* 5.2:
[SecurityBundle] add missing type-hint
[SecurityBundle] Remove invalid unused service
[Security] [DataCollector] Remove allows anonymous information in datacollector
[Workflow] Remove dead call to `Defnition#addTag()`
add chinese translation
This PR was squashed before being merged into the 5.3-dev branch.
Discussion
----------
[Security] [RememberMe] Add support for parallel requests doing remember-me re-authentication
| Q | A
| ------------- | ---
| Branch? | 5.x
| Bug fix? | yes
| New feature? | yes ish <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#40971, Fix#28314, Fix#18384
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
This is a possible implementation to gather feedback mostly..
`TokenVerifierInterface` naming is kinda bad perhaps.. But my goal would be to merge it in TokenProviderInterface for 6.0 so it's not so important. Not sure if/how to best indicate this in terms of deprecation notices.
Anyway wondering if this would be an acceptable implementation (ideally in an application I would probably override the new methods from DoctrineTokenProvider to something like this which is less of a hack and does expiration properly:
```php
public function verifyToken(PersistentTokenInterface $token, string $tokenValue)
{
if (hash_equals($token->getTokenValue(), $tokenValue)) {
return true;
}
if (!$this->cache->hasItem('rememberme-' . $token->getSeries())) {
return false;
}
/** `@var` CacheItem $item */
$item = $this->cache->getItem('rememberme-' . $token->getSeries());
$oldToken = $item->get();
return hash_equals($oldToken, $tokenValue);
}
public function updateExistingToken(PersistentTokenInterface $token, string $tokenValue, \DateTimeInterface $lastUsed): void
{
$this->updateToken($token->getSeries(), $tokenValue, $lastUsed);
/** `@var` CacheItem $item */
$item = $this->cache->getItem('rememberme-'.$token->getSeries());
$item->set($token->getTokenValue());
$item->expiresAfter(60);
$this->cache->save($item);
}
```
If you think it'd be fine to require optionally the cache inside DoctrineTokenProvider to enable this feature instead of the hackish way I did it, that'd be ok for me too.
The current `DoctrineTokenProvider` implementation of `TokenVerifierInterface` relies on the lucky fact that series are generated using `base64_encode(random_bytes(64))` which always ends in the `==` padding of base64, so that allowed me to store an alternative token value temporarily by replacing `==` with `_`.
Alternative implementation options:
1. Inject cache in `DoctrineTokenProvider` and do a proper implementation (as shown above) that way
2. Do not implement at all in `DoctrineTokenProvider` and let users who care implement this themselves.
3. Implement as a new `token_verifier` option that could be configured on the `firewall->remember_me` key so you can pass an implementation if needed, and possibly ship a default one using cache that could be autoconfigured
4. Add events that allow modifying the token to be verified, and allow receiving the newly updated token incl series, instead of TokenVerifierInterface, but then we need to inject a dispatcher in RememberMeAuthenticator.
`@chalasr` `@wouterj` sorry for the long description but in the hope of getting this included in 5.3.0, if you can provide guidance I will happily work on this further tomorrow to try and wrap it up ASAP.
Commits
-------
1992337d87 [Security] [RememberMe] Add support for parallel requests doing remember-me re-authentication
This PR was merged into the 5.2 branch.
Discussion
----------
[SecurityBundle] Remove invalid unused service
| Q | A
| ------------- | ---
| Branch? | 5.2
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Leftover of a revisited experimental feature (the class defined on the service does not exist).
Commits
-------
1e6588a848 [SecurityBundle] Remove invalid unused service
This PR was merged into the 5.3-dev branch.
Discussion
----------
[Security] Deprecate the old authentication mechanisms
| Q | A
| ------------- | ---
| Branch? | 5.3
| Bug fix? | no
| New feature? | no
| Deprecations? | yes/
| Tickets | #39308
| License | MIT
| Doc PR | todo
Now that the authenticator system proven working well and is considered stable, we can deprecate the old authentication listeners as well as the Guard component (+ integrations).
Commits
-------
0bb3964a2d [Security] Deprecate the old authentication mechanisms
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Missing translations for Chinese (zh_TW & zh_CN)
| Q | A
| ------------- | ---
| Branch? | 4.4 <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#41037 , Fix#41038 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License | MIT
| Doc PR | no <!-- required for new features -->
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/releases):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch 5.x.
