[Security] Rename UserInterface::getUsername() to getUserIdentifier()

Author: wouterj

Authentication/AuthenticatorManager.php

@@ -70,7 +70,8 @@ public function __construct(iterable $authenticators, TokenStorageInterface $tok
     public function authenticateUser(UserInterface $user, AuthenticatorInterface $authenticator, Request $request, array $badges = []): ?Response
     {
         // create an authenticated token for the User
-        $token = $authenticator->createAuthenticatedToken($passport = new SelfValidatingPassport(new UserBadge($user->getUsername(), function () use ($user) { return $user; }), $badges), $this->firewallName);
+        // @deprecated since 5.3, change to $user->getUserIdentifier() in 6.0
+        $token = $authenticator->createAuthenticatedToken($passport = new SelfValidatingPassport(new UserBadge(method_exists($user, 'getUserIdentifier') ? $user->getUserIdentifier() : $user->getUsername(), function () use ($user) { return $user; }), $badges), $this->firewallName);
 
         // announce the authenticated token
         $token = $this->eventDispatcher->dispatch(new AuthenticationTokenCreatedEvent($token))->getAuthenticatedToken();
@@ -215,6 +216,11 @@ private function executeAuthenticator(AuthenticatorInterface $authenticator, Req
 
     private function handleAuthenticationSuccess(TokenInterface $authenticatedToken, PassportInterface $passport, Request $request, AuthenticatorInterface $authenticator): ?Response
     {
+        // @deprecated since 5.3
+        if (!method_exists($authenticatedToken->getUser(), 'getUserIdentifier')) {
+            trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "getUserIdentifier(): string" in user class "%s" is deprecated. This method will replace "getUsername()" in Symfony 6.0.', get_debug_type($authenticatedToken->getUser()));
+        }
+
         $this->tokenStorage->setToken($authenticatedToken);
 
         $response = $authenticator->onAuthenticationSuccess($request, $authenticatedToken, $this->firewallName);

Authenticator/AbstractPreAuthenticatedAuthenticator.php

@@ -87,9 +87,18 @@ public function supports(Request $request): ?bool
 
     public function authenticate(Request $request): PassportInterface
     {
-        return new SelfValidatingPassport(new UserBadge($request->attributes->get('_pre_authenticated_username'), function ($username) {
-            return $this->userProvider->loadUserByUsername($username);
-        }), [new PreAuthenticatedUserBadge()]);
+        // @deprecated since 5.3, change to $this->userProvider->loadUserByIdentifier() in 6.0
+        $method = 'loadUserByIdentifier';
+        if (!method_exists($this->userProvider, 'loadUserByIdentifier')) {
+            trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($this->userProvider));
+
+            $method = 'loadUserByUsername';
+        }
+
+        return new SelfValidatingPassport(
+            new UserBadge($request->attributes->get('_pre_authenticated_username'), [$this->userProvider, $method]),
+            [new PreAuthenticatedUserBadge()]
+        );
     }
 
     public function createAuthenticatedToken(PassportInterface $passport, string $firewallName): TokenInterface

Authenticator/AuthenticatorInterface.php

@@ -46,7 +46,7 @@ public function supports(Request $request): ?bool;
      * presented password and the CSRF token value.
      *
      * You may throw any AuthenticationException in this method in case of error (e.g.
-     * a UsernameNotFoundException when the user cannot be found).
+     * a UserNotFoundException when the user cannot be found).
      *
      * @throws AuthenticationException
      */

Authenticator/FormLoginAuthenticator.php

@@ -84,14 +84,19 @@ public function authenticate(Request $request): PassportInterface
     {
         $credentials = $this->getCredentials($request);
 
