[Security] Deprecate AnonymousToken, non-UserInterface users, and token credentials

Author: wouterj

Authenticator/FormLoginAuthenticator.php

@@ -120,7 +120,7 @@ public function createAuthenticatedToken(PassportInterface $passport, string $fi
      */
     public function createToken(Passport $passport, string $firewallName): TokenInterface
     {
-        return new UsernamePasswordToken($passport->getUser(), null, $firewallName, $passport->getUser()->getRoles());
+        return new UsernamePasswordToken($passport->getUser(), $firewallName, $passport->getUser()->getRoles());
     }
 
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response

Authenticator/JsonLoginAuthenticator.php

@@ -122,7 +122,7 @@ public function createAuthenticatedToken(PassportInterface $passport, string $fi
 
     public function createToken(Passport $passport, string $firewallName): TokenInterface
     {
-        return new UsernamePasswordToken($passport->getUser(), null, $firewallName, $passport->getUser()->getRoles());
+        return new UsernamePasswordToken($passport->getUser(), $firewallName, $passport->getUser()->getRoles());
     }
 
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $firewallName): ?Response

Controller/UserValueResolver.php

@@ -49,6 +49,7 @@ public function supports(Request $request, ArgumentMetadata $argument): bool
         $user = $token->getUser();
 
         // in case it's not an object we cannot do anything with it; E.g. "anon."
+        // @deprecated since 5.4
         return $user instanceof UserInterface;
     }
 

EventListener/UserCheckerListener.php

@@ -46,6 +46,7 @@ public function preCheckCredentials(CheckPassportEvent $event): void
     public function postCheckCredentials(AuthenticationSuccessEvent $event): void
     {
         $user = $event->getAuthenticationToken()->getUser();
+        // @deprecated since 5.4, $user will always be an UserInterface instance
         if (!$user instanceof UserInterface) {
             return;
         }

Firewall/SwitchUserListener.php

@@ -190,7 +190,7 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
         $roles = $user->getRoles();
         $roles[] = 'ROLE_PREVIOUS_ADMIN';
         $originatedFromUri = str_replace('/&', '/?', preg_replace('#[&?]'.$this->usernameParameter.'=[^&]*#', '', $request->getRequestUri()));
-        $token = new SwitchUserToken($user, $user->getPassword(), $this->firewallName, $roles, $token, $originatedFromUri);
+        $token = new SwitchUserToken($user, $this->firewallName, $roles, $token, $originatedFromUri);
 
         if (null !== $this->dispatcher) {
             $switchEvent = new SwitchUserEvent($request, $token->getUser(), $token);

Logout/LogoutUrlGenerator.php

@@ -132,6 +132,7 @@ private function getListener(?string $key): array
         if (null !== $this->tokenStorage) {
             $token = $this->tokenStorage->getToken();
 
+            // @deprecated since 5.4
             if ($token instanceof AnonymousToken) {
                 throw new \InvalidArgumentException('Unable to generate a logout url for an anonymous token.');
             }

Tests/Authentication/AuthenticatorManagerTest.php

@@ -159,7 +159,7 @@ public function testAllRequiredBadgesPresent()
         $csrfBadge = new CsrfTokenBadge('csrfid', 'csrftoken');
         $csrfBadge->markResolved();
         $authenticator->expects($this->any())->method('authenticate')->willReturn(new SelfValidatingPassport(new UserBadge('wouter'), [$csrfBadge]));
-        $authenticator->expects($this->any())->method('createToken')->willReturn(new UsernamePasswordToken($this->user, null, 'main'));
+        $authenticator->expects($this->any())->method('createToken')->willReturn(new UsernamePasswordToken($this->user, 'main'));
 
         $authenticator->expects($this->once())->method('onAuthenticationSuccess');
 

Tests/Authenticator/RememberMeAuthenticatorTest.php

@@ -38,7 +38,7 @@ protected function setUp(): void
 
     public function testSupportsTokenStorageWithToken()
     {
-        $this->tokenStorage->setToken(new UsernamePasswordToken('username', 'credentials', 'main'));
+        $this->tokenStorage->setToken(new UsernamePasswordToken(new InMemoryUser('username', 'credentials'), 'main'));
 
         $this->assertFalse($this->authenticator->supports(Request::create('/')));
     }

Tests/Controller/UserValueResolverTest.php

@@ -18,6 +18,7 @@
 use Symfony\Component\HttpKernel\ControllerMetadata\ArgumentMetadata;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Attribute\CurrentUser;
 use Symfony\Component\Security\Http\Controller\UserValueResolver;
@@ -36,7 +37,7 @@ public function testResolveNoToken()
     public function testResolveNoUser()
     {
         $mock = $this->createMock(UserInterface::class);
-        $token = new UsernamePasswordToken('username', 'password', 'provider');
+        $token = new UsernamePasswordToken(new InMemoryUser('username', 'password'), 'provider');
         $tokenStorage = new TokenStorage();
         $tokenStorage->setToken($token);
 
