenValue(Request $request, int $tokenSource, string $tokenKey): ?string
+    {
+        $sources = [
+            IsCsrfTokenValid::SOURCE_PAYLOAD => static fn () => $request->getPayload()->get($tokenKey),
+            IsCsrfTokenValid::SOURCE_QUERY => static fn () => $request->query->get($tokenKey),
+            IsCsrfTokenValid::SOURCE_HEADER => static fn () => $request->headers->get($tokenKey),
+        ];
+
+        foreach ($sources as $source => $getter) {
+            if (!($tokenSource & $source)) {
+                continue;
+            }
+
+            if (null !== $token = $getter()) {
+                return $token;
+            }
+        }
+
+        return null;
+    }
 }

RememberMe/PersistentRememberMeHandler.php

@@ -65,51 +65,51 @@ public function consumeRememberMeCookie(RememberMeDetails $rememberMeDetails): U
         }
 
         [$series, $tokenValue] = explode(':', $rememberMeDetails->getValue(), 2);
-        $persistentToken = $this->tokenProvider->loadTokenBySeries($series);
+        $token = $this->tokenProvider->loadTokenBySeries($series);
 
-        if ($persistentToken->getUserIdentifier() !== $rememberMeDetails->getUserIdentifier() || $persistentToken->getClass() !== $rememberMeDetails->getUserFqcn()) {
+        if ($token->getUserIdentifier() !== $rememberMeDetails->getUserIdentifier()) {
             throw new AuthenticationException('The cookie\'s hash is invalid.');
         }
 
         // content of $rememberMeDetails is not trustable. this prevents use of this class
         unset($rememberMeDetails);
 
         if ($this->tokenVerifier) {
-            $isTokenValid = $this->tokenVerifier->verifyToken($persistentToken, $tokenValue);
+            $isTokenValid = $this->tokenVerifier->verifyToken($token, $tokenValue);
         } else {
-            $isTokenValid = hash_equals($persistentToken->getTokenValue(), $tokenValue);
+            $isTokenValid = hash_equals($token->getTokenValue(), $tokenValue);
         }
         if (!$isTokenValid) {
             throw new CookieTheftException('This token was already used. The account is possibly compromised.');
         }
 
-        $expires = $persistentToken->getLastUsed()->getTimestamp() + $this->options['lifetime'];
+        $expires = $token->getLastUsed()->getTimestamp() + $this->options['lifetime'];
         if ($expires < time()) {
             throw new AuthenticationException('The cookie has expired.');
         }
 
         return parent::consumeRememberMeCookie(new RememberMeDetails(
-            $persistentToken->getClass(),
-            $persistentToken->getUserIdentifier(),
+            method_exists($token, 'getClass') ? $token->getClass(false) : '',
+            $token->getUserIdentifier(),
             $expires,
-            $persistentToken->getLastUsed()->getTimestamp().':'.$series.':'.$tokenValue.':'.$persistentToken->getClass()
+            $token->getLastUsed()->getTimestamp().':'.$series.':'.$tokenValue.':'.(method_exists($token, 'getClass') ? $token->getClass(false) : '')
         ));
     }
 
     public function processRememberMe(RememberMeDetails $rememberMeDetails, UserInterface $user): void
     {
         [$lastUsed, $series, $tokenValue, $class] = explode(':', $rememberMeDetails->getValue(), 4);
-        $persistentToken = new PersistentToken($class, $rememberMeDetails->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable('@'.$lastUsed));
+        $token = new PersistentToken($class, $rememberMeDetails->getUserIdentifier(), $series, $tokenValue, new \DateTimeImmutable('@'.$lastUsed));
 
         // if a token was regenerated less than a minute ago, there is no need to regenerate it
         // if multiple concurrent requests reauthenticate a user we do not want to update the token several times
-        if ($persistentToken->getLastUsed()->getTimestamp() + 60 >= time()) {
+        if ($token->getLastUsed()->getTimestamp() + 60 >= time()) {
             return;
         }
 
         $tokenValue = strtr(base64_encode(random_bytes(33)), '+/=', '-_~');
         $tokenLastUsed = new \DateTime();
-        $this->tokenVerifier?->updateExistingToken($persistentToken, $tokenValue, $tokenLastUsed);
+        $this->tokenVerifier?->updateExistingToken($token, $tokenValue, $tokenLastUsed);
         $this->tokenProvider->updateToken($series, $tokenValue, $tokenLastUsed);
 
         $this->createCookie($rememberMeDetails->withValue($series.':'.$tokenValue));

RememberMe/RememberMeDetails.php

@@ -46,9 +46,9 @@ public static function fromRawCookie(string $rawCookie): self
         return new static(...$cookieParts);
     }
 
