symfony · derrabus · Jul 15, 2021 · Jul 15, 2021
@@ -1,6 +1,12 @@
 CHANGELOG
 =========
 
+6.0
+---
+
+ * Remove the `SessionInterface $session` constructor argument of `SessionTokenStorage`, inject a `\Symfony\Component\HttpFoundation\RequestStack $requestStack` instead
+ * Using `SessionTokenStorage` outside a request context throws a `SessionNotFoundException`
+
 5.3
 ---
 

@@ -12,7 +12,6 @@
 namespace Symfony\Component\Security\Csrf\Tests\TokenStorage;
 
 use PHPUnit\Framework\TestCase;
-use Symfony\Bridge\PhpUnit\ExpectDeprecationTrait;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
 use Symfony\Component\HttpFoundation\Session\Session;
@@ -25,8 +24,6 @@
  */
 class SessionTokenStorageTest extends TestCase
 {
-    use ExpectDeprecationTrait;
-
     private const SESSION_NAMESPACE = 'foobar';
 
     /**
@@ -162,50 +159,4 @@ public function testClearDoesNotRemoveNonNamespacedSessionValues()
         $this->assertTrue($this->session->has('foo'));
         $this->assertSame('baz', $this->session->get('foo'));
     }
-
-    /**
-     * @group legacy
-     */
-    public function testMockSessionIsCreatedWhenMissing()
-    {
-        $this->expectDeprecation('Since symfony/security-csrf 5.3: Using the "Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage" without a session has no effect and is deprecated. It will throw a "Symfony\Component\HttpFoundation\Exception\SessionNotFoundException" in Symfony 6.0');
-
-        $this->storage->setToken('token_id', 'TOKEN');
-
-        $requestStack = new RequestStack();
-        $storage = new SessionTokenStorage($requestStack, self::SESSION_NAMESPACE);
-
-        $this->assertFalse($storage->hasToken('foo'));
-        $storage->setToken('foo', 'bar');
-        $this->assertTrue($storage->hasToken('foo'));
-        $this->assertSame('bar', $storage->getToken('foo'));
-
-        $session = new Session(new MockArraySessionStorage());
-        $request = new Request();
-        $request->setSession($session);
-        $requestStack->push($request);
-    }
-
-    /**
-     * @group legacy
-     */
-    public function testMockSessionIsReusedEvenWhenRequestHasSession()
-    {
-        $this->expectDeprecation('Since symfony/security-csrf 5.3: Using the "Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage" without a session has no effect and is deprecated. It will throw a "Symfony\Component\HttpFoundation\Exception\SessionNotFoundException" in Symfony 6.0');
-
-        $this->storage->setToken('token_id', 'TOKEN');
-
-        $requestStack = new RequestStack();
-        $storage = new SessionTokenStorage($requestStack, self::SESSION_NAMESPACE);
-
-        $storage->setToken('foo', 'bar');
-        $this->assertSame('bar', $storage->getToken('foo'));
-
-        $session = new Session(new MockArraySessionStorage());
-        $request = new Request();
-        $request->setSession($session);
-        $requestStack->push($request);
-
-        $this->assertSame('bar', $storage->getToken('foo'));
-    }
 }
@@ -12,11 +12,8 @@
 namespace Symfony\Component\Security\Csrf\TokenStorage;
 
 use Symfony\Component\HttpFoundation\Exception\SessionNotFoundException;
-use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\RequestStack;
-use Symfony\Component\HttpFoundation\Session\Session;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
-use Symfony\Component\HttpFoundation\Session\Storage\MockArraySessionStorage;
 use Symfony\Component\Security\Csrf\Exception\TokenNotFoundException;
 
 /**
@@ -33,27 +30,14 @@ class SessionTokenStorage implements ClearableTokenStorageInterface
 
     private $requestStack;
     private $namespace;
-    /**
-     * To be removed in Symfony 6.0.
-     */
-    private $session;
 
     /**
      * Initializes the storage with a RequestStack object and a session namespace.
      *
-     * @param RequestStack $requestStack
-     * @param string       $namespace    The namespace under which the token is stored in the requestStack
+     * @param string $namespace The namespace under which the token is stored in the requestStack
      */
-    public function __construct(/* RequestStack*/ $requestStack, string $namespace = self::SESSION_NAMESPACE)
+    public function __construct(RequestStack $requestStack, string $namespace = self::SESSION_NAMESPACE)
     {
-        if ($requestStack instanceof SessionInterface) {
-            trigger_deprecation('symfony/security-csrf', '5.3', 'Passing a "%s" to "%s" is deprecated, use a "%s" instead.', SessionInterface::class, __CLASS__, RequestStack::class);
-            $request = new Request();
-            $request->setSession($requestStack);
-
-            $requestStack = new RequestStack();
-            $requestStack->push($request);
-        }
         $this->requestStack = $requestStack;
         $this->namespace = $namespace;
     }
@@ -127,14 +111,11 @@ public function clear()
         }
     }
 
+    /**
+     * @throws SessionNotFoundException
+     */
     private function getSession(): SessionInterface
     {
-        try {
-            return $this->session ?? $this->requestStack->getSession();
-        } catch (SessionNotFoundException $e) {
-            trigger_deprecation('symfony/security-csrf', '5.3', 'Using the "%s" without a session has no effect and is deprecated. It will throw a "%s" in Symfony 6.0', __CLASS__, SessionNotFoundException::class);
-
-            return $this->session ?? $this->session = new Session(new MockArraySessionStorage());
-        }
+        return $this->requestStack->getSession();
     }
 }