[Security] Make PersistentToken immutable and tell TokenProviderInterface::updateToken() implementations should accept DateTimeInterface

nicolas-grekas · nicolas-grekas · commit 9eb649d8f177 · 2023-07-13T14:34:25.000+02:00
diff --git a/Authentication/RememberMe/InMemoryTokenProvider.php b/Authentication/RememberMe/InMemoryTokenProvider.php
@@ -17,6 +17,8 @@
  * This class is used for testing purposes, and is not really suited for production.
  *
  * @author Johannes M. Schmitt <schmittjoh@gmail.com>
+ *
+ * @final since Symfony 6.4
  */
 class InMemoryTokenProvider implements TokenProviderInterface
 {
@@ -32,6 +34,8 @@ public function loadTokenBySeries(string $series): PersistentTokenInterface
     }
 
     /**
+     * @param \DateTimeInterface $lastUsed Accepting only DateTime is deprecated since Symfony 6.4
+     *
      * @return void
      */
     public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed)
diff --git a/Authentication/RememberMe/PersistentToken.php b/Authentication/RememberMe/PersistentToken.php
@@ -22,9 +22,9 @@ final class PersistentToken implements PersistentTokenInterface
     private string $userIdentifier;
     private string $series;
     private string $tokenValue;
-    private \DateTime $lastUsed;
+    private \DateTimeImmutable $lastUsed;
 
-    public function __construct(string $class, string $userIdentifier, string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed)
+    public function __construct(string $class, string $userIdentifier, string $series, #[\SensitiveParameter] string $tokenValue, \DateTimeInterface $lastUsed)
     {
         if (empty($class)) {
             throw new \InvalidArgumentException('$class must not be empty.');
@@ -43,7 +43,7 @@ public function __construct(string $class, string $userIdentifier, string $serie
         $this->userIdentifier = $userIdentifier;
         $this->series = $series;
         $this->tokenValue = $tokenValue;
-        $this->lastUsed = $lastUsed;
+        $this->lastUsed = \DateTimeImmutable::createFromInterface($lastUsed);
     }
 
     public function getClass(): string
@@ -68,6 +68,6 @@ public function getTokenValue(): string
 
     public function getLastUsed(): \DateTime
     {
-        return $this->lastUsed;
+        return \DateTime::createFromImmutable($this->lastUsed);
     }
 }
diff --git a/Authentication/RememberMe/PersistentTokenInterface.php b/Authentication/RememberMe/PersistentTokenInterface.php
@@ -36,6 +36,8 @@ public function getTokenValue(): string;
 
     /**
      * Returns the time the token was last used.
+     *
+     * Each call SHOULD return a new distinct DateTime instance.
      */
     public function getLastUsed(): \DateTime;
 
diff --git a/Authentication/RememberMe/TokenProviderInterface.php b/Authentication/RememberMe/TokenProviderInterface.php
@@ -39,6 +39,8 @@ public function deleteTokenBySeries(string $series);
     /**
      * Updates the token according to this data.
      *
+     * @param \DateTimeInterface $lastUsed Accepting only DateTime is deprecated since Symfony 6.4
+     *
      * @return void
      *
      * @throws TokenNotFoundException if the token is not found
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+6.4
+---
+
+ * Make `PersistentToken` immutable
+ * Deprecate accepting only `DateTime` for `TokenProviderInterface::updateToken()`, use `DateTimeInterface` instead
+
 6.3
 ---
 
diff --git a/Tests/Authentication/RememberMe/CacheTokenVerifierTest.php b/Tests/Authentication/RememberMe/CacheTokenVerifierTest.php
@@ -21,23 +21,23 @@ class CacheTokenVerifierTest extends TestCase
     public function testVerifyCurrentToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());
+        $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());
         $this->assertTrue($verifier->verifyToken($token, 'value'));
     }
 
     public function testVerifyFailsInvalidToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());
+        $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());
         $this->assertFalse($verifier->verifyToken($token, 'wrong-value'));
     }
 
     public function testVerifyOutdatedToken()
     {
         $verifier = new CacheTokenVerifier(new ArrayAdapter());
-        $outdatedToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());
-        $newToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'newvalue', new \DateTime());
-        $verifier->updateExistingToken($outdatedToken, 'newvalue', new \DateTime());
+        $outdatedToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());
+        $newToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'newvalue', new \DateTimeImmutable());
+        $verifier->updateExistingToken($outdatedToken, 'newvalue', new \DateTimeImmutable());
         $this->assertTrue($verifier->verifyToken($newToken, 'value'));
     }
 }
diff --git a/Tests/Authentication/RememberMe/InMemoryTokenProviderTest.php b/Tests/Authentication/RememberMe/InMemoryTokenProviderTest.php
@@ -22,7 +22,7 @@ public function testCreateNewToken()
     {
         $provider = new InMemoryTokenProvider();
 
