[Security] make TokenInterface::getUser() nullable to tell about unauthenticated tokens

nicolas-grekas · nicolas-grekas · commit f364ce6e7f83 · 2021-08-20T09:39:46.000+02:00
diff --git a/EventListener/UserCheckerListener.php b/EventListener/UserCheckerListener.php
@@ -46,7 +46,6 @@ public function preCheckCredentials(CheckPassportEvent $event): void
     public function postCheckCredentials(AuthenticationSuccessEvent $event): void
     {
         $user = $event->getAuthenticationToken()->getUser();
-        // @deprecated since 5.4, $user will always be an UserInterface instance
         if (!$user instanceof UserInterface) {
             return;
         }
diff --git a/Firewall/AccessListener.php b/Firewall/AccessListener.php
@@ -114,7 +114,7 @@ public function authenticate(RequestEvent $event)
 
         // @deprecated since Symfony 5.4
         if (method_exists($token, 'isAuthenticated') && !$token->isAuthenticated(false)) {
-            trigger_deprecation('symfony/core', '5.4', 'Returning false from "%s()" is deprecated and won\'t have any effect in Symfony 6.0 as security tokens will always be considered authenticated.');
+            trigger_deprecation('symfony/core', '5.4', 'Returning false from "%s()" is deprecated, return null from "getUser()" instead.');
 
             if ($this->authManager) {
                 $token = $this->authManager->authenticate($token);

Original file line number	Diff line number	Diff line change
`@@ -46,7 +46,6 @@ public function preCheckCredentials(CheckPassportEvent $event): void`
`46`	`46`	`public function postCheckCredentials(AuthenticationSuccessEvent $event): void`
`47`	`47`	`{`
`48`	`48`	`$user = $event->getAuthenticationToken()->getUser();`
`49`		`- // @deprecated since 5.4, $user will always be an UserInterface instance`
`50`	`49`	`if (!$user instanceof UserInterface) {`
`51`	`50`	`return;`
`52`	`51`	`}`