@@ -57,8 +58,8 @@ public function testResolveWrongType()
 
     public function testResolve()
     {
-        $user = $this->createMock(UserInterface::class);
-        $token = new UsernamePasswordToken($user, 'password', 'provider');
+        $user = new InMemoryUser('username', 'password');
+        $token = new UsernamePasswordToken($user, 'provider');
         $tokenStorage = new TokenStorage();
         $tokenStorage->setToken($token);
 
@@ -71,8 +72,8 @@ public function testResolve()
 
     public function testResolveWithAttribute()
     {
-        $user = $this->createMock(UserInterface::class);
-        $token = new UsernamePasswordToken($user, 'password', 'provider');
+        $user = new InMemoryUser('username', 'password');
+        $token = new UsernamePasswordToken($user, 'provider');
         $tokenStorage = new TokenStorage();
         $tokenStorage->setToken($token);
 
@@ -87,7 +88,6 @@ public function testResolveWithAttribute()
     public function testResolveWithAttributeAndNoUser()
     {
         $tokenStorage = new TokenStorage();
-        $tokenStorage->setToken(new UsernamePasswordToken('username', 'password', 'provider'));
 
         $resolver = new UserValueResolver($tokenStorage);
         $metadata = new ArgumentMetadata('foo', null, false, false, null, false, [new CurrentUser()]);
@@ -97,8 +97,8 @@ public function testResolveWithAttributeAndNoUser()
 
     public function testIntegration()
     {
-        $user = $this->createMock(UserInterface::class);
-        $token = new UsernamePasswordToken($user, 'password', 'provider');
+        $user = new InMemoryUser('username', 'password');
+        $token = new UsernamePasswordToken($user, 'provider');
         $tokenStorage = new TokenStorage();
         $tokenStorage->setToken($token);
 
@@ -108,9 +108,7 @@ public function testIntegration()
 
     public function testIntegrationNoUser()
     {
-        $token = new UsernamePasswordToken('username', 'password', 'provider');
         $tokenStorage = new TokenStorage();
-        $tokenStorage->setToken($token);
 
         $argumentResolver = new ArgumentResolver(null, [new UserValueResolver($tokenStorage), new DefaultValueResolver()]);
         $this->assertSame([null], $argumentResolver->getArguments(Request::create('/'), function (UserInterface $user = null) {}));

Tests/EventListener/UserCheckerListenerTest.php

@@ -66,11 +66,14 @@ public function testPostAuthValidCredentials()
         $this->listener->postCheckCredentials(new AuthenticationSuccessEvent(new PostAuthenticationToken($this->user, 'main', [])));
     }
 
+    /**
+     * @group legacy
+     */
     public function testPostAuthNoUser()
     {
         $this->userChecker->expects($this->never())->method('checkPostAuth');
 
-        $this->listener->postCheckCredentials(new AuthenticationSuccessEvent(new PreAuthenticatedToken('nobody', null, 'main')));
+        $this->listener->postCheckCredentials(new AuthenticationSuccessEvent(new PreAuthenticatedToken('nobody', 'main')));
     }
 
     private function createCheckPassportEvent($passport = null)

Tests/Firewall/AccessListenerTest.php

@@ -307,7 +307,7 @@ public function testHandleWhenPublicAccessIsAllowed()
 
     public function testHandleWhenPublicAccessWhileAuthenticated()
     {
-        $token = new UsernamePasswordToken(new InMemoryUser('Wouter', null, ['ROLE_USER']), null, 'main', ['ROLE_USER']);
+        $token = new UsernamePasswordToken(new InMemoryUser('Wouter', null, ['ROLE_USER']), 'main', ['ROLE_USER']);
         $tokenStorage = new TokenStorage();
         $tokenStorage->setToken($token);
         $request = new Request();
@@ -347,7 +347,7 @@ public function testHandleMWithultipleAttributesShouldBeHandledAsAnd()
             ->willReturn([['foo' => 'bar', 'bar' => 'baz'], null])
         ;
 
-        $authenticatedToken = new UsernamePasswordToken('test', 'test', 'test', ['ROLE_USER']);
+        $authenticatedToken = new UsernamePasswordToken(new InMemoryUser('test', 'test', ['ROLE_USER']), 'test', ['ROLE_USER']);
 
         $tokenStorage = new TokenStorage();
         $tokenStorage->setToken($authenticatedToken);

