Revert "minor symfony#46618 [Security] Centralize max username length enforcement (chalasr)"

This reverts commit aaa821b, reversing
changes made to 292f6da.

Author: chalasr

src/Symfony/Component/Security/Core/Security.php

@@ -46,7 +46,9 @@ class Security implements AuthorizationCheckerInterface
     public const LAST_USERNAME = '_security.last_username';
 
     /**
-     * @deprecated since Symfony 6.2, use \Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge::MAX_USERNAME_LENGTH instead
+     * @deprecated since Symfony 6.2, use \Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface::MAX_USERNAME_LENGTH instead
+     *
+     *  In 7.0, move this constant to the NewSecurityHelper class and make it reference AuthenticatorInterface:MAX_USERNAME_LENGTH.
      */
     public const MAX_USERNAME_LENGTH = 4096;
 

src/Symfony/Component/Security/Http/Authenticator/AuthenticatorInterface.php

@@ -26,6 +26,8 @@
  */
 interface AuthenticatorInterface
 {
+    public const MAX_USERNAME_LENGTH = 4096;
+
     /**
      * Does the authenticator support the given Request?
      *

src/Symfony/Component/Security/Http/Authenticator/FormLoginAuthenticator.php

@@ -132,6 +132,10 @@ private function getCredentials(Request $request): array
 
         $credentials['username'] = trim($credentials['username']);
 
+        if (\strlen($credentials['username']) > self::MAX_USERNAME_LENGTH) {
+            throw new BadCredentialsException('Invalid username.');
+        }
+
         $request->getSession()->set(SecurityRequestAttributes::LAST_USERNAME, $credentials['username']);
 
         return $credentials;

src/Symfony/Component/Security/Http/Authenticator/JsonLoginAuthenticator.php

@@ -150,6 +150,10 @@ private function getCredentials(Request $request)
             if (!\is_string($credentials['username'])) {
                 throw new BadRequestHttpException(sprintf('The key "%s" must be a string.', $this->options['username_path']));
             }
+
+            if (\strlen($credentials['username']) > self::MAX_USERNAME_LENGTH) {
+                throw new BadCredentialsException('Invalid username.');
+            }
         } catch (AccessException $e) {
             throw new BadRequestHttpException(sprintf('The key "%s" must be provided.', $this->options['username_path']), $e);
         }

src/Symfony/Component/Security/Http/Tests/Authenticator/FormLoginAuthenticatorTest.php

@@ -19,10 +19,10 @@
 use Symfony\Component\Security\Core\User\InMemoryUserProvider;
 use Symfony\Component\Security\Http\Authentication\AuthenticationFailureHandlerInterface;
 use Symfony\Component\Security\Http\Authentication\AuthenticationSuccessHandlerInterface;
+use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\FormLoginAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\CsrfTokenBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\PasswordUpgradeBadge;
-use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Security\Http\Tests\Authenticator\Fixtures\PasswordUpgraderProvider;
 
@@ -50,7 +50,7 @@ public function testHandleWhenUsernameLength($username, $ok)
             $this->expectNotToPerformAssertions();
         } else {
             $this->expectException(BadCredentialsException::class);
-            $this->expectExceptionMessage('Username too long.');
+            $this->expectExceptionMessage('Invalid username.');
         }
 
         $request = Request::create('/login_check', 'POST', ['_username' => $username, '_password' => 's$cr$t']);
@@ -62,8 +62,8 @@ public function testHandleWhenUsernameLength($username, $ok)
 
     public function provideUsernamesForLength()
     {
-        yield [str_repeat('x', UserBadge::MAX_USERNAME_LENGTH + 1), false];
-        yield [str_repeat('x', UserBadge::MAX_USERNAME_LENGTH - 1), true];
+        yield [str_repeat('x', AuthenticatorInterface::MAX_USERNAME_LENGTH + 1), false];
+        yield [str_repeat('x', AuthenticatorInterface::MAX_USERNAME_LENGTH - 1), true];
     }
 
     /**

src/Symfony/Component/Security/Http/Tests/Authenticator/JsonLoginAuthenticatorTest.php

@@ -19,7 +19,6 @@
 use Symfony\Component\Security\Core\User\InMemoryUserProvider;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\JsonLoginAuthenticator;
-use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Credentials\PasswordCredentials;
 use Symfony\Component\Security\Http\HttpUtils;
 use Symfony\Component\Translation\Loader\ArrayLoader;
@@ -122,9 +121,9 @@ public function provideInvalidAuthenticateData()
         $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], '{"username": "dunglas", "password": 1}');
         yield [$request, 'The key "password" must be a string.'];
 
-        $username = str_repeat('x', UserBadge::MAX_USERNAME_LENGTH + 1);
-        $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], sprintf('{"username": "%s", "password": "foo"}', $username));
-        yield [$request, 'Username too long.', BadCredentialsException::class];
+        $username = str_repeat('x', AuthenticatorInterface::MAX_USERNAME_LENGTH + 1);
+        $request = new Request([], [], [], [], [], ['HTTP_CONTENT_TYPE' => 'application/json'], sprintf('{"username": "%s", "password": 1}', $username));
+        yield [$request, 'Invalid username.', BadCredentialsException::class];
     }
 
     public function testAuthenticationFailureWithoutTranslator()