[Security] Deprecate UserInterface & TokenInterface's `eraseCrede…

…ntials()`
symfony · nicolas-grekas · Feb 4, 2025 · Dec 6, 2024 · Feb 3, 2025 · Feb 3, 2025
commit e5566065783546295f2ca34aeafdebb9b5fed9be
diff --git a/UPGRADE-7.3.md b/UPGRADE-7.3.md
@@ -6,7 +6,23 @@ backward compatibility breaks. Minor backward compatibility breaks are prefixed
 `[BC BREAK]`, make sure your code is compatible with these entries before upgrading.
 Read more about this in the [Symfony documentation](https://symfony.com/doc/7.3/setup/upgrade_minor.html).
 
-If you're upgrading from a version below 7.1, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.
+If you're upgrading from a version below 7.2, follow the [7.2 upgrade guide](UPGRADE-7.2.md) first.
+
+Ldap
+----
+
+ * Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead
+
+Security
+--------
+
+ * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
+   use a dedicated DTO or erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
+
+SecurityBundle
+--------------
+
+ * Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
 
 Console
 -------
@@ -115,3 +131,4 @@ VarDumper
 
  * Deprecate `ResourceCaster::castCurl()`, `ResourceCaster::castGd()` and `ResourceCaster::castOpensslX509()`
  * Mark all casters as `@internal`
+ * Deprecate the `CompiledClassMetadataFactory` and `CompiledClassMetadataCacheWarmer` classes
diff --git a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -8,6 +8,7 @@ CHANGELOG
  * Add encryption support to `OidcTokenHandler` (JWE)
  * Add `expose_security_errors` config option to display `AccountStatusException`
  * Deprecate the `security.hide_user_not_found` config option in favor of `security.expose_security_errors`
+ * Deprecate the `erase_credentials` config option, erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
 
 7.2
 ---

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LdapFactoryTrait.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/Security/Factory/LdapFactoryTrait.php
@@ -16,6 +16,7 @@
 use Symfony\Component\DependencyInjection\Definition;
 use Symfony\Component\DependencyInjection\Reference;
 use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
+use Symfony\Component\Ldap\Security\EraseLdapUserCredentialsListener;
 use Symfony\Component\Ldap\Security\LdapAuthenticator;
 
 /**
@@ -42,6 +43,12 @@ public function createAuthenticator(ContainerBuilder $container, string $firewal
             ->addArgument(new Reference('security.ldap_locator'))
         ;
 
+        if (class_exists(EraseLdapUserCredentialsListener::class && !$container->getParameter('security.authentication.manager.erase_credentials'))) {
+            $container->setDefinition('security.listener.'.$key.'.'.$firewallName.'erase_ldap_credentials', new Definition(EraseLdapUserCredentialsListener::class))
+                ->addTag('kernel.event_subscriber', ['dispatcher' => 'security.event_dispatcher.'.$firewallName])
+            ;
+        }
+
         $ldapAuthenticatorId = 'security.authenticator.'.$key.'.'.$firewallName;
         $definition = $container->setDefinition($ldapAuthenticatorId, new Definition(LdapAuthenticator::class))
             ->setArguments([

diff --git a/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php b/src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php
@@ -136,6 +136,9 @@ public function load(array $configs, ContainerBuilder $container): void
 
         // set some global scalars
         $container->setParameter('security.access.denied_url', $config['access_denied_url']);
+        if (true === $config['erase_credentials']) {
+            trigger_deprecation('symfony/security-bundle', '7.3', 'Setting the "security.erase_credentials" config option to true is deprecated and won\'t have any effect in 8.0, set it to false instead and use your own erasing logic if needed.');
+        }
         $container->setParameter('security.authentication.manager.erase_credentials', $config['erase_credentials']);
         $container->setParameter('security.authentication.session_strategy.strategy', $config['session_fixation_strategy']);
 

