symfony
diff --git a/‎UPGRADE-7.4.md
Lines changed: 24 additions & 0 deletions b/‎UPGRADE-7.4.md
Lines changed: 24 additions & 0 deletions
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Lines changed: 3 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Resources/views/Collector/security.html.twig
Lines changed: 3 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/RegisterEntryPointsPassTest.php
Lines changed: 2 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/Compiler/RegisterEntryPointsPassTest.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
Lines changed: 2 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/SecurityExtensionTest.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/AuthenticatorBundle/ApiAuthenticator.php
Lines changed: 2 additions & 1 deletion b/‎src/Symfony/Bundle/SecurityBundle/Tests/Functional/Bundle/AuthenticatorBundle/ApiAuthenticator.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Ldap/Security/LdapAuthenticator.php
Lines changed: 3 additions & 2 deletions b/‎src/Symfony/Component/Ldap/Security/LdapAuthenticator.php
Lines changed: 3 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Ldap/Tests/Security/CheckLdapCredentialsListenerTest.php
Lines changed: 2 additions & 1 deletion b/‎src/Symfony/Component/Ldap/Tests/Security/CheckLdapCredentialsListenerTest.php
Lines changed: 2 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/AbstractLoginFormAuthenticator.php
Lines changed: 19 additions & 2 deletions b/‎src/Symfony/Component/Security/Http/Authenticator/AbstractLoginFormAuthenticator.php
Lines changed: 19 additions & 2 deletions
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php
Lines changed: 10 additions & 1 deletion b/‎src/Symfony/Component/Security/Http/Authenticator/AbstractPreAuthenticatedAuthenticator.php
Lines changed: 10 additions & 1 deletion
diff --git a/‎src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php
Lines changed: 14 additions & 2 deletions b/‎src/Symfony/Component/Security/Http/Authenticator/AccessTokenAuthenticator.php
Lines changed: 14 additions & 2 deletions
@@ -0,0 +1,24 @@
+UPGRADE FROM 7.3 to 7.4
+=======================
+
+Symfony 7.4 is a minor release. According to the Symfony release process, there should be no significant
+backward compatibility breaks. Minor backward compatibility breaks are prefixed in this document with
+`[BC BREAK]`, make sure your code is compatible with these entries before upgrading.
+Read more about this in the [Symfony documentation](https://symfony.com/doc/7.4/setup/upgrade_minor.html).
+
+If you're upgrading from a version below 7.3, follow the [7.3 upgrade guide](UPGRADE-7.3.md) first.
+
+Security
+--------
+
+ * Add argument `$requestSupport` to `AuthenticatorInterface::supports()`;
+   it should be used to report the reason a request isn't supported. E.g:
+
+   ```php
+   public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool
+   {
+       $requestSupport?->addReason('This authenticator does not support any request.');
+
+       return false;
+   }
+   ```
@@ -423,7 +423,9 @@
                                         <div id="authenticator-{{ i }}" class="font-normal">
                                             {% if authenticator.supports is same as(false) %}
                                                 <div class="empty">
-                                                    <p>This authenticator did not support the request.</p>
+                                                    {% for reason in (authenticator.supportReasons ?? []) is empty ? ['This authenticator did not support the request.'] : authenticator.supportReasons %}
+                                                        <p>{{ reason }}</p>
+                                                    {% endfor %}
                                                 </div>
                                             {% elseif authenticator.authenticated is null %}
                                                 <div class="empty">
 
@@ -28,6 +28,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\Firewall\ExceptionListener;
+use Symfony\Component\Security\Http\RequestSupport;
 
 class RegisterEntryPointsPassTest extends TestCase
 {
@@ -71,7 +72,7 @@ public function testProcessResolvesChildDefinitionsClass()
 
 class CustomAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface
 {
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool
     {
         return false;
     }
 
@@ -38,6 +38,7 @@
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Authenticator\HttpBasicAuthenticator;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
+use Symfony\Component\Security\Http\RequestSupport;
 
 class SecurityExtensionTest extends TestCase
 {
@@ -959,7 +960,7 @@ protected function getContainer()
 
 class TestAuthenticator implements AuthenticatorInterface
 {
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool
     {
     }
 
 
@@ -22,6 +22,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\RequestSupport;
 
 class ApiAuthenticator extends AbstractAuthenticator
 {
@@ -32,7 +33,7 @@ public function __construct(bool $selfLoadingUser = false)
         $this->selfLoadingUser = $selfLoadingUser;
     }
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool
     {
         return $request->headers->has('X-USER-EMAIL');
     }
 
@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
 use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;
+use Symfony\Component\Security\Http\RequestSupport;
 
