This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
38737 add missing dutch translation
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#38737
| License | MIT
| Doc PR | No, not needed
Update dutch translation
Commits
-------
7cf4ca6f83 38737 add missing dutch translation
This PR was merged into the 3.4 branch.
Discussion
----------
Missing swedish translations for Form, Security and Validator components
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#38765
| License | MIT
| Doc PR |
Added missing swedish translations for Form, Security and Validator components
Commits
-------
1044b1e852Fix#38765 Added missing swedish translations for Form, Security and Validator components
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
Added missing translations for Russian
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#38759
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Hello!
I added missing translations for Russian.
Commits
-------
6a9e274a10 Added missing translations for Russian
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Add missing Latvian translations
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Part of #34710, #34749
| License | MIT
| Doc PR | N/A
Commits
-------
7f2b13bcb3 [Security] Add missing Latvian translations
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
Add missing vietnamese translations
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix#38770 <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License | MIT
| Doc PR | - <!-- required for new features -->
<!--
Replace this notice by a short README for your feature/bugfix. This will help people
understand your PR and can be used as a start for the documentation.
Additionally (see https://symfony.com/releases):
- Always add tests and ensure they pass.
- Never break backward compatibility (see https://symfony.com/bc).
- Bug fixes must be submitted against the lowest maintained branch where they apply
(lowest branches are regularly merged to upper ones so they get the fixes too.)
- Features and deprecations must be submitted against branch 5.x.
-->
Commits
-------
6289b271aa Add missing vietnamese translations
This PR was merged into the 3.4 branch.
Discussion
----------
Closes#38747: Add italian translations.
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | no
| New feature? | no
| Deprecations? | no
| Tickets | Fix#38747
| License | MIT
| Doc PR | N/A
Commits
-------
7d25a46b3bCloses#38747: Add italian translations.
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
Update Security Arabic Translations
| Q | A
| ------------- | ---
| Branch? | 5.x for features / 3.4, 4.4
| Bug fix? | no
| New feature? | no <!-- please update src/**/CHANGELOG.md files -->
| Deprecations? | no <!-- please update UPGRADE-*.md and src/**/CHANGELOG.md files -->
| Tickets | Fix #... <!-- prefix each issue number with "Fix #", no need to create an issue if none exist, explain below instead -->
| License | MIT
| Doc PR | symfony/symfony-docs#... <!-- required for new features -->
Related to https://github.com/symfony/symfony/issues/38723
Commits
-------
e6219e4796 Update Security Arabic Translations
This PR was merged into the 3.4 branch.
Discussion
----------
[Security] Synchronized translations with 5.x
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Part of #38710
| License | MIT
| Doc PR | N/A
Commits
-------
3d7863f5b5 [Security] Synchronized translations with 5.x.
This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[RateLimiter] Moved classes implementing LimiterInterface to a new namespace
| Q | A
| ------------- | ---
| Branch? | 5.x
| Bug fix? | no
| New feature? | no
| Deprecations? | no?
| Tickets |
| License | MIT
| Doc PR |
Before we release the RateLimit component.
I think it would be a good idea to put the 7 classes that belongs to a specific strategy in their own "Policy" namespace. It is very likely that it will be more strategies in the future and the `Symfony\Component\RateLimiter` namespace is crowed as it is.
I decided not to put the `CompoundLimiter` in this namespace as it is not a strategy.
Commits
-------
1e6cea56e4 [RateLimiter] Moved classes implementing LimiterInterface to a new namespace
* 5.1:
fix merge
fix merge
Remove branch-version (keep them for contracts only)
[HttpClient] relax auth bearer format requirements
[PHPUnitBridge] Silence errors from mkdir()
[DependencyInjection] Preload classes with union types correctly.