@@ -103,7 +103,9 @@ public function testOnKernelRequestRecordsAuthenticatorsInfo()
             [new TraceableAuthenticator($notSupportingAuthenticator), new TraceableAuthenticator($supportingAuthenticator)],
             $tokenStorage,
             $dispatcher,
-            'main'
+            'main',
+            null,
+            false
         );
 
         $listener = new TraceableAuthenticatorManagerListener(new AuthenticatorManagerListener($authenticatorManager));

@@ -250,6 +250,7 @@ public function isEnabled(): bool
         return $this->enabled;
     }
 
+    #[\Deprecated]
     public function eraseCredentials(): void
     {
     }

diff --git a/src/Symfony/Bundle/SecurityBundle/composer.json b/src/Symfony/Bundle/SecurityBundle/composer.json
@@ -22,6 +22,7 @@
         "symfony/clock": "^6.4|^7.0",
         "symfony/config": "^6.4|^7.0",
         "symfony/dependency-injection": "^6.4.11|^7.1.4",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/event-dispatcher": "^6.4|^7.0",
         "symfony/http-kernel": "^6.4|^7.0",
         "symfony/http-foundation": "^6.4|^7.0",

diff --git a/src/Symfony/Component/Ldap/CHANGELOG.md b/src/Symfony/Component/Ldap/CHANGELOG.md
@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+7.3
+---
+
+ * Deprecate `LdapUser::eraseCredentials()`, use `LdapUser::setPassword(null)` instead
+ * Add `EraseLdapUserCredentialsListener`
+
 7.2
 ---
 

diff --git a/src/Symfony/Component/Ldap/Security/EraseLdapUserCredentialsListener.php b/src/Symfony/Component/Ldap/Security/EraseLdapUserCredentialsListener.php
@@ -0,0 +1,48 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Ldap\Security;
+
+use Psr\Container\ContainerInterface;
+use Symfony\Component\EventDispatcher\EventSubscriberInterface;
+use Symfony\Component\Ldap\Exception\InvalidCredentialsException;
+use Symfony\Component\Ldap\Exception\InvalidSearchCredentialsException;
+use Symfony\Component\Ldap\LdapInterface;
+use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\LogicException;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
+use Symfony\Component\Security\Http\Event\AuthenticationTokenCreatedEvent;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+
+/**
+ * Erases credentials from LdapUser instances upon successful authentication.
+ *
+ * @author Robin Chalas <robin.chalas@gmail.com>
+ */
+class EraseLdapUserCredentialsListener implements EventSubscriberInterface
+{
+    public function onAuthenticationSuccess(AuthenticationSuccessEvent $event): void
+    {
+        $user = $event->getAuthenticationToken()->getUser();
+
+        if (!$user instanceof LdapUser) {
+            return;
+        }
+
+        $user->setPassword(null);
+    }
+
+    public static function getSubscribedEvents(): array
+    {
+        return [AuthenticationSuccessEvent::class => ['onAuthenticationSuccess', 256]];
+    }
+}
@@ -62,6 +62,8 @@ public function getUserIdentifier(): string
 
     public function eraseCredentials(): void
     {
+        trigger_deprecation('symfony/security-core', '7.3', sprintf('The "%s()" method is deprecated and will be removed in 8.0, call "setPassword(null)" instead.', __METHOD__));
+
         $this->password = null;
     }
 
@@ -70,7 +72,7 @@ public function getExtraFields(): array
         return $this->extraFields;
     }
 
-    public function setPassword(#[\SensitiveParameter] string $password): void
+    public function setPassword(#[\SensitiveParameter] ?string $password): void
     {
         $this->password = $password;
     }
@@ -95,4 +97,14 @@ public function isEqualTo(UserInterface $user): bool
 
