diff --git a/src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php b/src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php
index 230f33fb257f3..6c9bf9820b0c7 100644
--- a/src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php
+++ b/src/Symfony/Component/Security/Csrf/Tests/TokenStorage/SessionTokenStorageTest.php
@@ -12,6 +12,7 @@
 namespace Symfony\Component\Security\Csrf\Tests\TokenStorage;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpFoundation\Session\Session;
@@ -24,6 +25,8 @@
 */
 class SessionTokenStorageTest extends TestCase
 {
+ use ExpectDeprecationTrait;
+
 private const SESSION_NAMESPACE = 'foobar';
 
 /**
@@ -159,4 +162,50 @@ public function testClearDoesNotRemoveNonNamespacedSessionValues()
 $this->assertTrue($this->session->has('foo'));
 $this->assertSame('baz', $this->session->get('foo'));
 }
+
+ /**
+ * @group legacy
+ */
+ public function testMockSessionIsCreatedWhenMissing()
+ {
+ $this->expectDeprecation('Since symfony/security-csrf 5.3: Using the "Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage" without a session has no effect and is deprecated. It will throw a "Symfony\Component\HttpFoundation\Exception\SessionNotFoundException" in Symfony 6.0');
+
+ $this->storage->setToken('token_id', 'TOKEN');
+
+ $requestStack = new RequestStack();
+ $storage = new SessionTokenStorage($requestStack, self::SESSION_NAMESPACE);
+
+ $this->assertFalse($storage->hasToken('foo'));
+ $storage->setToken('foo', 'bar');
+ $this->assertTrue($storage->hasToken('foo'));
+ $this->assertSame('bar', $storage->getToken('foo'));
+
+ $session = new Session(new MockArraySessionStorage());
+ $request = new Request();
+ $request->setSession($session);
+ $requestStack->push($request);
+ }
+
+ /**
+ * @group legacy
+ */
+ public function testMockSessionIsReusedEvenWhenRequestHasSession()
+ {
+ $this->expectDeprecation('Since symfony/security-csrf 5.3: Using the "Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage" without a session has no effect and is deprecated. It will throw a "Symfony\Component\HttpFoundation\Exception\SessionNotFoundException" in Symfony 6.0');
+
+ $this->storage->setToken('token_id', 'TOKEN');
+
+ $requestStack = new RequestStack();
+ $storage = new SessionTokenStorage($requestStack, self::SESSION_NAMESPACE);
+
+ $storage->setToken('foo', 'bar');
+ $this->assertSame('bar', $storage->getToken('foo'));
+
+ $session = new Session(new MockArraySessionStorage());
+ $request = new Request();
+ $request->setSession($session);
+ $requestStack->push($request);
+
+ $this->assertSame('bar', $storage->getToken('foo'));
+ }
 }
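Review bot: In `testMockSessionIsCreatedWhenMissing` the last four statements build a real `Session` and push the request onto the stack, but nothing is asserted afterwards, so the test passes the same with or without them. The opening `$this->storage->setToken('token_id', 'TOKEN');` in both new tests is likewise never checked. Either drop that setup or close the first test with a check after the push, for example `$this->assertSame('bar', $storage->getToken('foo'));`, as the second test does. The docblocks carry only `@group legacy`; one sentence saying that a token written while no session exists is served from the fallback session even after a real session appears would tell the reader what behaviour is being pinned.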
diff --git a/src/Symfony/Component/Security/Csrf/TokenStorage/SessionTokenStorage.php b/src/Symfony/Component/Security/Csrf/TokenStorage/SessionTokenStorage.php
index 70613f5f26f25..5b86499bc9e8a 100644
--- a/src/Symfony/Component/Security/Csrf/TokenStorage/SessionTokenStorage.php
+++ b/src/Symfony/Component/Security/Csrf/TokenStorage/SessionTokenStorage.php
@@ -34,7 +34,7 @@ class SessionTokenStorage implements ClearableTokenStorageInterface
 private $requestStack;
 private $namespace;
 /**
- * Tp be remove in Symfony 6.0
+ * To be removed in Symfony 6.0.
 */
 private $session;
 
@@ -130,7 +130,7 @@ public function clear()
 private function getSession(): SessionInterface
 {
 try {
- return $this->requestStack->getSession();
+ return $this->session ?? $this->requestStack->getSession();
 } catch (SessionNotFoundException $e) {
 trigger_deprecation('symfony/security-csrf', '5.3', 'Using the "%s" without a session has no effect and is deprecated. It will throw a "%s" in Symfony 6.0', __CLASS__, SessionNotFoundException::class);
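Review bot: With `return $this->session ?? $this->requestStack->getSession();` a fallback stored in `$this->session` wins for the lifetime of the object, so the request stack is never consulted again once it is set; the new test `testMockSessionIsReusedEvenWhenRequestHasSession` confirms this. Assuming the property is only assigned in the `catch` branch (the assignment is outside the hunk), CSRF tokens written before a session existed stay in per-object memory rather than in the user's session. If the same service instance is reused across requests in a long-running worker, they would presumably still be readable by a later request. The property docblock says only when it will be removed; I would add `Fallback session created when the request stack has none; once set it is reused for every later call.` and check that the property is cleared wherever this service is reset between requests. `getSession()` continues past the end of the hunk.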