symfony
diff --git a/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php
Lines changed: 2 additions & 3 deletions b/‎src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/FormLoginFactory.php
Lines changed: 2 additions & 3 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.xml
Lines changed: 0 additions & 2 deletions b/‎src/Symfony/Bundle/SecurityBundle/Resources/config/security_authenticator.xml
Lines changed: 0 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php
Lines changed: 5 additions & 24 deletions b/‎src/Symfony/Component/Security/Http/Authentication/AuthenticatorManager.php
Lines changed: 5 additions & 24 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
Lines changed: 2 additions & 8 deletions b/‎src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php
Lines changed: 2 additions & 8 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/HttpBasicAuthenticator.php
Lines changed: 1 addition & 4 deletions b/‎src/Symfony/Component/Security/Http/Authenticator/HttpBasicAuthenticator.php
Lines changed: 1 addition & 4 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php
Lines changed: 14 additions & 13 deletions b/‎src/Symfony/Component/Security/Http/Authenticator/RememberMeAuthenticator.php
Lines changed: 14 additions & 13 deletions
diff --git a/‎src/Symfony/Component/Security/Http/EventListener/PasswordMigratingListener.php
Lines changed: 3 additions & 3 deletions b/‎src/Symfony/Component/Security/Http/EventListener/PasswordMigratingListener.php
Lines changed: 3 additions & 3 deletions
diff --git a/‎src/Symfony/Component/Security/Http/EventListener/RememberMeListener.php
Lines changed: 12 additions & 4 deletions b/‎src/Symfony/Component/Security/Http/EventListener/RememberMeListener.php
Lines changed: 12 additions & 4 deletions
diff --git a/‎src/Symfony/Component/Security/Http/EventListener/UserCheckerListener.php
Lines changed: 8 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/EventListener/UserCheckerListener.php
Lines changed: 8 additions & 0 deletions
diff --git a/‎src/Symfony/Component/Security/Http/EventListener/VerifyAuthenticatorCredentialsListener.php
Lines changed: 4 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/EventListener/VerifyAuthenticatorCredentialsListener.php
Lines changed: 4 additions & 0 deletions
@@ -104,9 +104,8 @@ public function createAuthenticator(ContainerBuilder $container, string $id, arr
         $options = array_merge($defaultOptions, array_intersect_key($config, $defaultOptions));
         $container
             ->setDefinition($authenticatorId, new ChildDefinition('security.authenticator.form_login'))
-            ->replaceArgument(1, isset($config['csrf_token_generator']) ? new Reference($config['csrf_token_generator']) : null)
-            ->replaceArgument(2, new Reference($userProviderId))
-            ->replaceArgument(3, $options);
+            ->replaceArgument(1, new Reference($userProviderId))
+            ->replaceArgument(2, $options);
 
         return $authenticatorId;
     }
 
@@ -84,15 +84,13 @@
                  abstract="true">
             <argument type="abstract">realm name</argument>
             <argument type="abstract">user provider</argument>
-            <argument type="service" id="security.encoder_factory" />
             <argument type="service" id="logger" on-invalid="null" />
         </service>
 
         <service id="security.authenticator.form_login"
                  class="Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator"
                  abstract="true">
             <argument type="service" id="security.http_utils" />
-            <argument /> <!-- csrf token generator -->
             <argument type="abstract">user provider</argument>
             <argument type="abstract">options</argument>
         </service>
 
@@ -23,7 +23,6 @@
 use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
-use Symfony\Component\Security\Http\Authenticator\Token\PreAuthenticationToken;
 use Symfony\Component\Security\Http\Event\InteractiveLoginEvent;
 use Symfony\Component\Security\Http\Event\LoginFailureEvent;
 use Symfony\Component\Security\Http\Event\LoginSuccessEvent;
@@ -40,8 +39,6 @@
  */
 class AuthenticatorManager implements AuthenticatorManagerInterface, UserAuthenticatorInterface
 {
-    use AuthenticatorManagerTrait;
-
     private $authenticators;
     private $tokenStorage;
     private $eventDispatcher;
@@ -131,7 +128,9 @@ private function executeAuthenticators(array $authenticators, Request $request):
             // lazily (after initialization). This is important for e.g. the AnonymousAuthenticator
             // as its support is relying on the (initialized) token in the TokenStorage.
             if (false === $authenticator->supports($request)) {
-                $this->logger->debug('Skipping the "{authenticator}" authenticator as it did not support the request.', ['authenticator' => \get_class($authenticator)]);
+                if (null !== $this->logger) {
+                    $this->logger->debug('Skipping the "{authenticator}" authenticator as it did not support the request.', ['authenticator' => \get_class($authenticator)]);
+                }
                 continue;
             }
 
