RememberMeLogoutListener should depend on LogoutHandlerInterface #36806
Hmm, the However, I agree with you and I see the problem here as well. What about this:
If I'm correct, this would make core work without deprecated usages and provide an upgrade path for your bundle and people creating their own remember me service.
Would it be such a bad thing to depend on the deprecated I like that there is a I believe the long-term solution to this problem would be to move the method from

```php
public function autoLogin(Request $request);
public function loginFail(Request $request, \Exception $exception = null);
public function loginSuccess(Request $request, Response $response, TokenInterface $token);
public function logout(Request $request, Response $response, TokenInterface $token);
```

For offering a migration path, you could treat the constructor argument in

```php
class RememberMeLogoutListener implements EventSubscriberInterface
{
    private $rememberMeServices;

    public function __construct(object $rememberMeServices)
    {
        if (!($rememberMeServices instanceof RememberMeServicesInterface && $rememberMeServices instanceof LogoutHandlerInterface)) {
            throw new \InvalidArgumentException('Argument 0 must be instance of RememberMeServicesInterface and LogoutHandlerInterface');
        }
        $this->rememberMeServices = $rememberMeServices;
    }
```

You could also "softly" introduce the method on

```php
/**
 * @method logout(Request $request, Response $response, TokenInterface $token)
 */
interface RememberMeServicesInterface
```

Then, with the next major release, you could move the method, remove
This change is fine technically to ease BC/FC. Updating the constructor in 6.0 can happen without any hard BC break.
Thank you @scheb.
Glad to help 👍
…rvices (wouterj)

This PR was merged into the 5.1-dev branch.

Discussion
----------

[Security] Improved upgrade path for custom remember me services

| Q | A |
| ------------- | --- |
| Branch? | master |
| Bug fix? | no |
| New feature? | - |
| Deprecations? | - |
| Tickets | #36806 (comment) |
| License | MIT |
| Doc PR | |

This improves the upgrade path for custom remember me services now `LogoutHandlerInterface` has been deprecated.

As suggested in #36806 (comment), the `logout()` method should be added to the `RememberMeServicesInterface` in Symfony 6. This patch allows developers to write a custom class implementing only `RememberMeServicesInterface` with a `logout()` method. Requiring them to implement `LogoutHandlerInterface` will mean they have to maintain 2 versions of the class to support both Symfony 5.1+ and 6.0.

Commits
-------

c49d00f Added deprecation for RememberMe services without logout() method
`RememberMeLogoutListener`, which was introduced together with the new authenticator security in Symfony 5.1, depends on `AbstractRememberMeServices`. This forces people to always extend from `AbstractRememberMeServices`, even when they're implementing the correct interface.

I'd suggest to depend on the minimum interface, which is `LogoutHandlerInterface`, instead.

Example of the type errors you'd get otherwise:

```
Argument 1 passed to Symfony\Component\Security\Http\EventListener\RememberMeLogoutListener::__construct() must be an instance of Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices, instance of Scheb\TwoFactorBundle\Security\Authentication\RememberMe\RememberMeServicesDecorator given, called in var/cache/dev/Container3IpOCEd/getSecurity_Logout_Listener_RememberMe_MainService.php on line 22
```
with