 /**
  * This class decorates internal authenticators to add the LDAP integration.
@@ -44,9 +45,9 @@ public function __construct(
     ) {
     }
 
-    public function supports(Request $request): ?bool
+    public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool
     {
-        return $this->authenticator->supports($request);
+        return $this->authenticator->supports($request, $requestSupport);
     }
 
     public function authenticate(Request $request): Passport
 
@@ -33,6 +33,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Event\CheckPassportEvent;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Contracts\Service\ServiceLocatorTrait;
 
 class CheckLdapCredentialsListenerTest extends TestCase
@@ -206,7 +207,7 @@ private function createListener()
 if (interface_exists(AuthenticatorInterface::class)) {
     class TestAuthenticator implements AuthenticatorInterface
     {
-        public function supports(Request $request): ?bool
+        public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool
         {
         }
 
 
@@ -16,6 +16,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Component\Security\Http\SecurityRequestAttributes;
 
 /**
@@ -36,10 +37,26 @@ abstract protected function getLoginUrl(Request $request): string;
      *
      * This default implementation handles all POST requests to the
      * login path (@see getLoginUrl()).
+     *
+     * @param RequestSupport|null $requestSupport
      */
-    public function supports(Request $request): bool
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): bool
     {
-        return $request->isMethod('POST') && $this->getLoginUrl($request) === $request->getBaseUrl().$request->getPathInfo();
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : null;
+
+        if (!$request->isMethod('POST')) {
+            $requestSupport?->addReason('Request is not a POST.');
+
+            return false;
+        }
+
+        if ($this->getLoginUrl($request) !== $request->getBaseUrl().$request->getPathInfo()) {
+            $requestSupport?->addReason('Request does not match the login URL.');
+
+            return false;
+        }
+
+        return true;
     }
 
     /**
 
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
+use Symfony\Component\Security\Http\RequestSupport;
 
 /**
  * The base authenticator for authenticators to use pre-authenticated
@@ -52,20 +53,27 @@ public function __construct(
      */
     abstract protected function extractUsername(Request $request): ?string;
 
-    public function supports(Request $request): ?bool
+    /**
+     * @param RequestSupport|null $requestSupport
+     */
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool
     {
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : null;
+
         try {
             $username = $this->extractUsername($request);
         } catch (BadCredentialsException $e) {
             $this->clearToken($e);
 
             $this->logger?->debug('Skipping pre-authenticated authenticator as a BadCredentialsException is thrown.', ['exception' => $e, 'authenticator' => static::class]);
+            $requestSupport?->addReason('Could not find the username in the request.');
 
             return false;
         }
 
         if (null === $username) {
             $this->logger?->debug('Skipping pre-authenticated authenticator no username could be extracted.', ['authenticator' => static::class]);
+            $requestSupport?->addReason('Username found in the request was empty.');
 
             return false;
         }
@@ -75,6 +83,7 @@ public function supports(Request $request): ?bool
 
         if ($token instanceof PreAuthenticatedToken && $this->firewallName === $token->getFirewallName() && $token->getUserIdentifier() === $username) {
             $this->logger?->debug('Skipping pre-authenticated authenticator as the user already has an existing session.', ['authenticator' => static::class]);
+            $requestSupport?->addReason('A token already exists for the user in the session.');
 
             return false;
         }
 
@@ -24,6 +24,7 @@
 use Symfony\Component\Security\Http\Authenticator\Passport\Passport;
 use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;
 use Symfony\Component\Security\Http\Authenticator\Token\PostAuthenticationToken;
+use Symfony\Component\Security\Http\RequestSupport;
 use Symfony\Contracts\Translation\TranslatorInterface;
 
 /**
@@ -46,9 +47,20 @@ public function __construct(
     ) {
     }
 
-    public function supports(Request $request): ?bool
+    /**
+     * @param RequestSupport|null $requestSupport
+     */
+    public function supports(Request $request, /* ?RequestSupport $requestSupport = null */): ?bool
     {
-        return null === $this->accessTokenExtractor->extractAccessToken($request) ? false : null;
+        $requestSupport = 2 <= \func_num_args() ? func_get_arg(1) : null;
+
+        if (null === $this->accessTokenExtractor->extractAccessToken($request)) {
+            $requestSupport?->addReason(sprintf('No token was found in the request by the %s.', $this->accessTokenExtractor::class));
+
+            return false;
+        }
+
+        return null;
     }
 