Tests/Firewall/ContextListenerTest.php

@@ -63,7 +63,7 @@ public function testUserProvidersNeedToImplementAnInterface()
     public function testOnKernelResponseWillAddSession()
     {
         $session = $this->runSessionOnKernelResponse(
-            new UsernamePasswordToken('test1', 'pass1', 'phpunit'),
+            new UsernamePasswordToken(new InMemoryUser('test1', 'pass1'), 'phpunit'),
             null
         );
 
@@ -75,7 +75,7 @@ public function testOnKernelResponseWillAddSession()
     public function testOnKernelResponseWillReplaceSession()
     {
         $session = $this->runSessionOnKernelResponse(
-            new UsernamePasswordToken('test1', 'pass1', 'phpunit'),
+            new UsernamePasswordToken(new InMemoryUser('test1', 'pass1'), 'phpunit'),
             'C:10:"serialized"'
         );
 
@@ -94,6 +94,9 @@ public function testOnKernelResponseWillRemoveSession()
         $this->assertFalse($session->has('_security_session'));
     }
 
+    /**
+     * @group legacy
+     */
     public function testOnKernelResponseWillRemoveSessionOnAnonymousToken()
     {
         $session = $this->runSessionOnKernelResponse(new AnonymousToken('secret', 'anon.'), 'C:10:"serialized"');
@@ -104,7 +107,7 @@ public function testOnKernelResponseWillRemoveSessionOnAnonymousToken()
     public function testOnKernelResponseWithoutSession()
     {
         $tokenStorage = new TokenStorage();
-        $tokenStorage->setToken(new UsernamePasswordToken('test1', 'pass1', 'phpunit'));
+        $tokenStorage->setToken(new UsernamePasswordToken(new InMemoryUser('test1', 'pass1'), 'phpunit'));
         $request = new Request();
         $request->attributes->set('_security_firewall_run', '_security_session');
         $session = new Session(new MockArraySessionStorage());
@@ -299,7 +302,7 @@ public function testDeauthenticatedEvent()
 
         $user = new InMemoryUser('foo', 'bar');
         $session = new Session(new MockArraySessionStorage());
-        $session->set('_security_context_key', serialize(new UsernamePasswordToken($user, '', 'context_key', ['ROLE_USER'])));
+        $session->set('_security_context_key', serialize(new UsernamePasswordToken($user, 'context_key', ['ROLE_USER'])));
 
         $request = new Request();
         $request->setSession($session);
@@ -403,7 +406,7 @@ private function handleEventWithPreviousSession($userProviders, UserInterface $u
     {
         $tokenUser = $user ?? new InMemoryUser('foo', 'bar');
         $session = new Session(new MockArraySessionStorage());
-        $session->set('_security_context_key', serialize(new UsernamePasswordToken($tokenUser, '', 'context_key', ['ROLE_USER'])));
+        $session->set('_security_context_key', serialize(new UsernamePasswordToken($tokenUser, 'context_key', ['ROLE_USER'])));
 
         $request = new Request();
         $request->setSession($session);

Tests/Logout/LogoutUrlGeneratorTest.php

@@ -17,6 +17,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
 use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorage;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 
 /**
@@ -57,12 +58,15 @@ public function testGetLogoutPathWithoutLogoutListenerRegisteredForKeyThrowsExce
 
     public function testGuessFromToken()
     {
-        $this->tokenStorage->setToken(new UsernamePasswordToken('user', 'password', 'secured_area'));
+        $this->tokenStorage->setToken(new UsernamePasswordToken(new InMemoryUser('user', 'password'), 'secured_area'));
         $this->generator->registerListener('secured_area', '/logout', null, null);
 
         $this->assertSame('/logout', $this->generator->getLogoutPath());
     }
 
+    /**
+     * @group legacy
+     */
     public function testGuessFromAnonymousTokenThrowsException()
     {
         $this->expectException(\InvalidArgumentException::class);
@@ -90,7 +94,7 @@ public function testGuessFromCurrentFirewallContext()
 
     public function testGuessFromTokenWithoutFirewallNameFallbacksToCurrentFirewall()
     {
-        $this->tokenStorage->setToken(new UsernamePasswordToken('username', 'password', 'provider'));
+        $this->tokenStorage->setToken(new UsernamePasswordToken(new InMemoryUser('username', 'password'), 'provider'));
         $this->generator->registerListener('secured_area', '/logout', null, null);
         $this->generator->setCurrentFirewall('secured_area');
 

composer.json

@@ -18,7 +18,7 @@
     "require": {
         "php": ">=7.2.5",
         "symfony/deprecation-contracts": "^2.1",
-        "symfony/security-core": "^5.3|^6.0",
+        "symfony/security-core": "^5.4|^6.0",
         "symfony/http-foundation": "^5.3|^6.0",
         "symfony/http-kernel": "^5.3|^6.0",
         "symfony/polyfill-mbstring": "~1.0",