         return true;
     }
+
+    public function __serialize(): array
+    {
+        return [$this->entry, $this->identifier, null, $this->roles, $this->extraFields];
+    }
+
+    public function __unserialize(array $data): void
+    {
+        [$this->entry, $this->identifier, $this->password, $this->roles, $this->extraFields] = $data;
+    }
 }
diff --git a/src/Symfony/Component/Ldap/Tests/Security/EraseLdapUserCredentialsListenerTest.php b/src/Symfony/Component/Ldap/Tests/Security/EraseLdapUserCredentialsListenerTest.php
@@ -0,0 +1,53 @@
+<?php
+
+/*
+ * This file is part of the Symfony package.
+ *
+ * (c) Fabien Potencier <fabien@symfony.com>
+ *
+ * For the full copyright and license information, please view the LICENSE
+ * file that was distributed with this source code.
+ */
+
+namespace Symfony\Component\Ldap\Tests\Security;
+
+use PHPUnit\Framework\MockObject\MockObject;
+use PHPUnit\Framework\TestCase;
+use Psr\Container\ContainerInterface;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Ldap\Adapter\CollectionInterface;
+use Symfony\Component\Ldap\Adapter\QueryInterface;
+use Symfony\Component\Ldap\Entry;
+use Symfony\Component\Ldap\Exception\InvalidCredentialsException;
+use Symfony\Component\Ldap\LdapInterface;
+use Symfony\Component\Ldap\Security\CheckLdapCredentialsListener;
+use Symfony\Component\Ldap\Security\EraseLdapUserCredentialsListener;
+use Symfony\Component\Ldap\Security\LdapBadge;
+use Symfony\Component\Ldap\Security\LdapUser;
+use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Core\Authentication\Token\UsernamePasswordToken;
+use Symfony\Component\Security\Core\Event\AuthenticationSuccessEvent;
+use Symfony\Component\Security\Core\Exception\AuthenticationException;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\User\InMemoryUser;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
+use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
+use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
+use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Contracts\Service\ServiceLocatorTrait;
+
+class EraseLdapUserCredentialsListenerTest extends TestCase
+{
+    public function testPasswordIsErasedOnAuthenticationSuccess()
+    {
+        $user = new LdapUser(new Entry(''), 'chalasr', 'password');
+        $listener = new EraseLdapUserCredentialsListener();
+
+        $listener->onAuthenticationSuccess(new AuthenticationSuccessEvent(new UsernamePasswordToken($user, 'main')));
+
+        $this->assertSame(null, $user->getPassword());
+    }
+}
diff --git a/src/Symfony/Component/Ldap/composer.json b/src/Symfony/Component/Ldap/composer.json
@@ -18,6 +18,7 @@
     "require": {
         "php": ">=8.2",
         "ext-ldap": "*",
+        "symfony/deprecation-contracts": "^2.5|^3",
         "symfony/options-resolver": "^6.4|^7.0"
     },
     "require-dev": {

@@ -59,8 +59,15 @@ public function setUser(UserInterface $user): void
         $this->user = $user;
     }
 
+    /**
+     * Removes sensitive information from the token.
+     *
+     * @deprecated since Symfony 7.3
+     */
     public function eraseCredentials(): void
     {
+        trigger_deprecation('symfony/security-core', '7.3', sprintf('The "%s()" method is deprecated and will be removed in 8.0, use a DTO instead or implement your own erasing logic if needed.', __METHOD__));
+
         if ($this->getUser() instanceof UserInterface) {
             $this->getUser()->eraseCredentials();
         }

@@ -43,6 +43,11 @@ public function getUserIdentifier(): string
         return '';
     }
 
+    /**
+     * Removes sensitive information from the token.
+     *
+     * @deprecated since Symfony 7.3
+     */
     public function eraseCredentials(): void
     {
     }

@@ -56,6 +56,9 @@ public function setUser(UserInterface $user): void;
 
     /**
      * Removes sensitive information from the token.
+     *
+     * @deprecated since Symfony 7.3, use a dedicated DTO instead or implement your
+     *             own erasing logic instead
      */
     public function eraseCredentials(): void;
 

