[Security] Replace message data in JSON security error response

src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php

@@ -126,10 +126,10 @@ class JsonLoginAuthenticator implements InteractiveAuthenticatorInterface
     public function onAuthenticationFailure(Request $request, AuthenticationException $exception): ?Response
     {
         if (null === $this->failureHandler) {
-            $errorMessage = $exception->getMessageKey();
-
             if (null !== $this->translator) {
                 $errorMessage = $this->translator->trans($exception->getMessageKey(), $exception->getMessageData(), 'security');
+            } else {
+                $errorMessage = strtr($exception->getMessageKey(), $exception->getMessageData());
             }
 
             return new JsonResponse(['error' => $errorMessage], JsonResponse::HTTP_UNAUTHORIZED);

src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php

@@ -147,6 +147,25 @@ class JsonLoginAuthenticatorTest extends TestCase
         $this->assertSame(['error' => 'foo'], json_decode($response->getContent(), true));
     }
 
+    public function testOnFailureReplacesMessageDataWithoutTranslator()
+    {
+        $this->setUpAuthenticator();
+
+        $response = $this->authenticator->onAuthenticationFailure(new Request(), new class() extends AuthenticationException {
+            public function getMessageData(): array
+            {
+                return ['%failed_attempts%' => 3];
+            }
+
+            public function getMessageKey(): string
+            {
+                return 'Session locked after %failed_attempts% failed attempts.';
+            }
+        });
+
+        $this->assertSame(['error' => 'Session locked after 3 failed attempts.'], json_decode($response->getContent(), true));
+    }
+
     private function setUpAuthenticator(array $options = [])
     {
         $this->authenticator = new JsonLoginAuthenticator(new HttpUtils(), $this->userProvider, null, null, $options);