RememberMeLogoutListener, which was introduced together with the new authenticator security in Symfony 5.1, depends onAbstractRememberMeServices. This forces people to always extend fromAbstractRememberMeServices, even when they're implementing the correct interface.

I'd suggest to depend on the minimum interface, which isLogoutHandlerInterface, instead.

Example of the type errors you'd get otherwise:
Argument 1 passed to Symfony\Component\Security\Http\EventListener\RememberMeLogoutListener::__construct() must be an instance of Symfony\Component\Security\Http\RememberMe\AbstractRememberMeServices, instance of Scheb\TwoFactorBundle\Security\Authentication\RememberMe\RememberMeServicesDecorator given, called in var/cache/dev/Container3IpOCEd/getSecurity_Logout_Listener_RememberMe_MainService.php on line 22

with

class RememberMeServicesDecoratorimplements RememberMeServicesInterface, LogoutHandlerInterface[...]

Depend on LogoutHandlerInterface

994700f

carsonbot added Status: Needs Review Bug labels

May 13, 2020

Copy link

Member

wouterj commentedMay 13, 2020

Hmm, theLogoutHandlerInterface was deprecated and this listener actually replaces it (ref#36243). So I don't think it's a good idea to introduce that interface.

However, I agree with you and I see the problem here as well. What about this:

Keep the changes in this PR
ImplementEventSubscriberInterface + the code of this listener inAbstractRememberMeServices
If the remember me service implementsEventSubscriberInterface, add thekernel.event_subscriber tag inRememberMeFactory.
If the remember me service implementsLogoutHandlerInterface, but notEventSubscriberInterface, trigger a deprecation and "fix" the situation by registering this logout listener with the remember me service instead.

If I'm correct, this would make core work without deprecated usages and provide an upgrade path for your bundle and people creating their own remember me service.

Copy link

ContributorAuthor

scheb commentedMay 14, 2020

Would it be such a bad thing to depend on the deprecatedLogoutHandlerInterface? For the matter of keeping backwards compatibility, sometimes it's necessary to depend on a deprecated item, until you can introduce a potentially breaking change.

I like that there is aRememberMeLogoutListener, because that keeps the architecture nice and clean. Merging the listener intoAbstractRememberMeServices doesn't feel to me like proper separation of concerns (but I agree, your suggestion would work).

I believe the long-term solution to this problem would be to move the method fromLogoutHandlerInterface toRememberMeServicesInterface in the next major version. Its signature goes very well with the other methods of the interface, so it feels like the right place.

publicfunction autoLogin(Request$request);publicfunction loginFail(Request$request,\Exception$exception =null);publicfunction loginSuccess(Request$request,Response$response,TokenInterface$token);publicfunction logout(Request$request,Response$response,TokenInterface$token);

For offering a migration path, you could treat the constructor argument inRememberMeLogoutListener as a "union type" (even when we don't have union types yet):

class RememberMeLogoutListenerimplements EventSubscriberInterface{private$rememberMeServices;publicfunction__construct(object$rememberMeServices)    {if (!($rememberMeServicesinstanceof RememberMeServicesInterface &&$rememberMeServicesinstanceof LogoutHandlerInterface)) {thrownew \InvalidArgumentException('Argument 0 must be instance of RememberMeServicesInterface and LogoutHandlerInterface');        }$this->rememberMeServices =$rememberMeServices;    }

You could also "softly" introduce the method onRememberMeServicesInterface without the risk of breaking code.

/** * @method logout(Request $request, Response $response, TokenInterface $token) */interface RememberMeServicesInterface

Then, with the next major release, you could move the method, removeLogoutHandlerInterface and remove the union type checks to only check forRememberMeServicesInterface.

nicolas-grekas added this to the5.1 milestone

May 16, 2020

Copy link

Member

nicolas-grekas commentedMay 16, 2020

This change is fine technically to ease BC/FC. Updating the constructor in 6.0 can happen without any hard BC break.

nicolas-grekas approved these changes

May 16, 2020

View reviewed changes

carsonbot added Status: Reviewed and removed Status: Needs Review labels

May 16, 2020

Copy link

Member

nicolas-grekas commentedMay 16, 2020

Thank you@scheb.

nicolas-grekas merged commit5dd99f2 intosymfony:master

May 16, 2020

Copy link

ContributorAuthor

scheb commentedMay 16, 2020

Glad to help 👍

wouterj mentioned this pull request

May 16, 2020

[Security] Improved upgrade path for custom remember me services#36832

Merged

Copy link

Member

wouterj commentedMay 16, 2020

I think we should provide the upgrade path as proposed by@scheb. I've submitted a PR for it:#36832

nicolas-grekas added a commit that referenced this pull request

May 16, 2020

bug#36832[Security] Improved upgrade path for custom remember me se…

c268915

…rvices (wouterj)This PR was merged into the 5.1-dev branch.Discussion----------[Security] Improved upgrade path for custom remember me services| Q             | A| ------------- | ---| Branch?       | master| Bug fix?      | no| New feature?  | -| Deprecations? | -| Tickets       |#36806 (comment)| License       | MIT| Doc PR        |This improves the upgrade path for custom remember me services now `LogoutHandlerInterface` has been deprecated.As suggested in#36806 (comment), the `logout()` method should be added to the `RememberMeServicesInterface` in Symfony 6.This patch allows developers to write a custom class implementing only `RememberMeServicesInterface` with a `logout()` method. Requiring them to implement `LogoutHandlerInterface` will mean they have to maintain 2 version of the class to support both Symfony 5.1+ and 6.0.Commits-------c49d00f Added deprecation for RememberMe services without logout() method