-        $passport = new Passport(new UserBadge($credentials['username'], function ($username) {
-            $user = $this->userProvider->loadUserByUsername($username);
-            if (!$user instanceof UserInterface) {
-                throw new AuthenticationServiceException('The user provider must return a UserInterface object.');
-            }
-
-            return $user;
-        }), new PasswordCredentials($credentials['password']), [new RememberMeBadge()]);
+        // @deprecated since 5.3, change to $this->userProvider->loadUserByIdentifier() in 6.0
+        $method = 'loadUserByIdentifier';
+        if (!method_exists($this->userProvider, 'loadUserByIdentifier')) {
+            trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($this->userProvider));
+
+            $method = 'loadUserByUsername';
+        }
+
+        $passport = new Passport(
+            new UserBadge($credentials['username'], [$this->userProvider, $method]),
+            new PasswordCredentials($credentials['password']),
+            [new RememberMeBadge()]
+        );
         if ($this->options['enable_csrf']) {
             $passport->addBadge(new CsrfTokenBadge($this->options['csrf_token_id'], $credentials['csrf_token']));
         }

Authenticator/HttpBasicAuthenticator.php

@@ -67,14 +67,18 @@ public function authenticate(Request $request): PassportInterface
         $username = $request->headers->get('PHP_AUTH_USER');
         $password = $request->headers->get('PHP_AUTH_PW', '');
 
-        $passport = new Passport(new UserBadge($username, function ($username) {
-            $user = $this->userProvider->loadUserByUsername($username);
-            if (!$user instanceof UserInterface) {
-                throw new AuthenticationServiceException('The user provider must return a UserInterface object.');
-            }
-
-            return $user;
-        }), new PasswordCredentials($password));
+        // @deprecated since 5.3, change to $this->userProvider->loadUserByIdentifier() in 6.0
+        $method = 'loadUserByIdentifier';
+        if (!method_exists($this->userProvider, 'loadUserByIdentifier')) {
+            trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($this->userProvider));
+
+            $method = 'loadUserByUsername';
+        }
+
+        $passport = new Passport(
+            new UserBadge($username, [$this->userProvider, $method]),
+            new PasswordCredentials($password)
+        );
         if ($this->userProvider instanceof PasswordUpgraderInterface) {
             $passport->addBadge(new PasswordUpgradeBadge($password, $this->userProvider));
         }

Authenticator/JsonLoginAuthenticator.php

@@ -94,14 +94,18 @@ public function authenticate(Request $request): PassportInterface
             throw $e;
         }
 
-        $passport = new Passport(new UserBadge($credentials['username'], function ($username) {
-            $user = $this->userProvider->loadUserByUsername($username);
-            if (!$user instanceof UserInterface) {
-                throw new AuthenticationServiceException('The user provider must return a UserInterface object.');
-            }
+        // @deprecated since 5.3, change to $this->userProvider->loadUserByIdentifier() in 6.0
+        $method = 'loadUserByIdentifier';
+        if (!method_exists($this->userProvider, 'loadUserByIdentifier')) {
+            trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($this->userProvider));
+
+            $method = 'loadUserByUsername';
+        }
 
-            return $user;
-        }), new PasswordCredentials($credentials['password']));
+        $passport = new Passport(
+            new UserBadge($credentials['username'], [$this->userProvider, $method]),
+            new PasswordCredentials($credentials['password'])
+        );
         if ($this->userProvider instanceof PasswordUpgraderInterface) {
             $passport->addBadge(new PasswordUpgradeBadge($credentials['password'], $this->userProvider));
         }

Authenticator/Passport/Badge/UserBadge.php

@@ -11,7 +11,7 @@
 
 namespace Symfony\Component\Security\Http\Authenticator\Passport\Badge;
 
-use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\Exception\AuthenticationServiceException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Http\EventListener\UserProviderListener;
 
@@ -40,7 +40,7 @@ class UserBadge implements BadgeInterface
      * based on email *and* company name). This string can be used for e.g. login throttling.
      *
      * Optionally, you may pass a user loader. This callable receives the $userIdentifier
-     * as argument and must return a UserInterface object (otherwise a UsernameNotFoundException
+     * as argument and must return a UserInterface object (otherwise an AuthenticationServiceException
      * is thrown). If this is not set, the default user provider will be used with
      * $userIdentifier as username.
      */
@@ -64,7 +64,7 @@ public function getUser(): UserInterface
 
