symfony
diff --git a/‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/Fixtures/CustomUser.php‎
Lines changed: 13 additions & 19 deletions b/‎src/Symfony/Component/Security/Core/Tests/Authentication/Token/Fixtures/CustomUser.php‎
Lines changed: 13 additions & 19 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Firewall/ContextListener.php‎
Lines changed: 5 additions & 2 deletions b/‎src/Symfony/Component/Security/Http/Firewall/ContextListener.php‎
Lines changed: 5 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php‎
Lines changed: 1 addition & 5 deletions b/‎src/Symfony/Component/Security/Http/Tests/Firewall/AccessListenerTest.php‎
Lines changed: 1 addition & 5 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php‎
Lines changed: 20 additions & 4 deletions b/‎src/Symfony/Component/Security/Http/Tests/Firewall/ContextListenerTest.php‎
Lines changed: 20 additions & 4 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Tests/Fixtures/CustomUser.php‎
Lines changed: 49 additions & 0 deletions b/‎src/Symfony/Component/Security/Http/Tests/Fixtures/CustomUser.php‎
Lines changed: 49 additions & 0 deletions
@@ -1,20 +1,24 @@
 <?php
 
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
 namespace Symfony\Component\Security\Core\Tests\Authentication\Token\Fixtures;
 
 use Symfony\Component\Security\Core\User\UserInterface;
 
 final class CustomUser implements UserInterface
 {
-    /** @var string */
-    private $username;
-    /** @var array */
-    private $roles;
-
-    public function __construct(string $username, array $roles)
-    {
-        $this->username = $username;
-        $this->roles = $roles;
+    public function __construct(
+        private string $username,
+        private array $roles,
+    ) {
     }
 
     public function getUserIdentifier(): string
@@ -27,16 +31,6 @@ public function getRoles(): array
         return $this->roles;
     }
 
-    public function getPassword(): ?string
-    {
-        return null;
-    }
-
-    public function getSalt(): ?string
-    {
-        return null;
-    }
-
     public function eraseCredentials(): void
     {
     }
 
@@ -187,7 +187,7 @@ public function onKernelResponse(ResponseEvent $event): void
      *
      * @throws \RuntimeException
      */
-    protected function refreshUser(TokenInterface $token): ?TokenInterface
+    private function refreshUser(TokenInterface $token): ?TokenInterface
     {
         $user = $token->getUser();
 
@@ -288,7 +288,10 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa
         }
 
         if ($originalUser instanceof PasswordAuthenticatedUserInterface || $refreshedUser instanceof PasswordAuthenticatedUserInterface) {
-            if (!$originalUser instanceof PasswordAuthenticatedUserInterface || !$refreshedUser instanceof PasswordAuthenticatedUserInterface || $originalUser->getPassword() !== $refreshedUser->getPassword()) {
+            if (!$originalUser instanceof PasswordAuthenticatedUserInterface
+                || !$refreshedUser instanceof PasswordAuthenticatedUserInterface
+                || $refreshedUser->getPassword() !== ($originalUser->getPassword() ?? $refreshedUser->getPassword())
+            ) {
                 return true;
             }
 
 
@@ -42,11 +42,7 @@ public function testHandleWhenTheAccessDecisionManagerDecidesToRefuseAccess()
             ->willReturn([['foo' => 'bar'], null])
         ;
 
-        $token = new class extends AbstractToken {
-            public function getCredentials(): mixed
-            {
-            }
-        };
+        $token = new class extends AbstractToken {};
 
         $tokenStorage = $this->createMock(TokenStorageInterface::class);
         $tokenStorage
 
@@ -36,6 +36,7 @@
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Firewall\ContextListener;
+use Symfony\Component\Security\Http\Tests\Fixtures\CustomUser;
 use Symfony\Contracts\Service\ServiceLocatorTrait;
 class ContextListenerTest extends TestCase
@@ -351,6 +352,25 @@ public function testOnKernelResponseRemoveListener()
         $this->assertEmpty($dispatcher->getListeners());
     }
 
+    public function testRemovingPasswordFromSessionDoesntInvalidateTheToken()
+    {
+        $user = new CustomUser('user', ['ROLE_USER'], 'pass');
+
+        $userProvider = $this->createMock(UserProviderInterface::class);
+        $userProvider->expects($this->once())
+            ->method('supportsClass')
+            ->with(CustomUser::class)
+            ->willReturn(true);
+        $userProvider->expects($this->once())
+            ->method('refreshUser')
+            ->willReturn($user);
+
+        $tokenStorage = $this->handleEventWithPreviousSession([$userProvider], $user);
+
+        $this->assertInstanceOf(UsernamePasswordToken::class, $tokenStorage->getToken());
+        $this->assertSame($user, $tokenStorage->getToken()->getUser());
+    }
+
     protected function runSessionOnKernelResponse($newToken, $original = null)
     {
         $session = new Session(new MockArraySessionStorage());
@@ -543,10 +563,6 @@ public function getRoleNames(): array
         return $this->roles;
     }
 
-    public function getCredentials()
-    {
-    }
-
     public function getUser(): UserInterface
     {
         return $this->user;
 
@@ -0,0 +1,49 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Security\Http\Tests\Fixtures;
+
+use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
+
+final class CustomUser implements UserInterface, PasswordAuthenticatedUserInterface
+{
+    public function __construct(
+        private string $username,
+        private array $roles,
+        private ?string $password = null,
+    ) {
+    }
+
+    public function getUserIdentifier(): string
+    {
+        return $this->username;
+    }
+
+    {
+        return $this->roles;
+    }
+
+    public function getPassword(): ?string
+    {
+        return $this->password ?? null;
+    }
+
+    public function eraseCredentials(): void
+    {
+    }
+
+    public function __serialize(): array
+    {
+        return [\sprintf("\0%s\0username", self::class) => $this->username];
+    }
+}
Original file line number	Diff line number	Diff line change
`@@ -187,7 +187,7 @@ public function onKernelResponse(ResponseEvent $event): void`
`187`	`187`	`*`
`188`	`188`	`* @throws \RuntimeException`
`189`	`189`	`*/`
`190`		`- protected function refreshUser(TokenInterface $token): ?TokenInterface`
	`190`	`+ private function refreshUser(TokenInterface $token): ?TokenInterface`
`191`	`191`	`{`
`192`	`192`	`$user = $token->getUser();`
`193`	`193`
`@@ -288,7 +288,10 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa`
`288`	`288`	`}`
`289`	`289`
`290`	`290`	`if ($originalUser instanceof PasswordAuthenticatedUserInterface \|\| $refreshedUser instanceof PasswordAuthenticatedUserInterface) {`
`291`		`- if (!$originalUser instanceof PasswordAuthenticatedUserInterface \|\| !$refreshedUser instanceof PasswordAuthenticatedUserInterface \|\| $originalUser->getPassword() !== $refreshedUser->getPassword()) {`
	`291`	`+ if (!$originalUser instanceof PasswordAuthenticatedUserInterface`
	`292`	`+ \|\| !$refreshedUser instanceof PasswordAuthenticatedUserInterface`
	`293`	`+ \|\| $refreshedUser->getPassword() !== ($originalUser->getPassword() ?? $refreshedUser->getPassword())`
	`294`	`+ ) {`
`292`	`295`	`return true;`
`293`	`296`	`}`
`294`	`297`