Deprecate the default signed cookie algorithm

Deprecate the default value for the `signed_cookie.hash_algo` configuration value (currently "sha256") in preparation for a change in 4.0.
nelmio · Jul 4, 2024 · 0f2790d · 0f2790d
1 parent 6a12626
commit 0f2790d
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 2 deletions.
diff --git a/src/DependencyInjection/Configuration.php b/src/DependencyInjection/Configuration.php
@@ -253,7 +253,7 @@ private function getSignedCookiesNode(): ArrayNodeDefinition
                     ->defaultValue(['*'])
                 ->end()
                 ->scalarNode('secret')->defaultValue('%kernel.secret%')->end()
-                ->scalarNode('hash_algo')->defaultValue('sha256')->end()
+                ->scalarNode('hash_algo')->end()
             ->end();
 
         return $node;

diff --git a/src/DependencyInjection/NelmioSecurityExtension.php b/src/DependencyInjection/NelmioSecurityExtension.php
@@ -35,7 +35,13 @@ public function load(array $configs, ContainerBuilder $container): void
             $loader->load('signed_cookie.php');
             $container->setParameter('nelmio_security.signed_cookie.names', $config['signed_cookie']['names']);
             $container->setParameter('nelmio_security.signer.secret', $config['signed_cookie']['secret']);
-            $container->setParameter('nelmio_security.signer.hash_algo', $config['signed_cookie']['hash_algo']);
+
+            if (isset($config['signed_cookie']['hash_algo'])) {
+                $container->setParameter('nelmio_security.signer.hash_algo', $config['signed_cookie']['hash_algo']);
+            } else {
+                trigger_deprecation('nelmio/security-bundle', '3.4.0', 'The default value for `signed_cookie.hash_algo` is deprecated and will change in 4.0. You should configure an algorithm explicitly.');
+                $container->setParameter('nelmio_security.signer.hash_algo', 'sha256');
+            }
         }
 
         if (isset($config['clickjacking']) && [] !== $config['clickjacking']) {

diff --git a/tests/DependencyInjection/NelmioSecurityExtensionTest.php b/tests/DependencyInjection/NelmioSecurityExtensionTest.php
@@ -22,10 +22,13 @@
 use Nelmio\SecurityBundle\ExternalRedirect\AllowListBasedTargetValidator;
 use Nelmio\SecurityBundle\Signer;
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\DependencyInjection\ContainerBuilder;
 
 final class NelmioSecurityExtensionTest extends TestCase
 {
+    use ExpectDeprecationTrait;
+
     private NelmioSecurityExtension $extension;
 
     protected function setUp(): void
@@ -54,6 +57,23 @@ public function testLoadSignedCookie(): void
         $this->assertServiceIdClass($container, 'nelmio_security.signer', Signer::class);
     }
 
+    /**
+     * @group legacy
+     */
+    public function testDeprecatedSignedCookieDefaultAlgorithm(): void
+    {
+        $this->expectDeprecation('Since nelmio/security-bundle 3.4.0: The default value for `signed_cookie.hash_algo` is deprecated and will change in 4.0. You should configure an algorithm explicitly.');
+
+        $container = new ContainerBuilder();
+        $this->extension->load([
+            [
+                'signed_cookie' => [],
+            ],
+        ], $container);
+
+        $this->assertContainerWithParameterValue($container, 'nelmio_security.signer.hash_algo', 'sha256');
+    }
+
     public function testLoadClickJacking(): void
     {
         $container = new ContainerBuilder();