[Security] Keep roles when serializing tokens

nicolas-grekas · nicolas-grekas · commit 8092ffd3a7e8 · 2025-06-04T14:31:13.000+02:00
diff --git a/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php b/src/Symfony/Component/Security/Core/Authentication/Token/AbstractToken.php
@@ -32,16 +32,12 @@ abstract class AbstractToken implements TokenInterface, \Serializable
      */
     public function __construct(array $roles = [])
     {
-        $this->roleNames = [];
-
-        foreach ($roles as $role) {
-            $this->roleNames[] = (string) $role;
-        }
+        $this->roleNames = $roles;
     }
 
     public function getRoleNames(): array
     {
-        return $this->roleNames ??= self::__construct($this->user->getRoles()) ?? $this->roleNames;
+        return $this->roleNames ??= $this->user?->getRoles() ?? [];
     }
 
     public function getUserIdentifier(): string
@@ -90,13 +86,7 @@ public function eraseCredentials(): void
      */
     public function __serialize(): array
     {
-        $data = [$this->user, true, null, $this->attributes];
-
-        if (!$this->user instanceof EquatableInterface) {
-            $data[] = $this->roleNames;
-        }
-
-        return $data;
+        return [$this->user, true, null, $this->attributes, $this->getRoleNames()];
     }
 
     /**
@@ -160,12 +150,7 @@ public function __toString(): string
         $class = static::class;
         $class = substr($class, strrpos($class, '\\') + 1);
 
-        $roles = [];
-        foreach ($this->roleNames as $role) {
-            $roles[] = $role;
-        }
-
-        return \sprintf('%s(user="%s", roles="%s")', $class, $this->getUserIdentifier(), implode(', ', $roles));
+        return \sprintf('%s(user="%s", roles="%s")', $class, $this->getUserIdentifier(), implode(', ', $this->getRoleNames()));
     }
 
     /**
