[Security] Deprecate PersistentToken::getClass() and RememberMeDetails::getUserFqcn() in order to remove the user FQCN from the remember-me cookie in 8.0

Author: nicolas-grekas

Authentication/RememberMe/InMemoryTokenProvider.php

@@ -38,7 +38,7 @@ public function updateToken(string $series, #[\SensitiveParameter] string $token
         }
 
         $token = new PersistentToken(
-            $this->tokens[$series]->getClass(),
+            $this->tokens[$series]->getClass(false),
             $this->tokens[$series]->getUserIdentifier(),
             $series,
             $tokenValue,

Authentication/RememberMe/PersistentToken.php

@@ -43,8 +43,15 @@ public function __construct(
         $this->lastUsed = \DateTimeImmutable::createFromInterface($lastUsed);
     }
 
-    public function getClass(): string
+    /**
+     * @deprecated since Symfony 7.4
+     */
+    public function getClass(bool $triggerDeprecation = true): string
     {
+        if ($triggerDeprecation) {
+            trigger_deprecation('symfony/security-core', '7.4', 'The "%s()" method is deprecated: the user class will be removed from the remember-me cookie in 8.0.', __METHOD__);
+        }
+
         return $this->class;
     }
 

Authentication/RememberMe/PersistentTokenInterface.php

@@ -21,6 +21,8 @@ interface PersistentTokenInterface
 {
     /**
      * Returns the class of the user.
+     *
+     * @deprecated since Symfony 7.4, the user class will be removed from the remember-me cookie in 8.0
      */
     public function getClass(): string;
 

CHANGELOG.md

@@ -4,7 +4,8 @@ CHANGELOG
 7.4
 ---
 
-* Add `MermaidDumper` to dump Role Hierarchy graphs in the Mermaid.js flowchart format
+ * Add `MermaidDumper` to dump Role Hierarchy graphs in the Mermaid.js flowchart format
+ * Deprecate `PersistentTokenInterface::getClass()`, the user class will be removed from the remember-me cookie in 8.0
 
 7.3
 ---

Tests/Authentication/RememberMe/PersistentTokenTest.php

@@ -11,6 +11,8 @@
 
 namespace Symfony\Component\Security\Core\Tests\Authentication\RememberMe;
 
+use PHPUnit\Framework\Attributes\Group;
+use PHPUnit\Framework\Attributes\IgnoreDeprecations;
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\RememberMe\PersistentToken;
 
@@ -21,7 +23,6 @@ public function testConstructor()
         $lastUsed = new \DateTimeImmutable();
         $token = new PersistentToken('fooclass', 'fooname', 'fooseries', 'footokenvalue', $lastUsed);
 
-        $this->assertEquals('fooclass', $token->getClass());
         $this->assertEquals('fooname', $token->getUserIdentifier());
         $this->assertEquals('fooseries', $token->getSeries());
         $this->assertEquals('footokenvalue', $token->getTokenValue());
@@ -35,4 +36,12 @@ public function testDateTime()
 
         $this->assertEquals($lastUsed, $token->getLastUsed());
     }
+
+    #[IgnoreDeprecations]
+    #[Group('legacy')]
+    public function testClassDeprecation()
+    {
+        $token = new PersistentToken('fooclass', 'fooname', 'fooseries', 'footokenvalue', new \DateTimeImmutable());
+        $this->assertSame('fooclass', $token->getClass());
+    }
 }