- Changelog entry should follow https://symfony.com/doc/current/contributing/code/conventions.html#writing-a-changelog-entry
-->
Added missing translation for Chinese (zh_TW & zh_CN).
Commits
-------
26d156f17f add chinese translation
This PR was submitted for the 5.x branch but it was squashed and merged into the 5.2 branch instead.
Discussion
----------
[Security] [DataCollector] Remove allows anonymous information in datacollector
| Q | A
| ------------- | ---
| Branch? | 5.2
| Bug fix? | no
| New feature? | yes/no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | yes/no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#40907
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
As mentioned In https://github.com/symfony/symfony/issues/40907 there is no longer anonymous users no longer in the new authentication system. This PR remove this information **if the new system is used** as it always a red cross
With `enable_authenticator_manager` at `false`
With `enable_authenticator_manager` at `true`
Commits
-------
92cd096763 [Security] [DataCollector] Remove allows anonymous information in datacollector
This PR was merged into the 5.3-dev branch.
Discussion
----------
[Security\Http] Fix handling `secure: auto` using the new RememberMeAuthenticator
| Q | A
| ------------- | ---
| Branch? | 5.x
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
The created cookie was always secure when using `auto` because of some missing config normalization that should have been copied from the legacy rememberme implementation.
Commits
-------
3fdc15474c [Security\Http] Fix handling `secure: auto` using the new RememberMeAuthenticator
This PR was merged into the 5.2 branch.
Discussion
----------
[Workflow] Remove useless call to `Definition#addTag()`
| Q | A
| ------------- | ---
| Branch? | 5.2
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
324dc750de [Workflow] Remove dead call to `Defnition#addTag()`
This PR was merged into the 5.3-dev branch.
Discussion
----------
[FrameworkBundle] Fix missing unused known tag
| Q | A
| ------------- | ---
| Branch? | 5.x
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
Commits
-------
b8f20f646c [FrameworkBundle] Fix missing unused known tag
This PR was merged into the 4.4 branch.
Discussion
----------
[FrameworkBundle][Validator] Fix deprecations from Doctrine Annotations+Cache
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
* Doctrine Annotations' `CachedReader` is deprecated. Let's not use it if we don't have to.
* Doctrine Cache 2 has been released. Since we're mostly only using the interfaces, we can indicate compatibility.
Paslm is going to complain about missing classes, which is kind-of expected here. 🙂
Commits
-------
ec51c21a9d Fix deprecations from Doctrine Annotations+Cache
* 5.2:
[Finder] Fix gitignore regex build with "**"
Fixed deprecation warnings about passing null as parameter
[Security] Keep Bulgarian wording consistent across all texts.
Migrate configuration file for PHP CS Fixer 2.19/3.0
[Form] Replace broken ServerParams mock
[Mailer] Fix SES API call with UTF-8 Addresses
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Keep Bulgarian wording consistent across all texts
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets |
| License | MIT
| Doc PR |
Keep wording consistent across all texts in translations:
Trans unit id=17:
Too many === Твърде много
Trans unit id=19:
Too many === Прекалено много
I put word "Твърде", because it was used before.
Commits
-------
4f1b4f993e [Security] Keep Bulgarian wording consistent across all texts.
This PR was merged into the 4.4 branch.
Discussion
----------
Migrate configuration file for PHP CS Fixer 2.19/3.0
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
This PR suggests to rename the PHP CS Fixer configuration file as expected by version 2.19 and 3.0. I don't know what version Fabbot is currently running, but as soon as it is updated to 2.19, we can merge this PR.
Commits
-------
1462a3215e Migrate configuration file for PHP CS Fixer 2.19/3.0
This PR was merged into the 5.2 branch.
Discussion
----------
[Mailer] Fix SES API call with UTF-8 Addresses
| Q | A
| ------------- | ---
| Branch? | 5.2
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | -
| License | MIT
| Doc PR | -
The address (including email and name) used in Amazon SES API (`ses+api://`) must not contain unicode chars (https://docs.aws.amazon.com/ses/latest/APIReference-V2/API_Destination.html)
This PR encodes name with base64 as suggested by issues in Official AWS SDKs (https://github.com/aws/aws-sdk-php/issues/1196, https://github.com/aws/aws-sdk-js/issues/1585)
note: I did not use the Base64Encoder, because the address could not be chunked (API Call failed) and it looks like addresses wider than 64 chars are allowed.