[Serializer] fix decoding float XML attributes starting with 0
add missing dutch translations
[TwigBridge] Remove "transchoice" from the code base
Support PHPUnit 8 and PHPUnit 9 in constraint compatibility trait
Add expectDeprecation, expectNotice, expectWarning, and expectError to TestCase polyfill
[String] fix before/after[Last]() returning the empty string instead of the original one on non-match
Add missing exporter function for PHPUnit 7
[Validator] Add missing romanian translations
[String] fix slicing in UnicodeString
[Cache] Use correct expiry in ChainAdapter
do not translate null placeholders or titles
* 4.4:
fix merge
Remove branch-version (keep them for contracts only)
[HttpClient] relax auth bearer format requirements
[PHPUnitBridge] Silence errors from mkdir()
[DependencyInjection] Preload classes with union types correctly.
[Serializer] fix decoding float XML attributes starting with 0
add missing dutch translations
Support PHPUnit 8 and PHPUnit 9 in constraint compatibility trait
Add expectDeprecation, expectNotice, expectWarning, and expectError to TestCase polyfill
Add missing exporter function for PHPUnit 7
[Validator] Add missing romanian translations
[Cache] Use correct expiry in ChainAdapter
do not translate null placeholders or titles
* 3.4:
Remove branch-version (keep them for contracts only)
[Serializer] fix decoding float XML attributes starting with 0
add missing dutch translations
[Validator] Add missing romanian translations
do not translate null placeholders or titles
This PR was squashed before being merged into the 5.x branch.
Discussion
----------
[Validator] Upgraded constraints to enable named arguments and attributes
| Q | A
| ------------- | ---
| Branch? | 5.2
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | #38096
| License | MIT
| Doc PR | TODO with symfony/symfony-docs#14305
This PR enables all remaining atomic (!= composite) constraints to be used as attributes.
The only exception is `UniqueEntity` from Doctrine bridge because we don't have a Doctrine ORM release yet that supports PHP 8. So I could migrate that one as well, but I cannot really test it.
Commits
-------
fb99eb2052 [Validator] Upgraded constraints to enable named arguments and attributes
Returning DateTime objects seems like a common use-case to automatically expire
all login links when one is used or to only allow the login link to be used
once.
This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[Security] Magic login link authentication
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| Tickets | none
| License | MIT
| Doc PR | TODO
Hi!
This adds a Slack-style "magic link" login authenticator to the new login system: (A) enter your email into a form, (B) receive an email with a link in it (C) click that link and you are authenticated!
For most users, implementing this would require:
A) Create a [controller](https://github.com/weaverryan/symfony-magic-login-link-example/blob/master/src/Controller/MagicLinkLoginController.php) with the "enter your email" form and a route for the "check" functionality (similar to `form_login`)
B) Activate in `security.yaml`:
```yml
security:
enable_authenticator_manager: true
# ...
firewalls:
# ...
main:
# ...
login_link:
check_route: 'magic_link_verify'
# this is an important and powerful option
# An array of properties on your User that are used to sign the link.
# If any of these change, all existing links will become invalid
# tl;dr If you want the modification of ANY field to invalidate ALL existing magic links immediately,
# then you can add it to this list. You could even add a "lastLoginLinkSentAt" to invalid
# all existing login links when a new one is sent.
signature_properties: [id, password, email]
# optional - by default, links can be reused but have a 10 minute lifetime
#max_uses: 3
#used_link_cache: cache.app
```
Done! This will generate a URL that looks something like this:
> https://127.0.0.1:9033/login/verify?user=weaverryan@gmail.com&expires=1601342578&hash=YzE1ZDJlYjM3YTMyMjgwZDdkYzg2ZjFlMjZhN2E5ZWRmMzk3NjAxNjRjYThiMjMzNmIxYzAzYzQ4NmQ2Zjk4NA%3D%3D
We would implement a Maker command this config + login/controller. The implementation is done via a "signed URL" and an optional cache pool to "expire" links. The hash of the signed URL can contain any user fields you want, which give you a powerful mechanism to invalidate magic tokens on user data changes. See `signature_properties` above.