@@ -215,21 +214,14 @@ private function authenticateViaAuthenticator(AuthenticatorInterface $authentica
             throw new UsernameNotFoundException(sprintf('Null returned from "%s::getUser()".', \get_class($authenticator)));
         }
 
-        if (!$user instanceof UserInterface) {
-            throw new \UnexpectedValueException(sprintf('The %s::getUser() method must return a UserInterface. You returned %s.', \get_class($authenticator), \is_object($user) ? \get_class($user) : \gettype($user)));
-        }
-
         $event = new VerifyAuthenticatorCredentialsEvent($authenticator, $credentials, $user);
         $this->eventDispatcher->dispatch($event);
         if (true !== $event->areCredentialsValid()) {
             throw new BadCredentialsException(sprintf('Authentication failed because "%s" did not approve the credentials.', \get_class($authenticator)));
         }
 
-//         turn the UserInterface into a TokenInterface
+        // turn the UserInterface into a TokenInterface
         $authenticatedToken = $authenticator->createAuthenticatedToken($user, $this->providerKey);
-        if (!$authenticatedToken instanceof TokenInterface) {
-            throw new \UnexpectedValueException(sprintf('The %s::createAuthenticatedToken() method must return a TokenInterface. You returned %s.', \get_class($authenticator), \is_object($authenticatedToken) ? \get_class($authenticatedToken) : \gettype($authenticatedToken)));
-        }
 
         if (true === $this->eraseCredentials) {
             $authenticatedToken->eraseCredentials();
@@ -259,21 +251,10 @@ private function handleAuthenticationSuccess(TokenInterface $token, Request $req
         return $loginSuccessEvent->getResponse();
     }
 
-    private function handleAuthenticationFailure(AuthenticationException $exception, TokenInterface $token)
-    {
-        if (null !== $this->eventDispatcher) {
-            $this->eventDispatcher->dispatch(new AuthenticationFailureEvent($token, $exception), AuthenticationEvents::AUTHENTICATION_FAILURE);
-        }
-
-        $exception->setToken($token);
-
-        throw $exception;
-    }
-
     /**
      * Handles an authentication failure and returns the Response for the authenticator.
      */
-    private function handleAuthenticatorFailure(AuthenticationException $authenticationException, Request $request, AuthenticatorInterface $authenticator): ?Response
+    private function handleAuthenticationFailure(AuthenticationException $authenticationException, Request $request, AuthenticatorInterface $authenticator): ?Response
     {
         $response = $authenticator->onAuthenticationFailure($request, $authenticationException);
 
 
@@ -20,7 +20,6 @@
 use Symfony\Component\Security\Core\Security;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
-use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\ParameterBagUtils;
 use Symfony\Component\Security\Http\Util\TargetPathTrait;
@@ -38,13 +37,11 @@ class FormLoginAuthenticator extends AbstractLoginFormAuthenticator implements P
 
     private $options;
     private $httpUtils;
-    private $csrfTokenManager;
     private $userProvider;
 
-    public function __construct(HttpUtils $httpUtils, ?CsrfTokenManagerInterface $csrfTokenManager, UserProviderInterface $userProvider, array $options)
+    public function __construct(HttpUtils $httpUtils, UserProviderInterface $userProvider, array $options)
     {
         $this->httpUtils = $httpUtils;
-        $this->csrfTokenManager = $csrfTokenManager;
         $this->options = array_merge([
             'username_parameter' => '_username',
             'password_parameter' => '_password',
@@ -75,10 +72,7 @@ public function supports(Request $request): bool
     public function getCredentials(Request $request): array
     {
         $credentials = [];
-
-        if (null !== $this->csrfTokenManager) {
-            $credentials['csrf_token'] = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
-        }
+        $credentials['csrf_token'] = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
         if ($this->options['post_only']) {
             $credentials['username'] = ParameterBagUtils::getParameterBagValue($request->request, $this->options['username_parameter']);
 