             $this->user = ($this->userLoader)($this->userIdentifier);
             if (!$this->user instanceof UserInterface) {
-                throw new UsernameNotFoundException();
+                throw new AuthenticationServiceException(sprintf('The user provider must return a UserInterface object, "%s" given.', \get_debug_type($this->user)));
             }
         }
 

Authenticator/RememberMeAuthenticator.php

@@ -82,7 +82,8 @@ public function authenticate(Request $request): PassportInterface
             throw new \LogicException('No remember me token is set.');
         }
 
-        return new SelfValidatingPassport(new UserBadge($token->getUsername(), [$token, 'getUser']));
+        // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
+        return new SelfValidatingPassport(new UserBadge(method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername(), [$token, 'getUser']));
     }
 
     public function createAuthenticatedToken(PassportInterface $passport, string $firewallName): TokenInterface

EventListener/UserProviderListener.php

@@ -46,6 +46,13 @@ public function checkPassport(CheckPassportEvent $event): void
             return;
         }
 
-        $badge->setUserLoader([$this->userProvider, 'loadUserByUsername']);
+        // @deprecated since 5.3, change to $this->userProvider->loadUserByIdentifier() in 6.0
+        if (method_exists($this->userProvider, 'loadUserByIdentifier')) {
+            $badge->setUserLoader([$this->userProvider, 'loadUserByIdentifier']);
+        } else {
+            trigger_deprecation('symfony/security-http', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($this->userProvider));
+
+            $badge->setUserLoader([$this->userProvider, 'loadUserByUsername']);
+        }
     }
 }

Firewall/AbstractAuthenticationListener.php

@@ -195,7 +195,8 @@ private function onFailure(Request $request, AuthenticationException $failed): R
     private function onSuccess(Request $request, TokenInterface $token): Response
     {
         if (null !== $this->logger) {
-            $this->logger->info('User has been authenticated successfully.', ['username' => $token->getUsername()]);
+            // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
+            $this->logger->info('User has been authenticated successfully.', ['username' => method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()]);
         }
 
         $this->tokenStorage->setToken($token);

Firewall/AbstractPreAuthenticatedListener.php

@@ -83,7 +83,8 @@ public function authenticate(RequestEvent $event)
         }
 
         if (null !== $token = $this->tokenStorage->getToken()) {
-            if ($token instanceof PreAuthenticatedToken && $this->providerKey == $token->getFirewallName() && $token->isAuthenticated() && $token->getUsername() === $user) {
+            // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
+            if ($token instanceof PreAuthenticatedToken && $this->providerKey == $token->getFirewallName() && $token->isAuthenticated() && (method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()) === $user) {
                 return;
             }
         }

Firewall/BasicAuthenticationListener.php

@@ -73,7 +73,8 @@ public function authenticate(RequestEvent $event)
         }
 
         if (null !== $token = $this->tokenStorage->getToken()) {
-            if ($token instanceof UsernamePasswordToken && $token->isAuthenticated() && $token->getUsername() === $username) {
+            // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
+            if ($token instanceof UsernamePasswordToken && $token->isAuthenticated() && (method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()) === $username) {
                 return;
             }
         }

Firewall/ContextListener.php

@@ -27,7 +27,7 @@
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\UnsupportedUserException;
-use Symfony\Component\Security\Core\Exception\UsernameNotFoundException;
+use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 use Symfony\Component\Security\Core\User\UserInterface;
 use Symfony\Component\Security\Core\User\UserProviderInterface;
 use Symfony\Component\Security\Http\Event\DeauthenticatedEvent;
@@ -222,7 +222,8 @@ protected function refreshUser(TokenInterface $token): ?TokenInterface
                     $userDeauthenticated = true;
 
                     if (null !== $this->logger) {
-                        $this->logger->debug('Cannot refresh token because user has changed.', ['username' => $refreshedUser->getUsername(), 'provider' => \get_class($provider)]);
+                        // @deprecated since 5.3, change to $refreshedUser->getUserIdentifier() in 6.0
+                        $this->logger->debug('Cannot refresh token because user has changed.', ['username' => method_exists($refreshedUser, 'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername(), 'provider' => \get_class($provider)]);
                     }
 