#### Security notes:
There is a LOT of variability about how secure these need to be:
* A) Many/most implementation only allow links to be used ONE time. That is *possible* with this implementation, but is not the *default*. You CAN add a `max_uses` config which stores the expired links in a cache so they cannot be re-used. However, to make this work, you need to do more work by adding some "page" between the link the users clicks and *actually* using the login link. Why? Because unless you do this, email clients may follow the link to "preview" it and will "consume" the link.
* B) Many implementations will invalidate all other login links for a user when a new one is created. We do *not* do that, but that IS possible (and we could even generate the code for it) by adding a `lastLoginLinkSentAt` field to `User` and including this in `signature_properties`.
* C) We *do* invalidate all links if the user's email address is changed (assuming the `email` is included in `signature_properties`, which it should be). You can also invalidate on password change or whatever you want.
* D) Some implementations add a "state" so that you can only use the link on the same device that created it. That is, in many cases, quite annoying. We do not currently support that, but we could in the future (and the user could add it themselves).
Thanks!
#### TODOS:
* [x] A) more tests: functional (?) traits
* [ ] B) documentation
* [ ] C) MakerBundle PR
* [ ] D) Make sure we have what we need to allow that "in between" page
* [ ] E) Create a new cache pool instead of relying on cache.app?
Commits
-------
a8afe109d8 [Security] Magic login link authentication
This allows limiting on different elements of a request. This is usefull to
e.g. prevent breadth-first attacks, by allowing to enforce a limit on both IP
and IP+username.
* 5.1: (25 commits)
stop using the deprecated at() PHPUnit matcher
fix lowest allowed version of the HTTP client contracts
fix lowest allowed version for the PHPUnit bridge
fix merge
fix merge
drop logger mock in favor of using the BufferingLogger
catch ValueError thrown on PHP 8
[Yaml Parser] Fix edge cases when parsing multiple documents
fix parsing comments not prefixed by a space
[Translator] Make sure a null locale is handled properly
deal with errors being thrown on PHP 8
loadRoutes shoud receive RoutingPhpFileLoader
[Cache] Allow cache tags to be objects implementing __toString()
[HttpKernel] Do not override max_redirects option in HttpClientKernel
Log notice when no entry point is configured
remove superfluous cast
[HttpClient] Support for CURLOPT_LOCALPORT.
Upgrade PHPUnit to 8.5 (php 7.2) and 9.3 (php >= 7.3).
Fixed exception message formatting
[FrameworkBundle] Fix error in xsd which prevent to register more than one metadata
...
* 5.1:
[Debug] fix test
consistently use same types for strict comparisons
[PhpUnitBridge] Skip internal classes in CoverageListenerTrait
[VarExporter] unserialize() might throw an Exception on php 8.
[SecurityHttp] Don't call createMock() with multiple interfaces.
[ErrorHandler] Parse "x not found" errors correctly on php 8.
Prevent parsing invalid octal digits as octal numbers
remove unnecessary check for existing request
[DI] fix ContainerBuilder on PHP8
[Console] Make sure $maxAttempts is an int or null.
[VarDumper] Fix caster for invalid SplFileInfo objects on php 8.
[Intl] Skip test cases that produce a TypeError on php 8.
[PhpUnitBridge] Adjust output parsing for PHPUnit 9.3.
[PhpUnitBridge] CoverageListenerTrait update for PHPUnit 8.5/9.x
add bosnian (bs) translation
[Debug] Parse "x not found" errors correctly on php 8.
* 5.1:
Enable "native_constant_invocation" CS rule
Make AbstractPhpFileCacheWarmer public
Fix CS
Add a warning comment on ldap empty password
Bump Symfony version to 4.4.14
Update VERSION for 4.4.13
Update CHANGELOG for 4.4.13
[PhpunitBridge] Fix deprecation type detection
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Security] Configurable execution order for firewall listeners
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
| Doc PR | n/a
Hello there, I'm the author of `scheb/two-factor-bundle`, which extends Symfony's security layer with two-factor authentication. I've been closely following the recent changes by @wouterj to rework the security layer with "authenticators" (great work!). While I managed to make my bundle work with authenticators, I see some limitations in the security layer that I'd like to address to make such extensions easier to implement.