@@ -16,7 +16,6 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
-use Symfony\Component\Security\Core\Encoder\EncoderFactoryInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
@@ -33,14 +32,12 @@ class HttpBasicAuthenticator implements AuthenticatorInterface, AuthenticationEn
 {
     private $realmName;
     private $userProvider;
-    private $encoderFactory;
     private $logger;
 
-    public function __construct(string $realmName, UserProviderInterface $userProvider, EncoderFactoryInterface $encoderFactory, ?LoggerInterface $logger = null)
+    public function __construct(string $realmName, UserProviderInterface $userProvider, ?LoggerInterface $logger = null)
     {
         $this->realmName = $realmName;
         $this->userProvider = $userProvider;
-        $this->encoderFactory = $encoderFactory;
         $this->logger = $logger;
     }
 
 
@@ -9,7 +9,7 @@
  * file that was distributed with this source code.
  */
 
-namespace Symfony\Component\Security\Http\Authenticator\Token;
+namespace Symfony\Component\Security\Http\Authenticator;
 
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
@@ -18,9 +18,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\User\UserInterface;
-use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices;
-use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
 
 /**
  * The RememberMe *Authenticator* performs remember me authentication.
@@ -35,21 +33,22 @@
  *
  * @final
  */
-class RememberMeAuthenticator implements AuthenticatorInterface
+class RememberMeAuthenticator implements AuthenticatorInterface, CustomAuthenticatedInterface
 {
     private $rememberMeServices;
     private $secret;
     private $tokenStorage;
-    private $options;
-    private $sessionStrategy;
+    private $options = [
+        'secure' => false,
+        'httponly' => true,
+    ];
 
-    public function __construct(AbstractRememberMeServices $rememberMeServices, string $secret, TokenStorageInterface $tokenStorage, array $options, ?SessionAuthenticationStrategy $sessionStrategy = null)
+    public function __construct(AbstractRememberMeServices $rememberMeServices, string $secret, TokenStorageInterface $tokenStorage, array $options)
     {
         $this->rememberMeServices = $rememberMeServices;
         $this->secret = $secret;
         $this->tokenStorage = $tokenStorage;
-        $this->options = $options;
-        $this->sessionStrategy = $sessionStrategy;
+        $this->options = array_merge($this->options, $options);
     }
 
     public function supports(Request $request): ?bool
@@ -87,6 +86,12 @@ public function getUser($credentials): ?UserInterface
         return $this->rememberMeServices->performLogin($credentials['cookie_parts'], $credentials['request']);
     }
 
+    public function checkCredentials($credentials, UserInterface $user): bool
+    {
+        // remember me always is valid (if a user could be found)
+        return true;
+    }
+
     public function createAuthenticatedToken(UserInterface $user, string $providerKey): TokenInterface
     {
         return new RememberMeToken($user, $providerKey, $this->secret);
@@ -101,10 +106,6 @@ public function onAuthenticationFailure(Request $request, AuthenticationExceptio
 
     public function onAuthenticationSuccess(Request $request, TokenInterface $token, string $providerKey): ?Response
     {
-        if ($request->hasSession() && $request->getSession()->isStarted()) {
-            $this->sessionStrategy->onAuthentication($request, $token);
-        }
-
         return null;
     }
 }
@@ -36,7 +36,7 @@ public function onCredentialsVerification(VerifyAuthenticatorCredentialsEvent $e
             return;
         }
 
-        if (null !== $password = $authenticator->getPassword($event->getCredentials())) {
+        if (null === $password = $authenticator->getPassword($event->getCredentials())) {
             return;
         }
 
@@ -46,11 +46,11 @@ public function onCredentialsVerification(VerifyAuthenticatorCredentialsEvent $e
         }
 
         $passwordEncoder = $this->encoderFactory->getEncoder($user);
-        if (!method_exists($passwordEncoder, 'needsRehash') || !$passwordEncoder->needsRehash($user)) {
+        if (!$passwordEncoder->needsRehash($user->getPassword())) {
             return;
         }
 
