Deprecation: Returning a string from "getSalt()" without implementing the LegacyPasswordAuthenticatedUserInterface #1652

Closed
piddubnij opened this issue Jun 16, 2023 · 5 comments · Fixed by #1653

Comments

@piddubnij
Contributor

Environment

Sonata packages


$ composer show --latest 'sonata-project/*'
Direct dependencies required in composer.json:
sonata-project/admin-bundle              4.25.0 4.25.0 The missing Symfony Admin Generator
sonata-project/doctrine-orm-admin-bundle 4.13.0 4.13.0 Integrate Doctrine ORM into the SonataAdminBundle
sonata-project/user-bundle               5.9.0  5.9.0  Symfony SonataUserBundle

Transitive dependencies not required in composer.json:
sonata-project/block-bundle              4.21.0 4.21.0 Symfony SonataBlockBundle
sonata-project/cache                     2.2.0  2.2.0  Cache library
Package sonata-project/cache is abandoned, you should avoid using it. No replacement was suggested.
sonata-project/doctrine-extensions       2.3.0  2.3.0  Doctrine2 behavioral extensions
sonata-project/exporter                  3.1.1  3.1.1  Lightweight Exporter library

Symfony packages


$ composer show --latest 'symfony/*'
Direct dependencies required in composer.json:
symfony/asset                      v5.4.21 v6.3.0  Manages URL generation and versioning of web assets such as CSS stylesheets, JavaScript files and image files
symfony/browser-kit                v5.4.21 v6.3.0  Simulates the behavior of a web browser, allowing you to make requests, click on links and submit forms programmatically
symfony/console                    v5.4.24 v6.3.0  Eases the creation of beautiful and testable command line interfaces
symfony/css-selector               v5.4.21 v6.3.0  Converts CSS selectors to XPath expressions
symfony/debug-bundle               v5.4.21 v6.3.0  Provides a tight integration of the Symfony VarDumper component and the ServerLogCommand from MonologBridge into the Symfony full-stack framework
symfony/dotenv                     v5.4.22 v6.3.0  Registers environment variables from a .env file
symfony/expression-language        v5.4.21 v6.3.0  Provides an engine that can compile and evaluate expressions
symfony/filesystem                 v5.4.23 v6.3.0  Provides basic utilities for the filesystem
symfony/finder                     v5.4.21 v6.3.0  Finds files and directories via an intuitive fluent interface
symfony/flex                       v1.20.0 v2.3.1  Composer plugin for Symfony
symfony/form                       v5.4.24 v6.3.0  Allows to easily create, process and reuse HTML forms
symfony/framework-bundle           v5.4.24 v6.3.0  Provides a tight integration between Symfony components and the Symfony full-stack framework
symfony/http-client                v5.4.24 v6.3.0  Provides powerful methods to fetch HTTP resources synchronously or asynchronously
symfony/intl                       v5.4.23 v6.3.0  Provides a PHP replacement layer for the C intl extension that includes additional data from the ICU library
symfony/mailer                     v5.4.22 v6.3.0  Helps sending emails
symfony/maker-bundle               v1.49.0 v1.49.0 Symfony Maker helps you create empty commands, controllers, form classes, tests and more so you can forget about writing boilerplate code.
symfony/monolog-bundle             v3.8.0  v3.8.0  Symfony MonologBundle
symfony/phpunit-bridge             v6.3.0  v6.3.0  Provides utilities for PHPUnit, especially user deprecation notices management
symfony/process                    v5.4.24 v6.3.0  Executes commands in sub-processes
symfony/property-access            v5.4.22 v6.3.0  Provides functions to read and write from/to an object or array using a simple string notation
symfony/property-info              v5.4.24 v6.3.0  Extracts information about PHP class' properties using metadata of popular sources
symfony/runtime                    v5.4.22 v6.3.0  Enables decoupling PHP applications from global state
symfony/security-bundle            v5.4.22 v6.3.0  Provides a tight integration of the Security component into the Symfony full-stack framework
symfony/serializer                 v5.4.24 v6.3.0  Handles serializing and deserializing data structures, including object graphs, into array structures or other formats like XML and JSON.
symfony/stopwatch                  v5.4.21 v6.3.0  Provides a way to profile code
symfony/translation                v5.4.24 v6.3.0  Provides tools to internationalize your application
symfony/twig-bundle                v5.4.21 v6.3.0  Provides a tight integration of Twig into the Symfony full-stack framework
symfony/validator                  v5.4.24 v6.3.0  Provides tools to validate values
symfony/web-link                   v5.4.21 v6.3.0  Manages links between resources
symfony/web-profiler-bundle        v5.4.24 v6.3.0  Provides a development tool that gives detailed information about the execution of any request
symfony/webpack-encore-bundle      v1.17.1 v2.0.1  Integration with your Symfony app & Webpack Encore!
symfony/yaml                       v5.4.23 v6.3.0  Loads and dumps YAML files

Transitive dependencies not required in composer.json:
symfony/cache                      v5.4.23 v6.3.0  Provides extended PSR-6, PSR-16 (and tags) implementations
symfony/cache-contracts            v2.5.2  v3.3.0  Generic abstractions related to caching
symfony/config                     v5.4.21 v6.3.0  Helps you find, load, combine, autofill and validate configuration values of any kind
symfony/dependency-injection       v5.4.24 v6.3.0  Allows you to standardize and centralize the way objects are constructed in your application
symfony/deprecation-contracts      v3.3.0  v3.3.0  A generic function and convention to trigger deprecation notices
symfony/doctrine-bridge            v5.4.24 v6.3.0  Provides integration for Doctrine with various Symfony components
symfony/dom-crawler                v5.4.23 v6.3.0  Eases DOM navigation for HTML and XML documents
symfony/error-handler              v5.4.24 v6.3.0  Provides tools to manage errors and ease debugging PHP code
symfony/event-dispatcher           v5.4.22 v6.3.0  Provides tools that allow your application components to communicate with each other by dispatching events and listening to them
symfony/event-dispatcher-contracts v3.3.0  v3.3.0  Generic abstractions related to dispatching event
symfony/http-client-contracts      v2.5.2  v3.3.0  Generic abstractions related to HTTP clients
symfony/http-foundation            v5.4.24 v6.3.0  Defines an object-oriented layer for the HTTP specification
symfony/http-kernel                v5.4.24 v6.3.0  Provides a structured process for converting a Request into a Response
symfony/mime                       v5.4.23 v6.3.0  Allows manipulating MIME messages
symfony/monolog-bridge             v5.4.22 v6.3.0  Provides integration for Monolog with various Symfony components
symfony/options-resolver           v5.4.21 v6.3.0  Provides an improved replacement for the array_replace PHP function
symfony/password-hasher            v5.4.21 v6.3.0  Provides password hashing utilities
symfony/polyfill-intl-grapheme     v1.27.0 v1.27.0 Symfony polyfill for intl's grapheme_* functions
symfony/polyfill-intl-icu          v1.27.0 v1.27.0 Symfony polyfill for intl's ICU-related data and classes
symfony/polyfill-intl-idn          v1.27.0 v1.27.0 Symfony polyfill for intl's idn_to_ascii and idn_to_utf8 functions
symfony/polyfill-intl-normalizer   v1.27.0 v1.27.0 Symfony polyfill for intl's Normalizer class and related functions
symfony/polyfill-mbstring          v1.27.0 v1.27.0 Symfony polyfill for the Mbstring extension
symfony/polyfill-php72             v1.27.0 v1.27.0 Symfony polyfill backporting some PHP 7.2+ features to lower PHP versions
symfony/polyfill-php73             v1.27.0 v1.27.0 Symfony polyfill backporting some PHP 7.3+ features to lower PHP versions
symfony/polyfill-php80             v1.27.0 v1.27.0 Symfony polyfill backporting some PHP 8.0+ features to lower PHP versions
symfony/polyfill-php81             v1.27.0 v1.27.0 Symfony polyfill backporting some PHP 8.1+ features to lower PHP versions
symfony/routing                    v5.4.22 v6.3.0  Maps an HTTP request to a set of configuration variables
symfony/security-acl               v3.3.2  v3.3.2  Symfony Security Component - ACL (Access Control List)
symfony/security-core              v5.4.22 v6.3.0  Symfony Security Component - Core Library
symfony/security-csrf              v5.4.21 v6.3.0  Symfony Security Component - CSRF Library
symfony/security-guard             v5.4.22 v5.4.22 Symfony Security Component - Guard
symfony/security-http              v5.4.23 v6.3.0  Symfony Security Component - HTTP Integration
symfony/service-contracts          v2.5.2  v3.3.0  Generic abstractions related to writing services
symfony/string                     v5.4.22 v6.3.0  Provides an object-oriented API to strings and deals with bytes, UTF-8 code points and grapheme clusters in a unified way
symfony/translation-contracts      v2.5.2  v3.3.0  Generic abstractions related to translation
symfony/twig-bridge                v5.4.22 v6.3.0  Provides integration for Twig with various Symfony components
symfony/var-dumper                 v5.4.24 v6.3.0  Provides mechanisms for walking through any arbitrary PHP variable
symfony/var-exporter               v6.3.0  v6.3.0  Allows exporting any serializable PHP data structure to plain PHP code

PHP version

$ php -v
PHP 8.2.6

Subject

Minimal repository with the bug

Steps to reproduce

"sonata-project/user-bundle": "^5.0"
"symfony/*": "5.4.*"

Login to admin and use Profiler -> [Last 10] -> 302 POST https://.../login_check -> Token -> Logs

Expected results

No deprecations

Actual results

User Deprecated: Since symfony/security-http 5.3: Returning a string from "getSalt()" without implementing the "Symfony\Component\Security\Core\User\LegacyPasswordAuthenticatedUserInterface" interface is deprecated, the "App\Entity\SonataUserUser" class should implement it.

// src/Entity/SonataUserUser.php
namespace App\Entity;

use Doctrine\DBAL\Types\Types;
use Doctrine\ORM\Mapping as ORM;
use Sonata\UserBundle\Entity\BaseUser;

#[ORM\Table(name: 'sonata_user__user')]
#[ORM\Entity]
class SonataUserUser extends BaseUser
{
    #[ORM\Id]
    #[ORM\GeneratedValue]
    #[ORM\Column(type: Types::INTEGER)]
    protected $id = null;
}

Stack Trace

[▼
  "exception" => ErrorException {#523 ▼
    #message: "User Deprecated: Since symfony/security-http 5.3: Returning a string from "getSalt()" without implementing the "Symfony\Component\Security\Core\User\LegacyPasswordAuthenticatedUserInterface" interface is deprecated, the "App\Entity\SonataUserUser" class should implement it."
    #code: 0
    #file: "/home/dev/project/vendor/symfony/security-http/EventListener/CheckCredentialsListener.php"
    #line: 79
    #severity: E_USER_DEPRECATED
    trace: {▼
      /home/dev/project/vendor/symfony/security-http/EventListener/CheckCredentialsListener.php:79 {▼
        Symfony\Component\Security\Http\EventListener\CheckCredentialsListener->checkPassport(CheckPassportEvent $event): void …
        › if ($salt && !$user instanceof LegacyPasswordAuthenticatedUserInterface) {
        ›     trigger_deprecation('symfony/security-http', '5.3', 'Returning a string from "getSalt()" without implementing the "%s" interface is deprecated, the "%s" class should implement it.', LegacyPasswordAuthenticatedUserInterface::class, get_debug_type($user));
        › }
      }
      /home/dev/project/vendor/symfony/event-dispatcher/EventDispatcher.php:270 {▼
        Symfony\Component\EventDispatcher\EventDispatcher::Symfony\Component\EventDispatcher\{closure} …
        ›     }
        ›     ($closure = \Closure::fromCallable($listener))(...$args);
        › };
      }
      /home/dev/project/vendor/symfony/event-dispatcher/EventDispatcher.php:230 {▼
        Symfony\Component\EventDispatcher\EventDispatcher->callListeners(iterable $listeners, string $eventName, object $event) …
        ›     }
        ›     $listener($event, $eventName, $this);
        › }
      }
      /home/dev/project/vendor/symfony/event-dispatcher/EventDispatcher.php:59 {▼
        Symfony\Component\EventDispatcher\EventDispatcher->dispatch(object $event, string $eventName = null): object …
        › if ($listeners) {
        ›     $this->callListeners($listeners, $eventName, $event);
        › }
      }
      /home/dev/project/vendor/symfony/security-http/Authentication/AuthenticatorManager.php:185 {▼
        Symfony\Component\Security\Http\Authentication\AuthenticatorManager->executeAuthenticator(AuthenticatorInterface $authenticator, Request $request): Response …
        › $event = new CheckPassportEvent($authenticator, $passport);
        › $this->eventDispatcher->dispatch($event);
        ›
      }
      /home/dev/project/vendor/symfony/security-http/Authentication/AuthenticatorManager.php:161 {▼
        Symfony\Component\Security\Http\Authentication\AuthenticatorManager->executeAuthenticators(array $authenticators, Request $request): Response …
        ›
        › $response = $this->executeAuthenticator($authenticator, $request);
        › if (null !== $response) {
      }
      /home/dev/project/vendor/symfony/security-http/Authentication/AuthenticatorManager.php:141 {▼
        Symfony\Component\Security\Http\Authentication\AuthenticatorManager->authenticateRequest(Request $request): Response …
        ›
        ›     return $this->executeAuthenticators($authenticators, $request);
        › }
      }
      /home/dev/project/vendor/symfony/security-http/Firewall/AuthenticatorManagerListener.php:40 {▼
        Symfony\Component\Security\Http\Firewall\AuthenticatorManagerListener->authenticate(RequestEvent $event): void …
        › $request = $event->getRequest();
        › $response = $this->authenticatorManager->authenticateRequest($request);
        › if (null === $response) {
      }
      /home/dev/project/vendor/symfony/security-http/Authenticator/Debug/TraceableAuthenticatorManagerListener.php:65 {▼
        Symfony\Component\Security\Http\Authenticator\Debug\TraceableAuthenticatorManagerListener->authenticate(RequestEvent $event): void …
        ›
        › $this->authenticationManagerListener->authenticate($event);
        ›
      }
      /home/dev/project/vendor/symfony/security-bundle/Debug/WrappedLazyListener.php:49 {▼
        Symfony\Bundle\SecurityBundle\Debug\WrappedLazyListener->authenticate(RequestEvent $event) …
        › try {
        ›     $ret = $this->listener->authenticate($event);
        › } catch (LazyResponseException $e) {
      }
      /home/dev/project/vendor/symfony/security-http/Firewall/AbstractListener.php:26 {▼
        Symfony\Component\Security\Http\Firewall\AbstractListener->__invoke(RequestEvent $event) …
        › if (false !== $this->supports($event->getRequest())) {
        ›     $this->authenticate($event);
        › }
      }
      /home/dev/project/vendor/symfony/security-bundle/Security/LazyFirewallContext.php:60 {▼
        Symfony\Bundle\SecurityBundle\Security\LazyFirewallContext->__invoke(RequestEvent $event) …
        › foreach ($listeners as $listener) {
        ›     $listener($event);
        ›
      }
      /home/dev/project/vendor/symfony/security-bundle/Debug/TraceableFirewallListener.php:70 {▼
        Symfony\Bundle\SecurityBundle\Debug\TraceableFirewallListener->callListeners(RequestEvent $event, iterable $listeners) …
        ›
        ›     $listener($event);
        › } else {
      }
      /home/dev/project/vendor/symfony/security-http/Firewall.php:92 {▼
        Symfony\Component\Security\Http\Firewall->onKernelRequest(RequestEvent $event) …
        ›
        ›     $this->callListeners($event, $authenticationListeners());
        › }
      }
      /home/dev/project/vendor/symfony/event-dispatcher/Debug/WrappedListener.php:118 {▼
        Symfony\Component\EventDispatcher\Debug\WrappedListener->__invoke(object $event, string $eventName, EventDispatcherInterface $dispatcher): void …
        › try {
        ›     ($this->optimizedListener ?? $this->listener)($event, $eventName, $dispatcher);
        › } finally {
      }
      /home/dev/project/vendor/symfony/event-dispatcher/EventDispatcher.php:230 {▼
        Symfony\Component\EventDispatcher\EventDispatcher->callListeners(iterable $listeners, string $eventName, object $event) …
        ›     }
        ›     $listener($event, $eventName, $this);
        › }
      }
      /home/dev/project/vendor/symfony/event-dispatcher/EventDispatcher.php:59 {▼
        Symfony\Component\EventDispatcher\EventDispatcher->dispatch(object $event, string $eventName = null): object …
        › if ($listeners) {
        ›     $this->callListeners($listeners, $eventName, $event);
        › }
      }
      /home/dev/project/vendor/symfony/event-dispatcher/Debug/TraceableEventDispatcher.php:154 {▼
        Symfony\Component\EventDispatcher\Debug\TraceableEventDispatcher->dispatch(object $event, string $eventName = null): object …
        › try {
        ›     $this->dispatcher->dispatch($event, $eventName);
        › } finally {
      }
      /home/dev/project/vendor/symfony/http-kernel/HttpKernel.php:139 {▼
        Symfony\Component\HttpKernel\HttpKernel->handleRaw(Request $request, int $type = self::MAIN_REQUEST): Response …
        › $event = new RequestEvent($this, $request, $type);
        › $this->dispatcher->dispatch($event, KernelEvents::REQUEST);
        ›
      }
      /home/dev/project/vendor/symfony/http-kernel/HttpKernel.php:75 {▼
        Symfony\Component\HttpKernel\HttpKernel->handle(Request $request, int $type = HttpKernelInterface::MAIN_REQUEST, bool $catch = true) …
        › try {
        ›     return $this->handleRaw($request, $type);
        › } catch (\Exception $e) {
      }
      /home/dev/project/vendor/symfony/http-kernel/Kernel.php:202 {▼
        Symfony\Component\HttpKernel\Kernel->handle(Request $request, int $type = HttpKernelInterface::MAIN_REQUEST, bool $catch = true) …
        › try {
        ›     return $this->getHttpKernel()->handle($request, $type, $catch);
        › } finally {
      }
      /home/dev/project/vendor/symfony/runtime/Runner/Symfony/HttpKernelRunner.php:35 {▼
        Symfony\Component\Runtime\Runner\Symfony\HttpKernelRunner->run(): int …
        › {
        ›     $response = $this->kernel->handle($this->request);
        ›     $response->send();
      }
      /home/dev/project/vendor/autoload_runtime.php:35 {▼
        require_once …
        ›         ->getRunner($app)
        ›         ->run()
        › );
      }
      /home/dev/project/public/index.php:5 {▼
        ›
        › require_once dirname(__DIR__).'/vendor/autoload_runtime.php';
        ›
      }
    }
  }
]

@VincentLanglet
Member

Hi @piddubnij, thanks for the report. Could you open a PR with the fix? Thanks

@piddubnij
Contributor Author

I'm not familiar with the bundle's internals, so just adding the interface may break something.

namespace Sonata\UserBundle\Model;

use Symfony\Component\Security\Core\User\LegacyPasswordAuthenticatedUserInterface;
use Symfony\Component\Security\Core\User\UserInterface as SymfonyUserInterface;

// Proposed change: add LegacyPasswordAuthenticatedUserInterface to the implemented interfaces.
abstract class User implements LegacyPasswordAuthenticatedUserInterface, UserInterface, \Stringable
{
    // ... existing class body unchanged
}

@Hanmac
Contributor

Hanmac commented Jun 19, 2023

@VincentLanglet what would the preferred fix be?

implement the Interface (which would be a BC break?)
or remove the Salt use for Sonata User? (which might also be a BC break?)

@VincentLanglet
Member

VincentLanglet commented Jun 19, 2023

implement the Interface (which would be a BC break?)

Doesn't seem to be a BC break to me, so I would do it this way.

The only issue would be if the LegacyPasswordAuthenticatedUserInterface doesn't exist in all the Sf versions.

@Hanmac
Contributor

Hanmac commented Jun 19, 2023

implement the Interface (which would be a BC break?)

Doesn't seem to be a BC break to me, so I would do it this way.

The only issue would be if the LegacyPasswordAuthenticatedUserInterface doesn't exist in all the Sf versions.

Implemented in 5.3, so it should be in all of the supported Symfony versions:
https://symfony.com/blog/new-in-symfony-5-3-improvements-for-security-users#decoupled-passwords-from-users
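
An added example, not part of the thread and not code from Sonata or Symfony: it applies the condition quoted in the stack trace to three user shapes, showing that the notice depends on both a truthy salt and the missing interface. The two interfaces are local stand-ins for the Symfony ones so the script runs with plain PHP CLI; the class names, the `saltDeprecationFor()` helper and all values are hypothetical.

```php
<?php
declare(strict_types=1);

// Stand-ins (assumption) for the interfaces of the same short names in
// Symfony\Component\Security\Core\User, so no vendor/ directory is needed.
interface PasswordAuthenticatedUserInterface
{
    public function getPassword(): ?string;
}

interface LegacyPasswordAuthenticatedUserInterface extends PasswordAuthenticatedUserInterface
{
    public function getSalt(): ?string;
}

// Hypothetical user classes with constructed values.
class SaltedPlainUser // the reported case: string salt, interface missing
{
    public function getPassword(): ?string { return 'constructed-hash'; }
    public function getSalt(): ?string { return 'constructed-salt'; }
}

// Same data, but the class declares the legacy interface (the fix discussed above).
class SaltedLegacyUser extends SaltedPlainUser implements LegacyPasswordAuthenticatedUserInterface
{
}

class UnsaltedUser implements PasswordAuthenticatedUserInterface
{
    // bcrypt output embeds its own salt, so no separate salt is stored.
    public function getPassword(): ?string { return password_hash('constructed-password', PASSWORD_BCRYPT); }
    public function getSalt(): ?string { return null; }
}

/**
 * Applies the condition shown in the stack trace:
 *   if ($salt && !$user instanceof LegacyPasswordAuthenticatedUserInterface)
 * Reading the salt through method_exists() is an assumption of this example.
 * Returns the deprecation message, or null when nothing would be reported.
 */
function saltDeprecationFor(object $user): ?string
{
    $salt = method_exists($user, 'getSalt') ? $user->getSalt() : null;

    if ($salt && !$user instanceof LegacyPasswordAuthenticatedUserInterface) {
        return sprintf(
            'Returning a string from "getSalt()" without implementing the "%s" interface is deprecated, the "%s" class should implement it.',
            LegacyPasswordAuthenticatedUserInterface::class,
            get_debug_type($user)
        );
    }

    return null;
}

foreach ([new SaltedPlainUser(), new SaltedLegacyUser(), new UnsaltedUser()] as $user) {
    printf("%-18s %s\n", get_debug_type($user), saltDeprecationFor($user) ?? 'no deprecation');
}
```

Only `SaltedPlainUser` produces the message; a `null` or empty salt never does, whichever interfaces the class declares.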