In #37336 I've submitted a draft to let security factories add their own authentication listeners to the firewall. This PR is intended to address the issue of execution order. If you look at the `Firewall` class
f64f59a9c0/src/Symfony/Component/Security/Http/Firewall.php (L62-L82)
authentication listeners are executed in the order of their creation. Additionally, there's hardcoded logic to execute `Symfony\Component\Security\Http\Firewall\AccessListener` always last and the logout listener second to last. I'd like to have a more flexible approach, to remove the hardcoded order and give authentication listeners the ability to determine their execution order.
I've added an optional interface to provide a priority to sort all registered authenitication listeners. Sorting is done in a compiler pass, so no time is wasted at runtime.
This is a draft, so I'd like to hear your opinion on this :)
Commits
-------
91388e871b Add ability to prioritize firewall listeners
This PR was merged into the 5.2-dev branch.
Discussion
----------
[Security] Renamed provider key to firewall name
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | no
| Deprecations? | yes
| Tickets | Fix#15207
| License | MIT
| Doc PR | tbd
This fixes the `$providerKey` argument names on the classes that will remain in use, even when the new Security system will take over. @fabpot do you think these changes are worth it?
Officially, all token classes are not marked as `@final`. Do I need to take into account when someone is overriding the `getProviderKey()` method? Also, I couldn't find a way to trigger a deprecation notice for deprecated properties, is this a problem?
Commits
-------
91b276326d Renamed $providerKey to $firewallName
* 5.1:
Backport: Improve link script with rollback when using symlink
fix more numeric cases changing in PHP 8
Fixed autoLogin() returning null
[Notifier] add doc for free mobile dsn
* 5.1:
fix: clarify parameter name to comply with deprecations from #34074
[Sendgrid-Mailer] Fixed envelope recipients on sendgridApiTransport
mark the AssertingContextualValidator class as internal
Fix the parameter names in the SecurityFactoryInterface::create() method
[Serializer][ClassDiscriminatorMapping] Fix getMappedObjectType() when a discriminator child extends another one
make return type correct
* 5.1:
Postpone BC layer removal to 6.0.
add validator translation 99 for Italian language
stop using the deprecated at() PHPUnit matcher
Fix typehint phpdoc
This PR was squashed before being merged into the 5.2-dev branch.
Discussion
----------
[Security] Add event to inspect authenticated token before it becomes effective
| Q | A
| ------------- | ---
| Branch? | master
| Bug fix? | no
| New feature? | yes
| Deprecations? | no
| License | MIT
| Doc PR | n/a
Hello there, I'm the author of `scheb/two-factor-bundle`, which extends Symfony's security layer with two-factor authentication. I've been closely following the recent changes by @wouterj to rework the security layer with "authenticators" (great work!). While I managed to make my bundle work with authenticators, I see some limitations in the security layer that I'd like to address to make such extensions easier to implement.
This PR adds a new event, which is disapatched right after the authenticated token has been created by the authenticator, to "announce" it to the application *before* it becomes effective to the security system. The event works similar to `ResponseEvent`, but for security token. It allows listeners to inspect the new token before it becomes effective and - most importantly - apply modifications to it. So components other than the authenticator will be able to influence how the security token looks like, that will be set to the security layer on successful authentication.
Why would you want to do this? Of course I'm looking at this from the 2fa perspective. To make 2fa work, it's necessary to prevent a newly created authenticated token from becoming visible to the security system and therefore exposing its privileges/roles. This is done by replacing the authenticated token with a temporary "TwoFactorToken". Currently I'm doing this through dependency injection, getting all the registered authenticators and decorating them with my own token-exchange logic. This is not very clean and overly complicated, but it works. Adding this event as a hook-in point would allow for a much cleaner integration for any component that wants to have a saying in how the security token should look like.
