Commit ecbf0e9

[Security] make secret required for DefaultLoginRateLimiter
The `secret` parameter has been added in #51434 with a default value of `''` and a deprecation message that it is required / may not be empty. Which is fine and doesn't hurt backwards compatibility. The later ticket #52469 changes the deprecation into an exception, as it is undesirable that no secret is used (in any scenario). This leads to the unintended side effect that there is a BC breakage when a developer manually creates a `DefaultLoginRateLimiter` as it is now actually required to provide a (non-empty) value due to the check and exception. Allowing the service / class to be used without providing the secret parameter, in a backwards compatible manner, but then still breaking the backwards compatibility by throwing due to the default value is confusing. So making the `secret` required makes more sense from a developer perspective as it is clear that the parameter must be provided.
1 parent 6bf99c0 commit ecbf0e9

1 file changed

+1
-1
lines changed

src/Symfony/Component/Security/Http/RateLimiter/DefaultLoginRateLimiter.php

+1-1
@@ -34,7 +34,7 @@ final class DefaultLoginRateLimiter extends AbstractRequestRateLimiter
3434
/**
3535
* @param non-empty-string $secret A secret to use for hashing the IP address and username
3636
*/
37-
public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory, #[\SensitiveParameter] string $secret = '')
37+
public function __construct(RateLimiterFactory $globalFactory, RateLimiterFactory $localFactory, #[\SensitiveParameter] string $secret)
3838
{
3939
if (!$secret) {
4040
throw new InvalidArgumentException('A non-empty secret is required.');
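
Review bot: The signature change on line 37 ships without a changelog or upgrade note (this commit touches one file), yet it changes how a manual two-argument construction fails: PHP now raises an ArgumentCountError before the body runs instead of the InvalidArgumentException thrown on line 40, so callers catching the latter will miss it. Suggest adding a note that `$secret` is now a mandatory constructor argument. Separately, the retained `if (!$secret)` guard on line 39 also rejects the string '0', which satisfies the `non-empty-string` docblock; comparing with `'' === $secret` would match the documented contract exactly.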
