From a412f30e7786bc00cd0353800bd80824a772e010 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=A9r=C3=A9my=20Deruss=C3=A9?=
Date: Fri, 11 Mar 2022 09:39:49 +0100
Subject: [PATCH] [SecurityBundle] Use config's secret in remember-me signatures
---
 .../Security/Factory/RememberMeFactory.php | 7 ++-
 .../SecurityExtensionTest.php | 43 ++++++++++++++++++-
 2 files changed, 48 insertions(+), 2 deletions(-)
diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
index 0ecc6df4ef250..735b08744a0ad 100644
--- a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
+++ b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/RememberMeFactory.php
@@ -128,6 +128,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
 $tokenVerifier = $this->createTokenVerifier($container, $firewallName, $config['token_verifier'] ?? null);
 $container->setDefinition($rememberMeHandlerId, new ChildDefinition('security.authenticator.persistent_remember_me_handler'))
 ->replaceArgument(0, new Reference($tokenProviderId))
+ ->replaceArgument(1, $config['secret'])
 ->replaceArgument(2, new Reference($userProviderId))
 ->replaceArgument(4, $config)
 ->replaceArgument(6, $tokenVerifier)
@@ -136,6 +137,7 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
 $signatureHasherId = 'security.authenticator.remember_me_signature_hasher.'.$firewallName;
 $container->setDefinition($signatureHasherId, new ChildDefinition('security.authenticator.remember_me_signature_hasher'))
 ->replaceArgument(1, $config['signature_properties'])
+ ->replaceArgument(2, $config['secret'])
 ;
 
 $container->setDefinition($rememberMeHandlerId, new ChildDefinition('security.authenticator.signature_remember_me_handler'))
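Review bot: The two new `replaceArgument` calls — index 1 on the persistent handler in this hunk and index 2 on the signature hasher in the next one — feed `$config['secret']` into chains whose indexes are now non-contiguous (0, 1, 2, 4, 6 here), so a reader has to open the handler classes to learn what each position is. A trailing comment per line would keep that next to the code, e.g. `->replaceArgument(1, $config['secret']) // secret that signs the persistent remember-me token`. These indexes presumably mirror the constructor order of the underlying handler and hasher classes, which the hunk does not show, so the comment text should be checked against those constructors. `createAuthenticator` starts and ends outside the hunk.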
@@ -205,7 +207,10 @@ public function addConfiguration(NodeDefinition $node)
 ;
 
 $builder
- ->scalarNode('secret')->isRequired()->cannotBeEmpty()->end()
+ ->scalarNode('secret')
+ ->cannotBeEmpty()
+ ->defaultValue('%kernel.secret%')
+ ->end()
 ->scalarNode('service')->end()
 ->arrayNode('user_providers')
 ->beforeNormalization()
diff --git a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
index 3b69d2a91fe8d..684e43e28a503 100644
--- a/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
+++ b/src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
@@ -419,7 +419,7 @@ public function testRememberMeCookieInheritFrameworkSessionCookie($config, $same
 'firewalls' => [
 'default' => [
 'form_login' => null,
- 'remember_me' => ['secret' => 'baz'],
+ 'remember_me' => [],
 ],
 ],
 ]);
@@ -433,6 +433,7 @@ public function testRememberMeCookieInheritFrameworkSessionCookie($config, $same
 
 $this->assertEquals($samesite, $definition->getArgument(3)['samesite']);
 $this->assertEquals($secure, $definition->getArgument(3)['secure']);
+ $this->assertSame('%kernel.secret%', $definition->getArgument(1));
 }
 
 /**
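Review bot: Dropping `isRequired()` from the `secret` node turns a previously mandatory firewall option into one that silently falls back to `%kernel.secret%`, which is a user-visible configuration change, yet the diffstat lists only the factory and its test — no CHANGELOG or UPGRADE entry travels with it. The new node also carries no `->info()` text, so `debug:config` readers cannot see that leaving the option unset ties remember-me signatures to the kernel secret; `->info('Secret used to sign remember-me cookies; defaults to the kernel secret, so rotating kernel.secret presumably invalidates cookies issued with the default')` on the `->scalarNode('secret')` line would document both the default and its consequence. Note as well that `cannotBeEmpty()` validates the literal configured string, so an empty resolved `kernel.secret` is not caught by this node. `addConfiguration` starts and ends outside the hunk.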
@@ -484,6 +485,46 @@ public function testCustomRememberMeHandler()
 $this->assertEquals([['firewall' => 'default']], $handler->getTag('security.remember_me_handler'));
 }
 
+ public function testSecretRememberMeHasher()
+ {
+ $container = $this->getRawContainer();
+
+ $container->register('custom_remember_me', \stdClass::class);
+ $container->loadFromExtension('security', [
+ 'enable_authenticator_manager' => true,
+ 'firewalls' => [
+ 'default' => [
+ 'remember_me' => ['secret' => 'very'],
+ ],
+ ],
+ ]);
+
+ $container->compile();
+
+ $handler = $container->getDefinition('security.authenticator.remember_me_signature_hasher.default');
+ $this->assertSame('very', $handler->getArgument(2));
+ }
+
+ public function testSecretRememberMeHandler()
+ {
+ $container = $this->getRawContainer();
+
+ $container->register('custom_remember_me', \stdClass::class);
+ $container->loadFromExtension('security', [
+ 'enable_authenticator_manager' => true,
+ 'firewalls' => [
+ 'default' => [
+ 'remember_me' => ['secret' => 'very', 'token_provider' => 'token_provider_id'],
+ ],
+ ],
+ ]);
+
+ $container->compile();
+
+ $handler = $container->getDefinition('security.authenticator.remember_me_handler.default');
+ $this->assertSame('very', $handler->getArgument(1));
+ }
+
+ public function sessionConfigurationProvider()
 {
 return [
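Review bot: Both new tests register `custom_remember_me` as a `\stdClass` service but never reference it in the `security` configuration they load, so the `$container->register('custom_remember_me', \stdClass::class);` line in each is dead fixture apparently carried over from `testCustomRememberMeHandler` and should be dropped. In `testSecretRememberMeHasher` the definition fetched is the signature hasher, so `$handler` is a misleading name; `$hasher = $container->getDefinition('security.authenticator.remember_me_signature_hasher.default');` reads better. Both assertions pin bare argument indexes (2 and 1) without saying what they stand for; a short comment such as `// argument 2 of the signature hasher is the secret` beside each `assertSame` would tie the test to the factory change it covers.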