-        $authenticator->upgradePassword($user, $passwordEncoder->encodePassword($user, $password));
+        $authenticator->upgradePassword($user, $passwordEncoder->encodePassword($password, $user->getSalt()));
     }
 
     public static function getSubscribedEvents(): array
 
@@ -39,7 +39,15 @@ public function __construct(RememberMeServicesInterface $rememberMeServices, str
 
     public function onSuccessfulLogin(LoginSuccessEvent $event): void
     {
-        if (!$this->isRememberMeEnabled($event->getAuthenticator(), $event->getProviderKey())) {
+        if (!$this->isRememberMeEnabled($event->getProviderKey(), $event->getAuthenticator())) {
+            return;
+        }
+
+        if (null === $event->getResponse()) {
+            if (null !== $this->logger) {
+                $this->logger->debug('Remember me skipped: the authenticator did not set a success response.', ['authenticator' => \get_class($event->getAuthenticator())]);
+            }
+
             return;
         }
 
@@ -48,21 +56,21 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void
 
     public function onFailedLogin(LoginFailureEvent $event): void
     {
-        if (!$this->isRememberMeEnabled($event->getAuthenticator(), $event->getProviderKey())) {
+        if (!$this->isRememberMeEnabled($event->getProviderKey())) {
             return;
         }
 
         $this->rememberMeServices->loginFail($event->getRequest(), $event->getException());
     }
 
-    private function isRememberMeEnabled(AuthenticatorInterface $authenticator, string $providerKey): bool
+    private function isRememberMeEnabled(string $providerKey, ?AuthenticatorInterface $authenticator = null): bool
     {
         if ($providerKey !== $this->providerKey) {
             // This listener is created for a different firewall.
             return false;
         }
 
-        if (!$authenticator instanceof RememberMeAuthenticatorInterface || !$authenticator->supportsRememberMe()) {
+        if (null !== $authenticator && (!$authenticator instanceof RememberMeAuthenticatorInterface || !$authenticator->supportsRememberMe())) {
             if (null !== $this->logger) {
                 $this->logger->debug('Remember me skipped: your authenticator does not support it.', ['authenticator' => \get_class($authenticator)]);
             }
 
@@ -23,11 +23,19 @@ public function __construct(UserCheckerInterface $userChecker)
 
     public function preCredentialsVerification(VerifyAuthenticatorCredentialsEvent $event): void
     {
+        if (null === $event->getUser()) {
+            return;
+        }
+
         $this->userChecker->checkPreAuth($event->getUser());
     }
 
     public function postCredentialsVerification(VerifyAuthenticatorCredentialsEvent $event): void
     {
+        if (null === $event->getUser() || !$event->areCredentialsValid()) {
+            return;
+        }
+
         $this->userChecker->checkPostAuth($event->getUser());
     }
 
 
@@ -31,6 +31,10 @@ public function __construct(EncoderFactoryInterface $encoderFactory)
 
