[Security] Return null instead of empty username to fix deprecation notice #59640
Conversation
| @@ -45,6 +45,6 @@ protected function extractUsername(Request $request): ?string | |||
| throw new BadCredentialsException(sprintf('User key was not found: "%s".', $this->userKey)); | |||
| } | |||
|
|
|||
| return $request->server->get($this->userKey); | |||
| return $request->server->get($this->userKey) ?: null; | |||
There was a problem hiding this comment.
Looking at how the method is used I wonder if we shouldn’t throw a BadCredentialsException here then.
(xabbuh's comment on previous PR)
There was a problem hiding this comment.
Throwing an exception would be consistent with the FormLoginAuthenticator's behaviour :
OTOH the base class' abstract extractUsername() returns a nullable string and the null check in supports() indicates this is due to being unable to extract a username. Other users who've extended the base class may expect that behaviour, so throwing an exception (in a reference implementation) may be confusing.
|
Apologies; I ran into some trouble rebasing the commit for a test case from my previous PR so I created a new branch/PR to be safe. |
|
Thank you @phasdev. |
RemoteUserAuthenticatormay return an empty string when extracting a username from the configured$_SERVERparameter (e.g.REMOTE_USER).An empty username triggers the
User Deprecated: Since symfony/security-http 7.2: Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.Return
nullinstead of empty username to skip authenticator when username is empty and fix Symfony 8 deprecation notice.