                     continue;
@@ -231,10 +232,12 @@ protected function refreshUser(TokenInterface $token): ?TokenInterface
                 $token->setUser($refreshedUser);
 
                 if (null !== $this->logger) {
-                    $context = ['provider' => \get_class($provider), 'username' => $refreshedUser->getUsername()];
+                    // @deprecated since 5.3, change to $refreshedUser->getUserIdentifier() in 6.0
+                    $context = ['provider' => \get_class($provider), 'username' => method_exists($refreshedUser, 'getUserIdentifier') ? $refreshedUser->getUserIdentifier() : $refreshedUser->getUsername()];
 
                     if ($token instanceof SwitchUserToken) {
-                        $context['impersonator_username'] = $token->getOriginalToken()->getUsername();
+                        // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
+                        $context['impersonator_username'] = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getOriginalToken()->getUsername();
                     }
 
                     $this->logger->debug('User was reloaded from a user provider.', $context);
@@ -243,9 +246,9 @@ protected function refreshUser(TokenInterface $token): ?TokenInterface
                 return $token;
             } catch (UnsupportedUserException $e) {
                 // let's try the next user provider
-            } catch (UsernameNotFoundException $e) {
+            } catch (UserNotFoundException $e) {
                 if (null !== $this->logger) {
-                    $this->logger->warning('Username could not be found in the selected user provider.', ['username' => $e->getUsername(), 'provider' => \get_class($provider)]);
+                    $this->logger->warning('Username could not be found in the selected user provider.', ['username' => method_exists($e, 'getUserIdentifier') ? $e->getUserIdentifier() : $e->getUsername(), 'provider' => \get_class($provider)]);
                 }
 
                 $userNotFoundByProvider = true;

Firewall/SwitchUserListener.php

@@ -140,28 +140,36 @@ private function attemptSwitchUser(Request $request, string $username): ?TokenIn
         $originalToken = $this->getOriginalToken($token);
 
         if (null !== $originalToken) {
-            if ($token->getUsername() === $username) {
+            // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
+            if ((method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()) === $username) {
                 return $token;
             }
 
             // User already switched, exit before seamlessly switching to another user
             $token = $this->attemptExitUser($request);
         }
 
-        $currentUsername = $token->getUsername();
+        // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
+        $currentUsername = method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername();
         $nonExistentUsername = '_'.md5(random_bytes(8).$username);
 
         // To protect against user enumeration via timing measurements
         // we always load both successfully and unsuccessfully
+        $methodName = 'loadUserByIdentifier';
+        if (!method_exists($this->provider, $methodName)) {
+            trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "loadUserByIdentifier()" in user provider "%s" is deprecated. This method will replace "loadUserByUsername()" in Symfony 6.0.', get_debug_type($this->provider));
+
+            $methodName = 'loadUserByUsername';
+        }
         try {
-            $user = $this->provider->loadUserByUsername($username);
+            $user = $this->provider->$methodName($username);
 
             try {
-                $this->provider->loadUserByUsername($nonExistentUsername);
+                $this->provider->$methodName($nonExistentUsername);
             } catch (\Exception $e) {
             }
         } catch (AuthenticationException $e) {
-            $this->provider->loadUserByUsername($currentUsername);
+            $this->provider->$methodName($currentUsername);
 
             throw $e;
         }

Firewall/UsernamePasswordJsonAuthenticationListener.php

@@ -151,7 +151,8 @@ public function authenticate(RequestEvent $event)
     private function onSuccess(Request $request, TokenInterface $token): ?Response
     {
         if (null !== $this->logger) {
-            $this->logger->info('User has been authenticated successfully.', ['username' => $token->getUsername()]);
+            // @deprecated since 5.3, change to $token->getUserIdentifier() in 6.0
+            $this->logger->info('User has been authenticated successfully.', ['username' => method_exists($token, 'getUserIdentifier') ? $token->getUserIdentifier() : $token->getUsername()]);
         }
 
         $this->migrateSession($request, $token);