     public function onAuthenticating(VerifyAuthenticatorCredentialsEvent $event): void
     {
+        if ($event->areCredentialsValid()) {
+            return;
+        }
+
         $authenticator = $event->getAuthenticator();
         if ($authenticator instanceof PasswordAuthenticatedInterface) {
             // Use the password encoder to validate the credentials
Original file line number	Diff line number	Diff line change
`@@ -36,7 +36,7 @@ public function onCredentialsVerification(VerifyAuthenticatorCredentialsEvent $e`
`36`	`36`	`return;`
`37`	`37`	`}`
`38`	`38`
`39`		`- if (null !== $password = $authenticator->getPassword($event->getCredentials())) {`
	`39`	`+ if (null === $password = $authenticator->getPassword($event->getCredentials())) {`
`40`	`40`	`return;`
`41`	`41`	`}`
`42`	`42`
`@@ -46,11 +46,11 @@ public function onCredentialsVerification(VerifyAuthenticatorCredentialsEvent $e`
`46`	`46`	`}`
`47`	`47`
`48`	`48`	`$passwordEncoder = $this->encoderFactory->getEncoder($user);`
`49`		`- if (!method_exists($passwordEncoder, 'needsRehash') \|\| !$passwordEncoder->needsRehash($user)) {`
	`49`	`+ if (!$passwordEncoder->needsRehash($user->getPassword())) {`
`50`	`50`	`return;`
`51`	`51`	`}`
`52`	`52`
`53`		`- $authenticator->upgradePassword($user, $passwordEncoder->encodePassword($user, $password));`
	`53`	`+ $authenticator->upgradePassword($user, $passwordEncoder->encodePassword($password, $user->getSalt()));`
`54`	`54`	`}`
`55`	`55`
`56`	`56`	`public static function getSubscribedEvents(): array`
Original file line number	Diff line number	Diff line change
`@@ -39,7 +39,15 @@ public function __construct(RememberMeServicesInterface $rememberMeServices, str`
`39`	`39`
`40`	`40`	`public function onSuccessfulLogin(LoginSuccessEvent $event): void`
`41`	`41`	`{`
`42`		`- if (!$this->isRememberMeEnabled($event->getAuthenticator(), $event->getProviderKey())) {`
	`42`	`+ if (!$this->isRememberMeEnabled($event->getProviderKey(), $event->getAuthenticator())) {`
	`43`	`+ return;`
	`44`	`+ }`
	`45`	`+`
	`46`	`+ if (null === $event->getResponse()) {`
	`47`	`+ if (null !== $this->logger) {`
	`48`	`+ $this->logger->debug('Remember me skipped: the authenticator did not set a success response.', ['authenticator' => \get_class($event->getAuthenticator())]);`
	`49`	`+ }`
	`50`	`+`
`43`	`51`	`return;`
`44`	`52`	`}`
`45`	`53`
`@@ -48,21 +56,21 @@ public function onSuccessfulLogin(LoginSuccessEvent $event): void`
`48`	`56`
`49`	`57`	`public function onFailedLogin(LoginFailureEvent $event): void`
`50`	`58`	`{`
`51`		`- if (!$this->isRememberMeEnabled($event->getAuthenticator(), $event->getProviderKey())) {`
	`59`	`+ if (!$this->isRememberMeEnabled($event->getProviderKey())) {`
`52`	`60`	`return;`
`53`	`61`	`}`
`54`	`62`
`55`	`63`	`$this->rememberMeServices->loginFail($event->getRequest(), $event->getException());`
`56`	`64`	`}`
`57`	`65`
`58`		`- private function isRememberMeEnabled(AuthenticatorInterface $authenticator, string $providerKey): bool`
	`66`	`+ private function isRememberMeEnabled(string $providerKey, ?AuthenticatorInterface $authenticator = null): bool`
`59`	`67`	`{`
`60`	`68`	`if ($providerKey !== $this->providerKey) {`
`61`	`69`	`// This listener is created for a different firewall.`
`62`	`70`	`return false;`
`63`	`71`	`}`
`64`	`72`
`65`		`- if (!$authenticator instanceof RememberMeAuthenticatorInterface \|\| !$authenticator->supportsRememberMe()) {`
	`73`	`+ if (null !== $authenticator && (!$authenticator instanceof RememberMeAuthenticatorInterface \|\| !$authenticator->supportsRememberMe())) {`
`66`	`74`	`if (null !== $this->logger) {`
`67`	`75`	`$this->logger->debug('Remember me skipped: your authenticator does not support it.', ['authenticator' => \get_class($authenticator)]);`
`68`	`76`	`}`
Original file line number	Diff line number	Diff line change
`@@ -23,11 +23,19 @@ public function __construct(UserCheckerInterface $userChecker)`
`23`	`23`
`24`	`24`	`public function preCredentialsVerification(VerifyAuthenticatorCredentialsEvent $event): void`
`25`	`25`	`{`
	`26`	`+ if (null === $event->getUser()) {`
	`27`	`+ return;`
	`28`	`+ }`
	`29`	`+`
`26`	`30`	`$this->userChecker->checkPreAuth($event->getUser());`
`27`	`31`	`}`
`28`	`32`
`29`	`33`	`public function postCredentialsVerification(VerifyAuthenticatorCredentialsEvent $event): void`
`30`	`34`	`{`
	`35`	`+ if (null === $event->getUser() \|\| !$event->areCredentialsValid()) {`
	`36`	`+ return;`
	`37`	`+ }`
	`38`	`+`
`31`	`39`	`$this->userChecker->checkPostAuth($event->getUser());`
`32`	`40`	`}`
`33`	`41`