Skip to content

[Security] Remove deprecated RememberMeToken::getSecret() and RememberMeToken's $secret property #61011

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: 8.0
Choose a base branch
from
Open

[Security] Remove deprecated RememberMeToken::getSecret() and RememberMeToken's $secret property #61011

wants to merge 5 commits into from
+10 −61

Conversation

ktherage
Copy link
Contributor

@ktherage ktherage commented Jul 1, 2025
edited by alexandre-daubois
Loading

Q A
Branch? 8.0
Bug fix? no
New feature? yes
Deprecations? no
Issues --
License MIT

@ktherage ktherage requested a review from chalasr as a code owner July 1, 2025 09:44
@carsonbot carsonbot added this to the 8.0 milestone Jul 1, 2025
@ktherage ktherage changed the title [Security] Removal deprecated RememberMeToken::getSecret() and RememberMeToken's secret property [Security] Removal deprecated RememberMeToken::getSecret() and RememberMeToken's $secret property Jul 1, 2025
OskarStark
OskarStark reviewed Jul 1, 2025
View reviewed changes
src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php Outdated
public function __serialize(): array
{
// $this->firewallName should be kept at index 1 for compatibility with payloads generated before Symfony 8
return [$this->secret, $this->firewallName, parent::__serialize()];
// Newly serialized data removes the secret deprecated since Symfony 7.2 and removed in Symfony 8.0
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

to be removed?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Maybe

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

You mean the comment ? or the method ?

@ktherage ktherage force-pushed the RememberMeToken-bc-layer-removal branch 2 times, most recently from 002f9c9 to 63e71e7 Compare July 1, 2025 13:33
@alexandre-daubois alexandre-daubois changed the title [Security] Removal deprecated RememberMeToken::getSecret() and RememberMeToken's $secret property [Security] Remove deprecated RememberMeToken::getSecret() and RememberMeToken's $secret property Jul 2, 2025
alexandre-daubois
alexandre-daubois approved these changes Jul 2, 2025
View reviewed changes
Copy link
Member

@alexandre-daubois alexandre-daubois left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

After the discussion with Oskar is resolved 🙂

@welcoMattic welcoMattic added the BC Layer removal Used to track BC layer removals before a major release label Jul 4, 2025
welcoMattic
welcoMattic reviewed Jul 4, 2025
View reviewed changes
src/Symfony/Component/Security/Core/Authentication/Token/RememberMeToken.php
}

public function __unserialize(array $data): void
{
[$this->secret, $this->firewallName, $parentData] = $data;
// BC Layer with payloads generated before Symfony 8.0
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
// BC Layer with payloads generated before Symfony 8.0
// BC Layer with payloads generated before Symfony 8.0, to be removed in Symfony 9.0

Is it ok to keep such a BC Layer here? @OskarStark @stof

xabbuh
xabbuh requested changes Jul 6, 2025
View reviewed changes
Copy link
Member

@xabbuh xabbuh left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think the constructor of the RememberMeAuthenticator class also has to be updated

@ktherage
Copy link
Contributor Author

ktherage commented Jul 7, 2025

I think the constructor of the RememberMeAuthenticator class also has to be updated

In which way ? I've removed the deprecation notice there : https://github.com/symfony/symfony/pull/61011/files#diff-8cdcb3fe63f51aca31c4a5869e39ffdfcc793d9d855df4498528a56e1bbd32cdL35-L39.

Is there something I missed updating this ?

@xabbuh
Copy link
Member

xabbuh commented Jul 7, 2025

@ktherage That's the token, but there also is an authenticator class.

@ktherage ktherage force-pushed the RememberMeToken-bc-layer-removal branch from 799ce91 to 9767a2a Compare July 7, 2025 09:38
@ktherage
Copy link
Contributor Author

ktherage commented Jul 7, 2025

@xabbuh I did it and rebased. Sorry for this forgetfulness.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@welcoMattic welcoMattic welcoMattic left review comments

@OskarStark OskarStark OskarStark left review comments

@xabbuh xabbuh xabbuh requested changes

@alexandre-daubois alexandre-daubois alexandre-daubois approved these changes

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
BC Layer removal Used to track BC layer removals before a major release Security Status: Needs Work
Projects
None yet
Milestone
8.0
Development

Successfully merging this pull request may close these issues.
6 participants
@ktherage @xabbuh @welcoMattic @OskarStark @alexandre-daubois @carsonbot