Commits
-------
05a9497230 [Mailer] Fix SES API call with UTF-8 Addresses
This PR was merged into the 4.4 branch.
Discussion
----------
Fixed deprecation warnings about passing null as parameter
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
Various built-in PHP functions will trigger a deprecation warning if `null` is passed as parameter. This PR attempts to fix all warnings that our test suite currently picks up.
Commits
-------
7d9bdf5734 Fixed deprecation warnings about passing null as parameter
This PR was squashed before being merged into the 4.4 branch.
Discussion
----------
[Finder] Fix gitignore regex build with "**"
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Fix#41223
| License | MIT
| Doc PR | no
covered with tests, also faster, we do not have to explode the rule at all :)
ping `@lindelius` `@OskarStark`
Commits
-------
ce22d5ddd7 [Finder] Fix gitignore regex build with "**"
This PR was merged into the 4.4 branch.
Discussion
----------
[Form] Replace broken ServerParams mock
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
`AbstractRequestHandlerTest` creates a mocked version of the `ServerParams` class. Since `getNormalizedIniPostMaxSize()` does not have a return type declaration, PHPUnit will by default create an implementation that always returns `null`. However, the real implementation of that method guarantees to always return a string.
This becomes problematic in PHP 8.1 because the return value is sometimes passed as-is into functions like `strtolower()` which trigger a deprecation warning on `null` now.
This PR proposes to replace the mock with a dummy implementation that returns an empty string by default.
Commits
-------
77c2d69f19 [Form] Replace broken ServerParams mock
* 5.2:
Update .github/workflows/tests.yml
Don't call class_exists() on null
Added and improved Bulgarian translations
PHP 8.1 must not cause the build to fail (yet)
Add _run_tests bash function
Add a GitHub Action for tests against PHP 8.1
[HttpClient] fix adding query string to relative URLs with scoped clients
[Security] Added Ukrainian translations
* 4.4:
Update .github/workflows/tests.yml
Don't call class_exists() on null
Added and improved Bulgarian translations
PHP 8.1 must not cause the build to fail (yet)
Add _run_tests bash function
Add a GitHub Action for tests against PHP 8.1
[HttpClient] fix adding query string to relative URLs with scoped clients
[Security] Added Ukrainian translations
This PR was merged into the 4.4 branch.
Discussion
----------
Add a GitHub Action for tests against PHP 8.1
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
I'd like to monitor our compatibility with the upcoming PHP 8.1 release. Because I failed miserably at convincing Travis to run our tests with PHP 8.1 (see #40532), I tried to do the same with GitHub Actions.
Commits
-------
6a328ae01e Update .github/workflows/tests.yml
6f1c4b8c58 PHP 8.1 must not cause the build to fail (yet)
b0b45105d7 Add _run_tests bash function
de4f0170e2 Add a GitHub Action for tests against PHP 8.1
This PR was merged into the 4.4 branch.
Discussion
----------
[DependencyInjection][ProxyManagerBridge] Don't call class_exists() on null
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | N/A
| License | MIT
| Doc PR | N/A
PHP 8.1 complains if we pass `null` to `class_exists()` or `interface_exists()`:
> class_exists(): Passing null to parameter `#1` ($class) of type string is deprecated
Commits
-------
88520e53b2 Don't call class_exists() on null
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Added Ukrainian translations
| Q | A
| ------------- | ---
| Branch? | 4.4 <!-- see below -->
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#41088 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License | MIT
| Doc PR | <!-- required for new features -->
Added some missing Ukrainian translations.
Commits
-------
8f34572a65 [Security] Added Ukrainian translations
This PR was merged into the 4.4 branch.
Discussion
----------
[Security] Added and improved Bulgarian translations
| Q | A
| ------------- | ---
| Branch? | 4.4
| Bug fix? | no
| New feature? | no
| Deprecations? |no
| Tickets | Fix#41035
| License | MIT
| Doc PR | n/a
Added missing translations for id 19 and 20.
Replaced the word "incorrect" with "unsuccessful"/"failed" for id 17.
Replaced the phonetic use of "cookie" with the word for "cookie" in Bulgarian for id 5 and 10.
Fixed grammatical error, now use the definite article ("the") instead of the indefinine for id 11, 13, 15 and 16.
Commits
-------
b79962b676 Added and improved Bulgarian translations
