Skip to content

[Security] deprecate extending RememberMeDetails using legacy constructor signature #61789

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
fabpot merged 1 commit into from
Sep 26, 2025
Merged

[Security] deprecate extending RememberMeDetails using legacy constructor signature #61789

fabpot merged 1 commit into from
Sep 26, 2025

Conversation

@xabbuh
Copy link
Member

@xabbuh xabbuh commented Sep 19, 2025

Q A
Branch? 7.4
Bug fix? no
New feature? yes
Deprecations? no
Issues
License MIT

@xabbuh xabbuh requested a review from chalasr as a code owner September 19, 2025 08:47
@carsonbot carsonbot added this to the 7.4 milestone Sep 19, 2025
@OskarStark OskarStark changed the title [Security] mark the RememberMeDetails class as final [Security] mark RememberMeDetails class as final Sep 19, 2025
@OskarStark OskarStark changed the title [Security] mark RememberMeDetails class as final [Security] mark RememberMeDetails class as final Sep 19, 2025
@xabbuh xabbuh changed the title [Security] mark RememberMeDetails class as final [Security] mark the RememberMeDetails class as final Sep 19, 2025
@xabbuh
Copy link
Member Author

xabbuh commented Sep 19, 2025

/cc @wouterj As you added the class back then #40145 you maybe have use cases in mind where being able to extend this class is necessary. In that case we may have to figure out a different solution.

@wouterj
Copy link
Member

wouterj commented Sep 19, 2025
edited
Loading

I believe there is a general policy to not make value objects final if they don't have an interface (or at least back then). Making this class final means your custom RememberMeHandlerInterface implementation cannot customize the value object (e.g. if it needs to store more data). Can't remember if I had a concrete use-case.

@xabbuh
Copy link
Member Author

xabbuh commented Sep 19, 2025

An alternative solution I have in mind is triggering a deprecation in case the custom implementation has its own constructor but does not also override the two static factory methods. Otherwise we risk that custom implementations break in 8.0 with our new constructor signature.

@chalasr
Copy link
Member

chalasr commented Sep 21, 2025
edited
Loading

Although Wouter's rule make sense most of the times, I'm fine making this class final because I think the security-http API that exposes it doesn't make it a good extension point anyway.

nicolas-grekas

This comment was marked as resolved.

Sign in to view

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Sep 22, 2025
edited
Loading

An alternative solution I have in mind is triggering a deprecation in case the custom implementation has its own constructor but does not also override the two static factory methods. Otherwise we risk that custom implementations break in 8.0 with our new constructor signature.

OK, on closer inspection I understand the motivation - having the constructor part of a public API since we're calling new static().
What about triggering a deprecation from the factories when the constructor is overridden and has more than 2 required arguments?

@xabbuh xabbuh changed the title [Security] mark the RememberMeDetails class as final [Security] deprecate extending RememberMeDetails using legacy constructor signature Sep 25, 2025
@xabbuh xabbuh force-pushed the pr-61743 branch 2 times, most recently from dee44a8 to fac9442 Compare September 25, 2025 08:45
@xabbuh
Copy link
Member Author

xabbuh commented Sep 25, 2025

What about triggering a deprecation from the factories when the constructor is overridden and has more than 2 required arguments?

works as well, I updated the PR accordingly

nicolas-grekas
nicolas-grekas reviewed Sep 25, 2025
View reviewed changes
@fabpot
Copy link
Member

fabpot commented Sep 26, 2025

Thank you @xabbuh.

@fabpot fabpot merged commit 044082f into symfony:7.4 Sep 26, 2025
10 of 12 checks passed
@fabpot fabpot mentioned this pull request Sep 26, 2025
Closed
@xabbuh xabbuh deleted the pr-61743 branch September 26, 2025 07:44
This was referenced Oct 27, 2025
Merged
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@OskarStark OskarStark OskarStark left review comments

@fabpot fabpot fabpot approved these changes

@nicolas-grekas nicolas-grekas nicolas-grekas approved these changes

@chalasr chalasr chalasr approved these changes

Assignees

No one assigned

Labels

Feature Security Status: Reviewed

Projects

None yet

Milestone

7.4

Development

Successfully merging this pull request may close these issues.

7 participants

@xabbuh @wouterj @chalasr @nicolas-grekas @fabpot @OskarStark @carsonbot