symfony · fabpot · Jul 20, 2022 · Apr 24, 2022
diff --git a/UPGRADE-6.2.md b/UPGRADE-6.2.md
@@ -20,6 +20,7 @@ Security
  * Add maximum username length enforcement of 4096 characters in `UserBadge` to
    prevent [session storage flooding](https://symfony.com/blog/cve-2016-4423-large-username-storage-in-session)
  * Deprecate the `Symfony\Component\Security\Core\Security` class and service, use `Symfony\Bundle\SecurityBundle\Security\Security` instead
+ * Passing empty username or password parameter when using `JsonLoginAuthenticator` is not supported anymore
 
 Validator
 ---------

@@ -161,6 +161,10 @@ private function getCredentials(Request $request)
             throw new BadRequestHttpException(sprintf('The key "%s" must be provided.', $this->options['password_path']), $e);
         }
 
+        if ('' === $credentials['username'] || '' === $credentials['password']) {
+            trigger_deprecation('symfony/security', '6.2', 'Passing an empty string as username or password parameter is deprecated.');
+        }
+
         return $credentials;
     }
 }
@@ -6,6 +6,7 @@ CHANGELOG
 
  * Add maximum username length enforcement of 4096 characters in `UserBadge`
  * Add `#[IsGranted()]`
+ * Deprecate empty username or password when using when using `JsonLoginAuthenticator`
 
 6.0
 ---

@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Http\Tests\Authenticator;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpKernel\Exception\BadRequestHttpException;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
@@ -26,6 +27,8 @@
 
 class JsonLoginAuthenticatorTest extends TestCase
 {
+    use ExpectDeprecationTrait;
+
     private $userProvider;
     /** @var JsonLoginAuthenticator */
     private $authenticator;
@@ -126,6 +129,26 @@ public function provideInvalidAuthenticateData()
         yield [$request, 'Username too long.', BadCredentialsException::class];
     }
 
+    /**
+     * @dataProvider provideEmptyAuthenticateData
+     *
+     * @group legacy
+     */
+    public function testAuthenticationForEmptyCredentialDeprecation($request)
+    {
+        $this->expectDeprecation('Since symfony/security 6.2: Passing empty string for username or password is deprecated and will be removed in 7.0');
+        $this->setUpAuthenticator();
+
+        $this->authenticator->authenticate($request);
+    }
+
+    public function provideEmptyAuthenticateData()
+    {
+        $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "", "password": "notempty"}');
+        yield [$request];
+
+    }
+
     public function testAuthenticationFailureWithoutTranslator()
     {
         $this->setUpAuthenticator();
-Original file line number
+Diff line change
@@ Expand Up / @@ -6,6 +6,7 @@ CHANGELOG @@
      * Add maximum username length enforcement of 4096 characters in `UserBadge`
      * Add `#[IsGranted()]`
+     * Deprecate empty username or password when using when using `JsonLoginAuthenticator`
 .0
     ---
@@ Expand Down @@