-    public static function fromPersistentToken(PersistentToken $persistentToken, int $expires): self
+    public static function fromPersistentToken(PersistentToken $token, int $expires): self
     {
-        return new static($persistentToken->getClass(), $persistentToken->getUserIdentifier(), $expires, $persistentToken->getSeries().':'.$persistentToken->getTokenValue());
+        return new static(method_exists($token, 'getClass') ? $token->getClass(false) : '', $token->getUserIdentifier(), $expires, $token->getSeries().':'.$token->getTokenValue());
     }
 
     public function withValue(string $value): self
@@ -59,8 +59,13 @@ public function withValue(string $value): self
         return $details;
     }
 
+    /**
+     * @deprecated since Symfony 7.4, the user FQCN will be removed from the remember-me cookie in 8.0
+     */
     public function getUserFqcn(): string
     {
+        trigger_deprecation('symfony/security-http', '7.4', 'The "%s()" method is deprecated: the user FQCN will be removed from the remember-me cookie in 8.0.', __METHOD__);
+
         return $this->userFqcn;
     }
 

Tests/EventListener/IsCsrfTokenValidAttributeListenerTest.php

@@ -11,6 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Tests\EventListener;
 
+use PHPUnit\Framework\Attributes\DataProvider;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\ExpressionLanguage\Expression;
 use Symfony\Component\ExpressionLanguage\ExpressionLanguage;
@@ -90,7 +91,7 @@ public function testIsCsrfTokenValidCalledCorrectly()
 
     public function testIsCsrfTokenValidCalledCorrectlyInPayload()
     {
-        $request = new Request(server: ['headers' => ['content-type' => 'application/json']], content: json_encode(['_token' => 'bar']));
+        $request = new Request(server: ['CONTENT_TYPE' => 'application/json'], content: json_encode(['_token' => 'bar']));
 
         $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
         $csrfTokenManager->expects($this->once())
@@ -163,15 +164,15 @@ public function testIsCsrfTokenValidCalledCorrectlyWithCustomTokenKey()
         $listener->onKernelControllerArguments($event);
     }
 
-    public function testIsCsrfTokenValidCalledCorrectlyWithInvalidTokenKey()
+    public function testIsCsrfTokenValidThrowExceptionWhenInvalidMatchingToken()
     {
+        $this->expectException(InvalidCsrfTokenException::class);
+
         $request = new Request(request: ['_token' => 'bar']);
 
         $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
-        $csrfTokenManager->expects($this->once())
-            ->method('isTokenValid')
-            ->with(new CsrfToken('foo', ''))
-            ->willReturn(true);
+        $csrfTokenManager->expects($this->never())
+            ->method('isTokenValid');
 
         $event = new ControllerArgumentsEvent(
             $this->createMock(HttpKernelInterface::class),
@@ -185,15 +186,13 @@ public function testIsCsrfTokenValidCalledCorrectlyWithInvalidTokenKey()
         $listener->onKernelControllerArguments($event);
     }
 
-    public function testExceptionWhenInvalidToken()
+    public function testIsCsrfTokenValidThrowExceptionWhenMissingRequestToken()
     {
         $this->expectException(InvalidCsrfTokenException::class);
 
         $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
-        $csrfTokenManager->expects($this->once())
-            ->method('isTokenValid')
-            ->withAnyParameters()
-            ->willReturn(false);
+        $csrfTokenManager->expects($this->never())
+            ->method('isTokenValid');
 
         $event = new ControllerArgumentsEvent(
             $this->createMock(HttpKernelInterface::class),
@@ -237,8 +236,7 @@ public function testIsCsrfTokenValidIgnoredWithNonMatchingMethod()
 
         $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
         $csrfTokenManager->expects($this->never())
-            ->method('isTokenValid')
-            ->with(new CsrfToken('foo', 'bar'));
+            ->method('isTokenValid');
 
         $event = new ControllerArgumentsEvent(
             $this->createMock(HttpKernelInterface::class),
@@ -275,15 +273,14 @@ public function testIsCsrfTokenValidCalledCorrectlyWithGetOrPostMethodWithGetMet
         $listener->onKernelControllerArguments($event);
     }
 
-    public function testIsCsrfTokenValidNoIgnoredWithGetOrPostMethodWithPutMethod()
+    public function testIsCsrfTokenValidIgnoredWithGetOrPostMethodWithPutMethod()
     {
         $request = new Request(request: ['_token' => 'bar']);
         $request->setMethod('PUT');
 
         $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
         $csrfTokenManager->expects($this->never())
-            ->method('isTokenValid')
-            ->with(new CsrfToken('foo', 'bar'));
+            ->method('isTokenValid');
 
         $event = new ControllerArgumentsEvent(
             $this->createMock(HttpKernelInterface::class),
@@ -297,18 +294,16 @@ public function testIsCsrfTokenValidNoIgnoredWithGetOrPostMethodWithPutMethod()
         $listener->onKernelControllerArguments($event);
     }
 
-    public function testIsCsrfTokenValidCalledCorrectlyWithInvalidTokenKeyAndPostMethod()
+    public function testIsCsrfTokenValidThrowExceptionWithInvalidTokenKeyAndPostMethod()
     {
         $this->expectException(InvalidCsrfTokenException::class);
 