Commits
-------
20309646b7 [Security] Add event to inspect authenticated token before it becomes effective
* 5.1:
Fix typo
Fix deprecated libxml_disable_entity_loader
Add Tagalog translations for validator messages 94, 95, 96 and 99
PHPUnit's assertContains() performs strict comparisons now.
[ClassLoader][Routing] Fix namespace parsing on php 8.
Fix deprecated libxml_disable_entity_loader
Made reference to PHPUnit\Util\XML::loadfile php5-compatible.
[Validator] Add missing translations for german and vietnamese
Modernized deprecated PHPUnit assertion calls
[Console] The message of "class not found" errors has changed in php 8.
The PHPUnit\Util\XML class has been removed in PHPUnit 9.3.
[Console] Make sure we pass a numeric array of arguments to call_user_func_array().
Remove outdated references from base_js.html.twig file
[String] We cannot have a "provides" function in test cases.
Typo: somes styles fixed
[Serializer] Fix that it will never reach DOMNode
[Validator] sync translations
[VarDumper] Improve previous fix on light array coloration
[Cache] Fix#37667
* 4.4:
Fix typo
Fix deprecated libxml_disable_entity_loader
Add Tagalog translations for validator messages 94, 95, 96 and 99
PHPUnit's assertContains() performs strict comparisons now.
[ClassLoader][Routing] Fix namespace parsing on php 8.
Fix deprecated libxml_disable_entity_loader
Made reference to PHPUnit\Util\XML::loadfile php5-compatible.
[Validator] Add missing translations for german and vietnamese
Modernized deprecated PHPUnit assertion calls
[Console] The message of "class not found" errors has changed in php 8.
The PHPUnit\Util\XML class has been removed in PHPUnit 9.3.
[Console] Make sure we pass a numeric array of arguments to call_user_func_array().
[Serializer] Fix that it will never reach DOMNode
[Validator] sync translations
[VarDumper] Improve previous fix on light array coloration
[Cache] Fix#37667
* 3.4:
Add Tagalog translations for validator messages 94, 95, 96 and 99
PHPUnit's assertContains() performs strict comparisons now.
[ClassLoader][Routing] Fix namespace parsing on php 8.
Fix deprecated libxml_disable_entity_loader
Made reference to PHPUnit\Util\XML::loadfile php5-compatible.
[Validator] Add missing translations for german and vietnamese
Modernized deprecated PHPUnit assertion calls
[Console] The message of "class not found" errors has changed in php 8.
The PHPUnit\Util\XML class has been removed in PHPUnit 9.3.
[Console] Make sure we pass a numeric array of arguments to call_user_func_array().
[Serializer] Fix that it will never reach DOMNode
[Validator] sync translations
[VarDumper] Improve previous fix on light array coloration
[Cache] Fix#37667
This PR was squashed before being merged into the 3.4 branch.
Discussion
----------
Modernized deprecated PHPUnit assertion calls
| Q | A
| ------------- | ---
| Branch? | 3.4
| Bug fix? | yes
| New feature? | no
| Deprecations? | no
| Tickets | Part of #37564
| License | MIT
| Doc PR | N/A
Some assertions have been renamed in PHPUnit 9. PhpUnitBridge should already have polyfills in place for those methods, so it should be save to use them.
Commits
-------
ab417f7040 Modernized deprecated PHPUnit assertion calls
* 5.1:
minor #37121 [Contracts] Add missing "extra.thanks" entries in composer.json (nicolas-grekas)
[Process] Fix Permission Denied error when writing sf_proc_00 lock files on Windows
fix handling null as empty data
[Security\Http] Skip remember-me logout on empty token
Missing return in loadValuesForChoices method
No need to create an issue when creating a PR
Use ">=" for the "php" requirement
[HttpClient] Fix promise behavior in HttplugClient
[Console] Fixes question input encoding on Windows