@@ -7,6 +7,8 @@ CHANGELOG
  * Add `UserAuthorizationChecker::isGrantedForUser()` to test user authorization without relying on the session.
    For example, users not currently logged in, or while processing a message from a message queue.
  * Add `OfflineTokenInterface` to mark tokens that do not represent the currently logged-in user
+ * Deprecate `UserInterface::eraseCredentials()` and `TokenInterface::eraseCredentials()`,
+   use a dedicated DTO or erase credentials on your own e.g. upon `AuthenticationTokenCreatedEvent` instead
 
 7.2
 ---

@@ -12,12 +12,15 @@
 namespace Symfony\Component\Security\Core\Tests\Authentication\Token;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 class AbstractTokenTest extends TestCase
 {
+    use ExpectDeprecationTrait;
+
     /**
      * @dataProvider provideUsers
      */
@@ -33,13 +36,17 @@ public static function provideUsers()
         yield [new InMemoryUser('fabien', null), 'fabien'];
     }
 
+    /**
+     * @group legacy
+     */
     public function testEraseCredentials()
     {
         $token = new ConcreteToken(['ROLE_FOO']);
 
         $user = $this->createMock(UserInterface::class);
         $user->expects($this->once())->method('eraseCredentials');
         $token->setUser($user);
+        $this->expectDeprecation('The Symfony\Component\Security\Core\User\UserInterface::eraseCredentials method is deprecated (since Symfony 7.3, use a dedicated DTO instead or implement your own erasing logic instead).');
 
         $token->eraseCredentials();
     }

@@ -53,6 +53,9 @@ public function testIsEnabled()
         $this->assertFalse($user->isEnabled());
     }
 
+    /**
+     * @group legacy
+     */
     public function testEraseCredentials()
     {
         $user = new InMemoryUser('fabien', 'superpass');

@@ -76,6 +76,7 @@ public function isEnabled(): bool
 
     public function eraseCredentials(): void
     {
+        trigger_deprecation('symfony/security-core', '7.3', sprintf('The "%s()" method is deprecated and will be removed in 8.0, use a DTO instead or implement your own erasing logic if needed.', __METHOD__));
     }
 
     public function isEqualTo(UserInterface $user): bool

@@ -46,18 +46,22 @@ interface UserInterface
      */
     public function getRoles(): array;
 
+    /**
+     * Returns the identifier for this user (e.g. username or email address).
+     *
+     * @return non-empty-string
+     */
+    public function getUserIdentifier(): string;
+
     /**
      * Removes sensitive data from the user.
      *
      * This is important if, at any given point, sensitive information like
      * the plain-text password is stored on this object.
+     *
+     * @deprecated since Symfony 7.3, use a dedicated DTO instead or implement your
+     *             own erasing logic instead
      */
     public function eraseCredentials(): void;
 
-    /**
-     * Returns the identifier for this user (e.g. username or email address).
-     *
-     * @return non-empty-string
-     */
-    public function getUserIdentifier(): string;
 }
@@ -69,6 +69,10 @@ public function __construct(
         }
 
         $this->exposeSecurityErrors = $exposeSecurityErrors;
+
+        if ($eraseCredentials) {
+            trigger_deprecation('symfony/security-http', '7.3', sprintf('Passing true as "$eraseCredentials" argument to "%s::__construct()" is deprecated and won\'t have any effect in 8.0, pass "false" instead and use your own erasing logic if needed.', __CLASS__));
+        }
     }
 
     /**
@@ -208,6 +212,7 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
             // announce the authentication token
             $authenticatedToken = $this->eventDispatcher->dispatch(new AuthenticationTokenCreatedEvent($authenticatedToken, $passport))->getAuthenticatedToken();
 
+            // @deprecated since Symfony 7.3, remove the if statement in 8.0
             if (true === $this->eraseCredentials) {
                 $authenticatedToken->eraseCredentials();
             }
-Original file line number
+Diff line change
@@ Expand Up / @@ -250,6 +250,7 @@ public function isEnabled(): bool @@
             return $this->enabled;
         }
+        #[\Deprecated]
         public function eraseCredentials(): void
         {
         }
@@ Expand Down @@