         $request = new Request(request: ['_token' => 'bar']);
         $request->setMethod('POST');
 
         $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
-        $csrfTokenManager->expects($this->once())
-            ->method('isTokenValid')
-            ->withAnyParameters()
-            ->willReturn(false);
+        $csrfTokenManager->expects($this->never())
+            ->method('isTokenValid');
 
         $event = new ControllerArgumentsEvent(
             $this->createMock(HttpKernelInterface::class),
@@ -329,8 +324,7 @@ public function testIsCsrfTokenValidIgnoredWithInvalidTokenKeyAndUnavailableMeth
 
         $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
         $csrfTokenManager->expects($this->never())
-            ->method('isTokenValid')
-            ->withAnyParameters();
+            ->method('isTokenValid');
 
         $event = new ControllerArgumentsEvent(
             $this->createMock(HttpKernelInterface::class),
@@ -343,4 +337,63 @@ public function testIsCsrfTokenValidIgnoredWithInvalidTokenKeyAndUnavailableMeth
         $listener = new IsCsrfTokenValidAttributeListener($csrfTokenManager);
         $listener->onKernelControllerArguments($event);
     }
+
+    #[DataProvider('provideTokenSourceScenarios')]
+    public function testIsCsrfTokenValidCalledCorrectlyWithCustomTokenSource(Request $request, string $attributeMethod, string $expectedTokenValue)
+    {
+        $csrfTokenManager = $this->createMock(CsrfTokenManagerInterface::class);
+        $csrfTokenManager->expects($this->once())
+            ->method('isTokenValid')
+            ->with(new CsrfToken('foo', $expectedTokenValue))
+            ->willReturn(true);
+
+        $event = new ControllerArgumentsEvent(
+            $this->createMock(HttpKernelInterface::class),
+            [new IsCsrfTokenValidAttributeMethodsController(), $attributeMethod],
+            [],
+            $request,
+            null
+        );
+
+        $listener = new IsCsrfTokenValidAttributeListener($csrfTokenManager);
+        $listener->onKernelControllerArguments($event);
+    }
+
+    public static function provideTokenSourceScenarios(): \Generator
+    {
+        yield 'tokenSource Payload (default)' => [
+            new Request(
+                request: ['_token' => 'bar_payload'],
+                query: ['_token' => 'bar_query']
+            ),
+            'withDefaultTokenKey',
+            'bar_payload',
+        ];
+        yield 'tokenSource Query' => [
+            new Request(
+                request: ['_token' => 'bar_payload'],
+                query: ['_token' => 'bar_query']
+            ),
+            'withCustomTokenSourceQuery',
+            'bar_query',
+        ];
+        yield 'tokenSource Query|Payload' => [
+            new Request(
+                server: ['CONTENT_TYPE' => 'application/json'],
+                content: json_encode(['_token' => 'bar_payload']),
+                query: ['_token' => 'bar_query']
+            ),
+            'withCustomTokenSourceQueryPayload',
+            'bar_payload',
+        ];
+        yield 'tokenSource Header and custom sourceToken' => [
+            new Request(
+                server: ['HTTP_MY_TOKEN_KEY' => 'bar_header'],
+                request: ['my_token_key' => 'bar_payload'],
+                query: ['my_token_key' => 'bar_query']
+            ),
+            'withCustomTokenSourceHeaderAndCustomSourceToken',
+            'bar_header',
+        ];
+    }
 }

Tests/Fixtures/IsCsrfTokenValidAttributeMethodsController.php

@@ -59,4 +59,19 @@ public function withGetOrPostMethod()
     public function withPostMethodAndInvalidTokenKey()
     {
     }
+
+    #[IsCsrfTokenValid('foo', tokenSource: IsCsrfTokenValid::SOURCE_QUERY)]
+    public function withCustomTokenSourceQuery()
+    {
+    }
+
+    #[IsCsrfTokenValid('foo', tokenSource: IsCsrfTokenValid::SOURCE_QUERY | IsCsrfTokenValid::SOURCE_PAYLOAD)]
+    public function withCustomTokenSourceQueryPayload()
+    {
+    }
+
+    #[IsCsrfTokenValid('foo', tokenKey: 'my_token_key', tokenSource: IsCsrfTokenValid::SOURCE_HEADER)]
+    public function withCustomTokenSourceHeaderAndCustomSourceToken()
+    {
+    }
 }

Tests/RememberMe/PersistentRememberMeHandlerTest.php

@@ -50,9 +50,7 @@ public function testCreateRememberMeCookie()
     {
         $this->tokenProvider->expects($this->once())
             ->method('createNewToken')
-            ->with($this->callback(fn ($persistentToken) => $persistentToken instanceof PersistentToken
-                && 'wouter' === $persistentToken->getUserIdentifier()
-                && InMemoryUser::class === $persistentToken->getClass()));
+            ->with($this->callback(fn ($token) => $token instanceof PersistentToken && 'wouter' === $token->getUserIdentifier()));
 
         $this->handler->createRememberMeCookie(new InMemoryUser('wouter', null));
     }