     public function authenticate(Request $request): Passport
Original file line number	Diff line number	Diff line change
`@@ -28,6 +28,7 @@`
`28`	`28`	`use Symfony\Component\Security\Http\Authenticator\Passport\Passport;`
`29`	`29`	`use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;`
`30`	`30`	`use Symfony\Component\Security\Http\Firewall\ExceptionListener;`
	`31`	`+use Symfony\Component\Security\Http\RequestSupport;`
`31`	`32`
`32`	`33`	`class RegisterEntryPointsPassTest extends TestCase`
`33`	`34`	`{`
`@@ -71,7 +72,7 @@ public function testProcessResolvesChildDefinitionsClass()`
`71`	`72`
`72`	`73`	`class CustomAuthenticator extends AbstractAuthenticator implements AuthenticationEntryPointInterface`
`73`	`74`	`{`
`74`		`- public function supports(Request $request): ?bool`
	`75`	`+ public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool`
`75`	`76`	`{`
`76`	`77`	`return false;`
`77`	`78`	`}`
Original file line number	Diff line number	Diff line change
`@@ -38,6 +38,7 @@`
`38`	`38`	`use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;`
`39`	`39`	`use Symfony\Component\Security\Http\Authenticator\HttpBasicAuthenticator;`
`40`	`40`	`use Symfony\Component\Security\Http\Authenticator\Passport\Passport;`
	`41`	`+use Symfony\Component\Security\Http\RequestSupport;`
`41`	`42`
`42`	`43`	`class SecurityExtensionTest extends TestCase`
`43`	`44`	`{`
`@@ -959,7 +960,7 @@ protected function getContainer()`
`959`	`960`
`960`	`961`	`class TestAuthenticator implements AuthenticatorInterface`
`961`	`962`	`{`
`962`		`- public function supports(Request $request): ?bool`
	`963`	`+ public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool`
`963`	`964`	`{`
`964`	`965`	`}`
`965`	`966`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,7 @@`
`22`	`22`	`use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;`
`23`	`23`	`use Symfony\Component\Security\Http\Authenticator\Passport\Passport;`
`24`	`24`	`use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;`
	`25`	`+use Symfony\Component\Security\Http\RequestSupport;`
`25`	`26`
`26`	`27`	`class ApiAuthenticator extends AbstractAuthenticator`
`27`	`28`	`{`
`@@ -32,7 +33,7 @@ public function __construct(bool $selfLoadingUser = false)`
`32`	`33`	`$this->selfLoadingUser = $selfLoadingUser;`
`33`	`34`	`}`
`34`	`35`
`35`		`- public function supports(Request $request): ?bool`
	`36`	`+ public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool`
`36`	`37`	`{`
`37`	`38`	`return $request->headers->has('X-USER-EMAIL');`
`38`	`39`	`}`
Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@`
`20`	`20`	`use Symfony\Component\Security\Http\Authenticator\Passport\Passport;`
`21`	`21`	`use Symfony\Component\Security\Http\EntryPoint\AuthenticationEntryPointInterface;`
`22`	`22`	`use Symfony\Component\Security\Http\EntryPoint\Exception\NotAnEntryPointException;`
	`23`	`+use Symfony\Component\Security\Http\RequestSupport;`
`23`	`24`
`24`	`25`	`/**`
`25`	`26`	`* This class decorates internal authenticators to add the LDAP integration.`
`@@ -44,9 +45,9 @@ public function __construct(`
`44`	`45`	`) {`
`45`	`46`	`}`
`46`	`47`
`47`		`- public function supports(Request $request): ?bool`
	`48`	`+ public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool`
`48`	`49`	`{`
`49`		`- return $this->authenticator->supports($request);`
	`50`	`+ return $this->authenticator->supports($request, $requestSupport);`
`50`	`51`	`}`
`51`	`52`
`52`	`53`	`public function authenticate(Request $request): Passport`
Original file line number	Diff line number	Diff line change
`@@ -33,6 +33,7 @@`
`33`	`33`	`use Symfony\Component\Security\Http\Authenticator\Passport\Passport;`
`34`	`34`	`use Symfony\Component\Security\Http\Authenticator\Passport\SelfValidatingPassport;`
`35`	`35`	`use Symfony\Component\Security\Http\Event\CheckPassportEvent;`
	`36`	`+use Symfony\Component\Security\Http\RequestSupport;`
`36`	`37`	`use Symfony\Contracts\Service\ServiceLocatorTrait;`
`37`	`38`
`38`	`39`	`class CheckLdapCredentialsListenerTest extends TestCase`
`@@ -206,7 +207,7 @@ private function createListener()`
`206`	`207`	`if (interface_exists(AuthenticatorInterface::class)) {`
`207`	`208`	`class TestAuthenticator implements AuthenticatorInterface`
`208`	`209`	`{`
`209`		`- public function supports(Request $request): ?bool`
	`210`	`+ public function supports(Request $request, ?RequestSupport $requestSupport = null): ?bool`
`210`	`211`	`{`
`211`	`212`	`}`
`212`	`213`