Commit Graph

51185 Commits

Author SHA1 Message Date
Lars Strojny
a2508ac3e7 [Cache] Allow ISO 8601 time intervals to specify default lifetime 2020-10-05 15:19:55 +02:00
Nicolas Grekas
5a3e1db9ce minor #38413 [HttpClient] change priority of RetryableHttpClient (jderusse)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[HttpClient] change priority of RetryableHttpClient

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | /
| License       | MIT
| Doc PR        | /

This makes the RetryableHttpClient decorate the TraceableHttpClient.
Users will be able to check the content of each sub-request.

Commits
-------

9568d437f9 Change priority of RetryableHttpClient
2020-10-05 10:23:57 +02:00
Jérémy Derussé
9568d437f9
Change priority of RetryableHttpClient 2020-10-05 10:04:53 +02:00
Fabien Potencier
cb3e18a925 Merge branch '5.1'
* 5.1:
  Change test
2020-10-04 18:36:01 +02:00
Fabien Potencier
5e808b59ec Merge branch '4.4' into 5.1
* 4.4:
  Change test
2020-10-04 18:35:53 +02:00
Fabien Potencier
20969e604b Merge branch '3.4' into 4.4
* 3.4:
  Change test
2020-10-04 18:35:43 +02:00
Fabien Potencier
bfcf65f61c Change test 2020-10-04 18:34:28 +02:00
Fabien Potencier
57ad83e7e1 Merge branch '5.1'
* 5.1:
  Added Stopwatch example to the README
  Bump Symfony version to 5.1.8
  Update VERSION for 5.1.7
  Update CHANGELOG for 5.1.7
  Bump Symfony version to 4.4.16
  Update VERSION for 4.4.15
  Update CHANGELOG for 4.4.15
2020-10-04 18:29:51 +02:00
Fabien Potencier
84bec1df2d Merge branch '4.4' into 5.1
* 4.4:
  Added Stopwatch example to the README
  Bump Symfony version to 4.4.16
  Update VERSION for 4.4.15
  Update CHANGELOG for 4.4.15
2020-10-04 18:29:28 +02:00
Fabien Potencier
619509e3c3 minor #38409 [Stopwatch] Added example to the README (wouterj)
This PR was merged into the 4.4 branch.

Discussion
----------

[Stopwatch] Added example to the README

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | https://github.com/symfony/symfony-docs/pull/14333

Commits
-------

e2461c90d2 Added Stopwatch example to the README
2020-10-04 17:43:30 +02:00
Wouter de Jong
e2461c90d2 Added Stopwatch example to the README 2020-10-04 14:01:13 +02:00
Fabien Potencier
c91ad1239f feature #38382 [Validator] Use comparison constraints as attributes (derrabus)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[Validator] Use comparison constraints as attributes

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | yes
| Tickets       | #38096
| License       | MIT
| Doc PR        | TODO, let's add it to symfony/symfony-docs#14305

This PR enables all child classes of `AbstractComparison` to be used as attributes.

Some of those constraints used a trait called `NumberConstraintTrait` for a shared implementation. After my changes, that trait did not fit well anymore, so I've added a new `ZeroComparisonConstraintTrait` as a replacement. Although I don't expect `NumberConstraintTrait` to provide much value outside of the Symfony codebase, I think we cannot safely change it because it was not labelled as `@internal`. This is basically why I went for the deprecation.

Commits
-------

b5bdf8288f [Validator] Use comparison constraints as attributes.
2020-10-04 10:54:16 +02:00
Fabien Potencier
dfcde5b409 feature #38369 [HttpFoundation] Expired cookies string representation consistency & tests (iquito)
This PR was squashed before being merged into the 5.2-dev branch.

Discussion
----------

[HttpFoundation] Expired cookies string representation consistency & tests

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| License       | MIT

These changes add consistent behavior when converting expired cookies back and forth from string representation into `Symfony\Component\HttpFoundation\Cookie` instances in `Cookie::fromString`:

- When `Max-Age` is zero and `expires` is in the past, the `expires` date is kept as is (previous behavior: `expires` is overwritten with current timestamp because it is reset to current timestamp + `Max-Age`)
- When `Max-Age` is zero and `expires` is in the future, expires is reset to current timestamp, as `Max-Age` is the preferred "source of truth" (same as previous behavior)
- Add tests for how the Cookie class handles `Max-Age` in a cookie string and how `expires` and `Max-Age` interact
- Extract helper function `expiresTimestamp` so converting to a unix timestamp can be reused in `Cookie::fromString`

This is more a new feature than a bug fix in my mind, therefore I would include it in 5.1+.

Commits
-------

4f5d5eceb0 [HttpFoundation] Expired cookies string representation consistency & tests
2020-10-04 10:45:41 +02:00
Andreas
4f5d5eceb0 [HttpFoundation] Expired cookies string representation consistency & tests 2020-10-04 10:45:35 +02:00
Fabien Potencier
383d73ed60 feature #38407 [Mime] Prefer .jpg instead of .jpeg (fabpot)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[Mime] Prefer .jpg instead of .jpeg

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #38364
| License       | MIT
| Doc PR        |

Commits
-------

89adb2133b [Mime] Prefer .jpg instead of .jpeg
2020-10-04 10:37:55 +02:00
Fabien Potencier
89adb2133b [Mime] Prefer .jpg instead of .jpeg 2020-10-04 10:36:21 +02:00
Fabien Potencier
a6103adcf9 Bump Symfony version to 5.1.8 2020-10-04 10:00:52 +02:00
Fabien Potencier
ccdb433279
Merge pull request #38406 from fabpot/release-5.1.7
released v5.1.7
2020-10-04 09:57:45 +02:00
Fabien Potencier
1d18312db6 Update VERSION for 5.1.7 2020-10-04 09:57:28 +02:00
Fabien Potencier
a2b45cc3bc Update CHANGELOG for 5.1.7 2020-10-04 09:57:11 +02:00
Fabien Potencier
8cb3387ce2 Bump Symfony version to 4.4.16 2020-10-04 09:55:30 +02:00
Fabien Potencier
d6cc026bc1
Merge pull request #38405 from fabpot/release-4.4.15
released v4.4.15
2020-10-04 09:48:33 +02:00
Fabien Potencier
e42cfee451 Update VERSION for 4.4.15 2020-10-04 09:48:13 +02:00
Fabien Potencier
edb5fed4bb feature #36479 [Notifier][WebProfilerBundle][FrameworkBundle] Add notifier section to profiler (jschaedl)
This PR was squashed before being merged into the 5.2-dev branch.

Discussion
----------

[Notifier][WebProfilerBundle][FrameworkBundle] Add notifier section to profiler

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | -

This is the first iteration of adding a profiler panel for the new Notifier component:

WebProfiler Toolbar:
![Screenshot 2020-10-02 at 10 26 35](https://user-images.githubusercontent.com/1880467/94903474-28bece00-049a-11eb-945c-d6ce047b35e8.png)

WebProfiler Notifier Panel:

![Screenshot 2020-10-02 at 10 28 19](https://user-images.githubusercontent.com/1880467/94903594-5277f500-049a-11eb-8c1e-27e6ec87a51c.png)
![Screenshot 2020-10-02 at 10 28 29](https://user-images.githubusercontent.com/1880467/94903591-51df5e80-049a-11eb-935a-9ba130ef69f0.png)
![Screenshot 2020-10-02 at 10 28 35](https://user-images.githubusercontent.com/1880467/94903589-5146c800-049a-11eb-8a69-28d362ef6640.png)
![Screenshot 2020-10-02 at 10 28 42](https://user-images.githubusercontent.com/1880467/94903586-50159b00-049a-11eb-97bd-382a823087a6.png)

An example project to test the new profiler panel can be found here: https://github.com/jschaedl/notifier-profiler-integration

Commits
-------

f39e74ba9f [Notifier][WebProfilerBundle][FrameworkBundle] Add notifier section to profiler
2020-10-04 09:43:38 +02:00
Jan Schädlich
f39e74ba9f [Notifier][WebProfilerBundle][FrameworkBundle] Add notifier section to profiler 2020-10-04 09:43:31 +02:00
Fabien Potencier
d88dd13e43 Update CHANGELOG for 4.4.15 2020-10-04 09:20:11 +02:00
Fabien Potencier
f8212cc9e3 Merge branch '5.1'
* 5.1:
  Update security.he.xlf
2020-10-04 09:09:29 +02:00
Fabien Potencier
936c6afdf0 Merge branch '4.4' into 5.1
* 4.4:
  Update security.he.xlf
2020-10-04 09:09:21 +02:00
Fabien Potencier
9c1b6fc985 Merge branch '3.4' into 4.4
* 3.4:
  Update security.he.xlf
2020-10-04 09:09:09 +02:00
Fabien Potencier
62a76ba871 Merge branch '5.1'
* 5.1:
  Handle consecutive supports() calls in the RememberMeAuthenticator
2020-10-04 09:09:00 +02:00
Fabien Potencier
3b524f6d70 feature #38395 [lock] Prevent user serializing the key when store does not support it. (jderusse)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[lock] Prevent user serializing the key when store does not support it.

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | /
| License       | MIT
| Doc PR        | /

Some stores rely on a connection with the running process, i.e. the kernel releases flock/semaphore, or ZooKeeper needs a connection to the database.

When users try to serialize the key to send it to another process, they are not aware that they lose the lock.

This PR throws an exception in that situation.

Commits
-------

1ec0630262 Prevent user serializing the key
2020-10-04 09:08:28 +02:00
Fabien Potencier
c6a747d64b minor #38403 Remove array return type from Request::toArray() (GrahamCampbell)
This PR was merged into the 5.2-dev branch.

Discussion
----------

Remove array return type from Request::toArray()

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #38400
| License       | MIT
| Doc PR        | -

Laravel already extends Symfony's `Request` class and defines its own `toArray` method. https://github.com/symfony/symfony/pull/38224 added a new `toArray` method to this class with a different signature to the one that is in Laravel, causing fatal errors (https://github.com/laravel/framework/issues/34660). I think the best course of action here is to remove the return type for now, and only add it in Symfony 6. This will allow Symfony 6.0 and Laravel 11 to synchronize adding the return type.

Older versions of Laravel can't just change their signature to add an array return type to them, because that would be a breaking change for Laravel users extending Laravel's request class. I'm thinking, in particular, API packages and the like, or just straight up application code.

Commits
-------

8b291a49a6 Remove array return type from Request::toArray()
2020-10-04 09:07:32 +02:00
Fabien Potencier
7db7dcc431 minor #38402 Update security.he.xlf (ben29)
This PR was submitted for the master branch but it was merged into the 3.4 branch instead.

Discussion
----------

Update security.he.xlf

Update Hebrew translation

Commits
-------

8d4c2f052d Update security.he.xlf
2020-10-04 09:06:41 +02:00
Ben Hakim
8d4c2f052d Update security.he.xlf 2020-10-04 09:06:34 +02:00
Fabien Potencier
b94fef4670 bug #38396 Handle consecutive supports() calls in the RememberMeAuthenticator (wouterj)
This PR was merged into the 5.1 branch.

Discussion
----------

Handle consecutive supports() calls in the RememberMeAuthenticator

| Q             | A
| ------------- | ---
| Branch?       | 5.1
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #38206
| License       | MIT
| Doc PR        | -

If I read the issue correctly, the problem is not so much that `autoLogin()` is called in supports, but that it is called multiple times in the same request (in lazy firewalls). This is fixed by this issue.

@qurben or @fancyweb do you have an application with this error, and can you please test the patch in this PR? Please let me know if this actually fixed the issue. (if you can't, I'll create a small demo app to test this one)

Commits
-------

e0d1867b54 Handle consecutive supports() calls in the RememberMeAuthenticator
2020-10-04 09:05:27 +02:00
Fabien Potencier
200392e473 minor #38404 [HttpClient] Minor fix of type and message in ExponentialBackOff (bohanyang)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[HttpClient] Minor fix of type and message in ExponentialBackOff

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | -

Make the type consistent and fix an error message

Commits
-------

6149a0c04b [HttpClient] Minor fix of type and message in ExponentialBackOff
2020-10-04 09:03:11 +02:00
Fabien Potencier
42d86cf2af minor #38397 [Console] Remove "php" invocation from help messages. (rodrigoaguilera)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[Console] Remove "php" invocation from help messages.

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| License       | MIT

Discussion started here:
https://github.com/symfony/symfony/pull/38349

I was a bit puzzled to find that the help for the list and help commands suggests that you call the console application by prefixing it with `php myconsoleapp`.

As suggested in the PR above I am removing the `php ` prefix from the help.

I am providing a script with a shebang like the first example suggested in the following link:
https://symfony.com/doc/current/components/console.html
Eventually I want to distribute my console app as a Docker image so there is no need for PHP to be installed or for the users to even know it is written in PHP.
The script name is easy to override by just setting a different value to `$_SERVER['PHP_SELF']` but this php prefix is hardcoded into the help strings for the two default commands available.

Slightly related to #38347 as I am trying to improve the console help output.

Commits
-------

e036c30e7a [Console] Remove "php" invocation from help messages.
2020-10-04 09:01:38 +02:00
Bohan Yang
6149a0c04b [HttpClient] Minor fix of type and message in ExponentialBackOff 2020-10-04 10:23:35 +08:00
Graham Campbell
8b291a49a6
Remove array return type from Request::toArray() 2020-10-03 23:39:59 +01:00
Rodrigo Aguilera
e036c30e7a [Console] Remove "php" invocation from help messages. 2020-10-03 16:00:31 +02:00
Fabien Potencier
8fa6b3625b Merge branch '5.1'
* 5.1:
  Fix tests
  [Lock] Fix StoreFactory to accept same DSN syntax as AbstractAdapter
  [Serializer][Minor] Fix exception message
2020-10-03 15:58:25 +02:00
Fabien Potencier
40bc14ab78 Merge branch '4.4' into 5.1
* 4.4:
  Fix tests
  [Lock] Fix StoreFactory to accept same DSN syntax as AbstractAdapter
  [Serializer][Minor] Fix exception message
2020-10-03 15:58:17 +02:00
Wouter de Jong
e0d1867b54 Handle consecutive supports() calls in the RememberMeAuthenticator 2020-10-03 15:02:03 +02:00
Jérémy Derussé
1ec0630262
Prevent user serializing the key 2020-10-03 14:03:42 +02:00
Fabien Potencier
2be67879b9 feature #38307 [Form] Implement Twig helpers to get field variables (tgalopin)
This PR was merged into the 5.2-dev branch.

Discussion
----------

[Form] Implement Twig helpers to get field variables

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | -
| License       | MIT
| Doc PR        | https://github.com/symfony/symfony-docs/pull/14308

Designing Symfony Forms has always been difficult, especially for developers not comfortable with Symfony or Twig. The reason behind this difficulty is that the current `form_*` helper functions, while providing a way to quickly render a form, are hiding the generated HTML behind a notation specific to Symfony.

HTML standards introduced many new attributes since the Form component was created, from new constraints to how inputs should be displayed, treated by screen readers, etc.

I propose to introduce a series of new Twig functions to help create more flexible forms without the hurdle of having to use `form_*` functions. I called these methods `field_*` because they aim at rendering only the tiny bits of strings necessary to map forms to the Symfony backend.

The functions introduced are:

* `field_name` returns the name of the given field
* `field_value` returns the current value of the given field
* `field_label` returns the label of the given field, translated if possible
* `field_help` returns the help of the given field, translated if possible
* `field_errors` returns an iterator of strings for each of the errors of the given field
* `field_choices` returns an iterator of choices (the structure depending on whether the field uses or doesn't use optgroup) with translated labels if possible as keys and values as values

A quick example of usage of these functions could be the following:

``` twig
<input
    name="{{ field_name(form.username) }}"
    value="{{ field_value(form.username) }}"
    placeholder="{{ field_label(form.username) }}"
    class="form-control"
/>

<select name="{{ field_name(form.country) }}" class="form-control">
    <option value="">{{ field_label(form.country) }}</option>

    {% for label, value in field_choices(form.country) %}
        <option value="{{ value }}">{{ label }}</option>
    {% endfor %}
</select>

<select name="{{ field_name(form.stockStatus) }}" class="form-control">
    <option value="">{{ field_label(form.stockStatus) }}</option>

    {% for groupLabel, groupChoices in field_choices(form.stockStatus) %}
        <optgroup label="{{ groupLabel }}">
            {% for label, value in groupChoices %}
                <option value="{{ value }}">{{ label }}</option>
            {% endfor %}
        </optgroup>
    {% endfor %}
</select>

{% for error in field_errors(form.country) %}
    <div class="text-danger mb-2">
        {{ error }}
    </div>
{% endfor %}
```

There are several advantages to using these functions instead of their `form_*` equivalents:

* they are much easier to use for developers not knowing Symfony: they rely on native HTML with bits of logic inside, instead of relying on specific tools needing to be configured to display proper HTML
* they allow for better integration with CSS frameworks or Javascript libraries as adding a new HTML attribute is trivial (no need to look at the documentation)
* they are easier to use in contexts where one would like to customize the rendering of an input in detail: having the label as placeholder, displaying a select empty field, ...

The `form_*` functions are still usable of course, but I'd argue this technique is actually easier to read and understand.

Commits
-------

3941d70928 [Form] Implement Twig helpers to get field variables
2020-10-03 11:48:50 +02:00
Fabien Potencier
6a79f3e06f Fix tests 2020-10-03 08:31:32 +02:00
Fabien Potencier
35e04d9136 bug #36291 [Lock] Fix StoreFactory to accept same DSN syntax as AbstractAdapter (Jontsa)
This PR was squashed before being merged into the 4.4 branch.

Discussion
----------

[Lock] Fix StoreFactory to accept same DSN syntax as AbstractAdapter

| Q             | A
| ------------- | ---
| Branch?       | 4.4
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #35350
| License       | MIT
| Doc PR        |

Updates `Symfony\Component\Lock\Store\StoreFactory` to accept same DSN syntax as `Symfony\Component\Cache\Adapter\AbstractAdapter` which is used to create Redis class instance.

Commits
-------

4ebbe3d86b [Lock] Fix StoreFactory to accept same DSN syntax as AbstractAdapter
2020-10-03 08:30:09 +02:00
Joni Halme
4ebbe3d86b [Lock] Fix StoreFactory to accept same DSN syntax as AbstractAdapter 2020-10-03 08:30:00 +02:00
Fabien Potencier
534466d1cf feature #38177 [Security] Magic login link authentication (weaverryan)
This PR was squashed before being merged into the 5.2-dev branch.

Discussion
----------

[Security] Magic login link authentication

| Q             | A
| ------------- | ---
| Branch?       | master
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | none
| License       | MIT
| Doc PR        | TODO

Hi!

This adds a Slack-style "magic link" login authenticator to the new login system: (A) enter your email into a form, (B) receive an email with a link in it (C) click that link and you are authenticated!

For most users, implementing this would require:

A) Create a [controller](https://github.com/weaverryan/symfony-magic-login-link-example/blob/master/src/Controller/MagicLinkLoginController.php) with the "enter your email" form and a route for the "check" functionality (similar to `form_login`)
B) Activate in `security.yaml`:

```yml
security:
    enable_authenticator_manager: true
    # ...
    firewalls:
        # ...
        main:
            # ...
            login_link:
                check_route: 'magic_link_verify'
                # this is an important and powerful option
                # An array of properties on your User that are used to sign the link.
                # If any of these change, all existing links will become invalid
                # tl;dr If you want the modification of ANY field to invalidate ALL existing magic links immediately,
                # then you can add it to this list. You could even add a "lastLoginLinkSentAt" to invalidate
                # all existing login links when a new one is sent.
                signature_properties: [id, password, email]

                # optional - by default, links can be reused but have a 10 minute lifetime
                #max_uses: 3
                #used_link_cache: cache.app
```

Done! This will generate a URL that looks something like this:

> https://127.0.0.1:9033/login/verify?user=weaverryan@gmail.com&expires=1601342578&hash=YzE1ZDJlYjM3YTMyMjgwZDdkYzg2ZjFlMjZhN2E5ZWRmMzk3NjAxNjRjYThiMjMzNmIxYzAzYzQ4NmQ2Zjk4NA%3D%3D

We would implement a Maker command this config + login/controller. The implementation is done via a "signed URL" and an optional cache pool to "expire" links. The hash of the signed URL can contain any user fields you want, which give you a powerful mechanism to invalidate magic tokens on user data changes. See `signature_properties` above.

#### Security notes:

There is a LOT of variability about how secure these need to be:

* A) Many/most implementations only allow links to be used ONE time. That is *possible* with this implementation, but is not the *default*. You CAN add a `max_uses` config which stores the expired links in a cache so they cannot be re-used. However, to make this work, you need to do more work by adding some "page" between the link the user clicks and *actually* using the login link. Why? Because unless you do this, email clients may follow the link to "preview" it and will "consume" the link.

* B) Many implementations will invalidate all other login links for a user when a new one is created. We do *not* do that, but that IS possible (and we could even generate the code for it) by adding a `lastLoginLinkSentAt` field to `User` and including this in `signature_properties`.

* C) We *do* invalidate all links if the user's email address is changed (assuming the `email` is included in `signature_properties`, which it should be). You can also invalidate on password change or whatever you want.

* D) Some implementations add a "state" so that you can only use the link on the same device that created it. That is, in many cases, quite annoying. We do not currently support that, but we could in the future (and the user could add it themselves).

Thanks!

#### TODOS:

* [x] A) more tests: functional (?) traits
* [ ] B) documentation
* [ ] C) MakerBundle PR
* [ ] D) Make sure we have what we need to allow that "in between" page
* [ ] E) Create a new cache pool instead of relying on cache.app?

Commits
-------

a8afe109d8 [Security] Magic login link authentication
2020-10-03 08:23:42 +02:00
Ryan Weaver
a8afe109d8 [Security] Magic login link authentication 2020-10-03 08:23:35 +02:00
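
The signed-URL idea described in the magic login link PR above, as an added PHP sketch (not code from the PR or from Symfony): an HMAC covers the user identifier, the expiry and the `signature_properties` values, so changing any of those fields invalidates outstanding links. The function names, the secret, the JSON field encoding and the sample user are assumptions made for illustration; single-use tracking (`max_uses`) is left out.

```php
<?php
declare(strict_types=1);

// Constructed demo secret; a real application keeps this outside the code base.
const APP_SECRET = 'constructed-demo-secret';

// Hypothetical helper: HMAC over identifier, expiry and the signature properties.
function computeLinkHash(array $user, string $identifier, int $expires, array $properties): string
{
    $fields = [$identifier, (string) $expires];
    foreach ($properties as $property) {
        if (!array_key_exists($property, $user)) {
            throw new InvalidArgumentException("Unknown signature property: $property");
        }
        $fields[] = (string) $user[$property];
    }
    // JSON keeps field boundaries unambiguous ("ab","c" must differ from "a","bc").
    $payload = json_encode($fields, JSON_THROW_ON_ERROR);

    return base64_encode(hash_hmac('sha256', $payload, APP_SECRET));
}

function createLoginLink(array $user, string $identifier, array $properties, int $lifetime, int $now): string
{
    $expires = $now + $lifetime;

    return '/login/verify?' . http_build_query([
        'user' => $identifier,
        'expires' => $expires,
        'hash' => computeLinkHash($user, $identifier, $expires, $properties),
    ]);
}

function verifyLoginLink(string $url, callable $loadUser, array $properties, int $now): bool
{
    parse_str((string) parse_url($url, PHP_URL_QUERY), $query);
    foreach (['user', 'expires', 'hash'] as $key) {
        // Rejects missing parameters and array-valued parameters such as hash[]=...
        if (!isset($query[$key]) || !is_string($query[$key])) {
            return false;
        }
    }
    if (!ctype_digit($query['expires']) || (int) $query['expires'] < $now) {
        return false; // malformed or expired
    }
    $user = $loadUser($query['user']);
    if (null === $user) {
        return false;
    }
    // Recompute from the *current* user record and compare in constant time.
    $expected = computeLinkHash($user, $query['user'], (int) $query['expires'], $properties);

    return hash_equals($expected, $query['hash']);
}

// Constructed sample data: one user, a 10 minute lifetime, a fixed issue time.
$users = ['alice@example.com' => ['id' => 7, 'email' => 'alice@example.com', 'password' => 'constructed-hash-1']];
$loadUser = function (string $identifier) use (&$users): ?array {
    return $users[$identifier] ?? null;
};
$properties = ['id', 'password', 'email'];
$issuedAt = 1601341978;
$link = createLoginLink($users['alice@example.com'], 'alice@example.com', $properties, 600, $issuedAt);

// Case 1: the link is used one minute after it was issued.
var_dump(verifyLoginLink($link, $loadUser, $properties, $issuedAt + 60));
// Case 2: the expires parameter was edited in the URL, so the hash no longer covers it.
$edited = str_replace('expires=1601342578', 'expires=1901342578', $link);
var_dump(verifyLoginLink($edited, $loadUser, $properties, $issuedAt + 60));
// Case 3: the link is used after its lifetime has passed.
var_dump(verifyLoginLink($link, $loadUser, $properties, $issuedAt + 601));
// Case 4: the password changed after the link was issued.
$users['alice@example.com']['password'] = 'constructed-hash-2';
var_dump(verifyLoginLink($link, $loadUser, $properties, $issuedAt + 60));
```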