-        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTime());
+        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTimeImmutable());
         $provider->createNewToken($token);
 
         $this->assertSame($provider->loadTokenBySeries('foo'), $token);
@@ -39,21 +39,21 @@ public function testUpdateToken()
     {
         $provider = new InMemoryTokenProvider();
 
-        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTime());
+        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTimeImmutable());
         $provider->createNewToken($token);
         $provider->updateToken('foo', 'newFoo', $lastUsed = new \DateTime());
         $token = $provider->loadTokenBySeries('foo');
 
         $this->assertEquals('newFoo', $token->getTokenValue());
-        $this->assertSame($token->getLastUsed(), $lastUsed);
+        $this->assertEquals($token->getLastUsed(), $lastUsed);
     }
 
     public function testDeleteToken()
     {
         $this->expectException(TokenNotFoundException::class);
         $provider = new InMemoryTokenProvider();
 
-        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTime());
+        $token = new PersistentToken('foo', 'foo', 'foo', 'foo', new \DateTimeImmutable());
         $provider->createNewToken($token);
         $provider->deleteTokenBySeries('foo');
         $provider->loadTokenBySeries('foo');
diff --git a/Tests/Authentication/RememberMe/PersistentTokenTest.php b/Tests/Authentication/RememberMe/PersistentTokenTest.php
@@ -18,13 +18,21 @@ class PersistentTokenTest extends TestCase
 {
     public function testConstructor()
     {
-        $lastUsed = new \DateTime();
+        $lastUsed = new \DateTimeImmutable();
         $token = new PersistentToken('fooclass', 'fooname', 'fooseries', 'footokenvalue', $lastUsed);
 
