Deprecate empty user identifier

ajgarlag · ajgarlag · commit 38e3e37c07d8 · 2024-08-14T14:27:58.000+02:00
diff --git a/UPGRADE-7.2.md b/UPGRADE-7.2.md
@@ -39,6 +39,7 @@ Security
 
  * Add `$token` argument to `UserCheckerInterface::checkPostAuth()`
  * Deprecate argument `$secret` of `RememberMeToken` and `RememberMeAuthenticator`
+ * Deprecate passing an empty string as `$userIdentifier` argument to `UserBadge` constructor
 
 String
 ------
diff --git a/src/Symfony/Component/Security/Core/User/UserInterface.php b/src/Symfony/Component/Security/Core/User/UserInterface.php
@@ -56,6 +56,8 @@ public function eraseCredentials(): void;
 
     /**
      * Returns the identifier for this user (e.g. username or email address).
+     *
+     * @return non-empty-string
      */
     public function getUserIdentifier(): string;
 }
diff --git a/src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/UserBadge.php b/src/Symfony/Component/Security/Http/Authenticator/Passport/Badge/UserBadge.php
@@ -52,6 +52,10 @@ public function __construct(
         ?callable $userLoader = null,
         private ?array $attributes = null,
     ) {
+        if ('' === $userIdentifier) {
+            trigger_deprecation('symfony/security-http', '7.2', 'Using an empty string as user identifier is deprecated and will not be allowed in 8.0.');
+        }
+
         if (\strlen($userIdentifier) > self::MAX_USERNAME_LENGTH) {
             throw new BadCredentialsException('Username too long.');
         }
diff --git a/src/Symfony/Component/Security/Http/Tests/Authenticator/Passport/Badge/UserBadgeTest.php b/src/Symfony/Component/Security/Http/Tests/Authenticator/Passport/Badge/UserBadgeTest.php
@@ -12,15 +12,27 @@
 namespace Symfony\Component\Security\Http\Tests\Authenticator\Passport\Badge;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectUserDeprecationMessageTrait;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 
 class UserBadgeTest extends TestCase
 {
+    use ExpectUserDeprecationMessageTrait;
+
     public function testUserNotFound()
     {
         $badge = new UserBadge('dummy', fn () => null);
         $this->expectException(UserNotFoundException::class);
         $badge->getUser();
     }
+
+    /**
+     * @group legacy
+     */
+    public function testDeprecatedEmptyUserIdentifier()
+    {
+        $this->expectUserDeprecationMessage('Since symfony/security-http 7.2: Using an empty string as the user indentifier is deprecated and will not be allowed in 8.0.');
+        new UserBadge('', fn () => null);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -56,6 +56,8 @@ public function eraseCredentials(): void;`
`56`	`56`
`57`	`57`	`/**`
`58`	`58`	`* Returns the identifier for this user (e.g. username or email address).`
	`59`	`+ *`
	`60`	`+ * @return non-empty-string`
`59`	`61`	`*/`
`60`	`62`	`public function getUserIdentifier(): string;`
`61`	`63`	`}`