         $this->assertEquals('fooclass', $token->getClass());
         $this->assertEquals('fooname', $token->getUserIdentifier());
         $this->assertEquals('fooseries', $token->getSeries());
         $this->assertEquals('footokenvalue', $token->getTokenValue());
-        $this->assertSame($lastUsed, $token->getLastUsed());
+        $this->assertEquals($lastUsed, $token->getLastUsed());
+    }
+
+    public function testDateTime()
+    {
+        $lastUsed = new \DateTime();
+        $token = new PersistentToken('fooclass', 'fooname', 'fooseries', 'footokenvalue', $lastUsed);
+
+        $this->assertEquals($lastUsed, $token->getLastUsed());
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -17,6 +17,8 @@`
`17`	`17`	`* This class is used for testing purposes, and is not really suited for production.`
`18`	`18`	`*`
`19`	`19`	`* @author Johannes M. Schmitt <[email protected]>`
	`20`	`+ *`
	`21`	`+ * @final since Symfony 6.4`
`20`	`22`	`*/`
`21`	`23`	`class InMemoryTokenProvider implements TokenProviderInterface`
`22`	`24`	`{`
`@@ -32,6 +34,8 @@ public function loadTokenBySeries(string $series): PersistentTokenInterface`
`32`	`34`	`}`
`33`	`35`
`34`	`36`	`/**`
	`37`	`+ * @param \DateTimeInterface $lastUsed Accepting only DateTime is deprecated since Symfony 6.4`
	`38`	`+ *`
`35`	`39`	`* @return void`
`36`	`40`	`*/`
`37`	`41`	`public function updateToken(string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed)`
Original file line number	Diff line number	Diff line change
`@@ -22,9 +22,9 @@ final class PersistentToken implements PersistentTokenInterface`
`22`	`22`	`private string $userIdentifier;`
`23`	`23`	`private string $series;`
`24`	`24`	`private string $tokenValue;`
`25`		`- private \DateTime $lastUsed;`
	`25`	`+ private \DateTimeImmutable $lastUsed;`
`26`	`26`
`27`		`- public function __construct(string $class, string $userIdentifier, string $series, #[\SensitiveParameter] string $tokenValue, \DateTime $lastUsed)`
	`27`	`+ public function __construct(string $class, string $userIdentifier, string $series, #[\SensitiveParameter] string $tokenValue, \DateTimeInterface $lastUsed)`
`28`	`28`	`{`
`29`	`29`	`if (empty($class)) {`
`30`	`30`	`throw new \InvalidArgumentException('$class must not be empty.');`
`@@ -43,7 +43,7 @@ public function __construct(string $class, string $userIdentifier, string $serie`
`43`	`43`	`$this->userIdentifier = $userIdentifier;`
`44`	`44`	`$this->series = $series;`
`45`	`45`	`$this->tokenValue = $tokenValue;`
`46`		`- $this->lastUsed = $lastUsed;`
	`46`	`+ $this->lastUsed = \DateTimeImmutable::createFromInterface($lastUsed);`
`47`	`47`	`}`
`48`	`48`
`49`	`49`	`public function getClass(): string`
`@@ -68,6 +68,6 @@ public function getTokenValue(): string`
`68`	`68`
`69`	`69`	`public function getLastUsed(): \DateTime`
`70`	`70`	`{`
`71`		`- return $this->lastUsed;`
	`71`	`+ return \DateTime::createFromImmutable($this->lastUsed);`
`72`	`72`	`}`
`73`	`73`	`}`
Original file line number	Diff line number	Diff line change
`@@ -39,6 +39,8 @@ public function deleteTokenBySeries(string $series);`
`39`	`39`	`/**`
`40`	`40`	`* Updates the token according to this data.`
`41`	`41`	`*`
	`42`	`+ * @param \DateTimeInterface $lastUsed Accepting only DateTime is deprecated since Symfony 6.4`
	`43`	`+ *`
`42`	`44`	`* @return void`
`43`	`45`	`*`
`44`	`46`	`* @throws TokenNotFoundException if the token is not found`
Original file line number	Diff line number	Diff line change
`@@ -21,23 +21,23 @@ class CacheTokenVerifierTest extends TestCase`
`21`	`21`	`public function testVerifyCurrentToken()`
`22`	`22`	`{`
`23`	`23`	`$verifier = new CacheTokenVerifier(new ArrayAdapter());`
`24`		`- $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());`
	`24`	`+ $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());`
`25`	`25`	`$this->assertTrue($verifier->verifyToken($token, 'value'));`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`public function testVerifyFailsInvalidToken()`
`29`	`29`	`{`
`30`	`30`	`$verifier = new CacheTokenVerifier(new ArrayAdapter());`
`31`		`- $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());`
	`31`	`+ $token = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());`
`32`	`32`	`$this->assertFalse($verifier->verifyToken($token, 'wrong-value'));`
`33`	`33`	`}`
`34`	`34`
`35`	`35`	`public function testVerifyOutdatedToken()`
`36`	`36`	`{`
`37`	`37`	`$verifier = new CacheTokenVerifier(new ArrayAdapter());`
`38`		`- $outdatedToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTime());`
`39`		`- $newToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'newvalue', new \DateTime());`
`40`		`- $verifier->updateExistingToken($outdatedToken, 'newvalue', new \DateTime());`
	`38`	`+ $outdatedToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'value', new \DateTimeImmutable());`
	`39`	`+ $newToken = new PersistentToken('class', 'user', 'series1@special:chars=/', 'newvalue', new \DateTimeImmutable());`
	`40`	`+ $verifier->updateExistingToken($outdatedToken, 'newvalue', new \DateTimeImmutable());`
`41`	`41`	`$this->assertTrue($verifier->verifyToken($newToken, 'value'));`
`42`	`42`	`}`
`43`	`43`	`}`
Original file line number	Diff line number	Diff line change
`@@ -18,13 +18,21 @@ class PersistentTokenTest extends TestCase`
`18`	`18`	`{`
`19`	`19`	`public function testConstructor()`
`20`	`20`	`{`
`21`		`- $lastUsed = new \DateTime();`
	`21`	`+ $lastUsed = new \DateTimeImmutable();`
`22`	`22`	`$token = new PersistentToken('fooclass', 'fooname', 'fooseries', 'footokenvalue', $lastUsed);`
`23`	`23`
`24`	`24`	`$this->assertEquals('fooclass', $token->getClass());`
`25`	`25`	`$this->assertEquals('fooname', $token->getUserIdentifier());`
`26`	`26`	`$this->assertEquals('fooseries', $token->getSeries());`
`27`	`27`	`$this->assertEquals('footokenvalue', $token->getTokenValue());`
`28`		`- $this->assertSame($lastUsed, $token->getLastUsed());`
	`28`	`+ $this->assertEquals($lastUsed, $token->getLastUsed());`
	`29`	`+ }`
	`30`	`+`
	`31`	`+ public function testDateTime()`
	`32`	`+ {`
	`33`	`+ $lastUsed = new \DateTime();`
	`34`	`+ $token = new PersistentToken('fooclass', 'fooname', 'fooseries', 'footokenvalue', $lastUsed);`
	`35`	`+`
	`36`	`+ $this->assertEquals($lastUsed, $token->getLastUsed());`
`29`	`37`	`}`
`30`	`38`	`}`