[Security] make TokenInterface::getUser() nullable to tell about unauthenticated tokens

nicolas-grekas · nicolas-grekas · commit 1d049282fd02 · 2021-08-20T09:39:46.000+02:00
diff --git a/Authentication/AuthenticationProviderManager.php b/Authentication/AuthenticationProviderManager.php
@@ -111,7 +111,7 @@ public function authenticate(TokenInterface $token)
             }
 
             // @deprecated since Symfony 5.3
-            if ($user = $result->getUser() instanceof UserInterface && !method_exists($result->getUser(), 'getUserIdentifier')) {
+            if ($result->getUser() instanceof UserInterface && !method_exists($result->getUser(), 'getUserIdentifier')) {
                 trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "getUserIdentifier(): string" in user class "%s" is deprecated. This method will replace "getUsername()" in Symfony 6.0.', get_debug_type($result->getUser()));
             }
 
diff --git a/Authentication/AuthenticationTrustResolver.php b/Authentication/AuthenticationTrustResolver.php
@@ -12,7 +12,6 @@
 namespace Symfony\Component\Security\Core\Authentication;
 
 use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
-use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
@@ -25,9 +24,9 @@ class AuthenticationTrustResolver implements AuthenticationTrustResolverInterfac
 {
     public function isAuthenticated(TokenInterface $token = null): bool
     {
-        return null !== $token && !$token instanceof NullToken
+        return $token && $token->getUser()
             // @deprecated since Symfony 5.4, TokenInterface::isAuthenticated() and AnonymousToken no longer exists in 6.0
-            && !$token instanceof AnonymousToken && $token->isAuthenticated(false);
+            && !$token instanceof AnonymousToken && (!method_exists($token, 'isAuthenticated') || $token->isAuthenticated(false));
     }
 
     /**
@@ -39,34 +38,22 @@ public function isAnonymous(TokenInterface $token = null/*, $deprecation = true*
             trigger_deprecation('symfony/security-core', '5.4', 'The "%s()" method is deprecated, use "isAuthenticated()" or "isFullFledged()" if you want to check if the request is (fully) authenticated.', __METHOD__);
         }
 
-        if (null === $token) {
-            return false;
-        }
-
-        return $token instanceof AnonymousToken || $token instanceof NullToken;
+        return $token && !$this->isAuthenticated($token);
     }
 
     /**
      * {@inheritdoc}
      */
     public function isRememberMe(TokenInterface $token = null)
     {
-        if (null === $token) {
-            return false;
-        }
-
-        return $token instanceof RememberMeToken;
+        return $token && $token instanceof RememberMeToken;
     }
 
     /**
      * {@inheritdoc}
      */
     public function isFullFledged(TokenInterface $token = null)
     {
-        if (null === $token) {
-            return false;
-        }
-
-        return !$this->isAnonymous($token, false) && !$this->isRememberMe($token);
+        return $token && !$this->isAnonymous($token, false) && !$this->isRememberMe($token);
     }
 }
diff --git a/Authentication/Token/AbstractToken.php b/Authentication/Token/AbstractToken.php
@@ -141,7 +141,7 @@ public function setUser($user)
     public function isAuthenticated()
     {
         if (1 > \func_num_args() || func_get_arg(0)) {
-            trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated. In version 6.0, security tokens won\'t have an "authenticated" flag anymore and will always be considered authenticated.', __METHOD__);
+            trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated, return null from "getUser()" instead when a token is not authenticated.', __METHOD__);
         }
 
         return $this->authenticated;
@@ -153,7 +153,7 @@ public function isAuthenticated()
     public function setAuthenticated(bool $authenticated)
     {
         if (2 > \func_num_args() || func_get_arg(1)) {
-            trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated. In version 6.0, security tokens won\'t have an "authenticated" state anymore and will always be considered as authenticated.', __METHOD__);
+            trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated', __METHOD__);
         }
 
         $this->authenticated = $authenticated;
diff --git a/Authentication/Token/NullToken.php b/Authentication/Token/NullToken.php
@@ -59,7 +59,7 @@ public function getUserIdentifier(): string
     public function isAuthenticated()
     {
         if (0 === \func_num_args() || func_get_arg(0)) {
-            trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated. In version 6.0, security tokens won\'t have an "authenticated" flag anymore and will always be considered authenticated.', __METHOD__);
+            trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated, return null from "getUser()" instead when a token is not authenticated.', __METHOD__);
         }
 
         return true;
diff --git a/Authentication/Token/TokenInterface.php b/Authentication/Token/TokenInterface.php
@@ -51,7 +51,7 @@ public function getCredentials();
     /**
      * Returns a user representation.
      *
-     * @return UserInterface
+     * @return UserInterface|null
      *
      * @see AbstractToken::setUser()
      */
@@ -71,14 +71,14 @@ public function setUser($user);
      *
      * @return bool true if the token has been authenticated, false otherwise
      *
-     * @deprecated since Symfony 5.4. In 6.0, security tokens will always be considered authenticated
+     * @deprecated since Symfony 5.4, return null from "getUser()" instead when a token is not authenticated
      */
     public function isAuthenticated();
 
     /**
      * Sets the authenticated flag.
      *
-     * @deprecated since Symfony 5.4. In 6.0, security tokens will always be considered authenticated
+     * @deprecated since Symfony 5.4
      */
     public function setAuthenticated(bool $isAuthenticated);
 
diff --git a/Authorization/AuthorizationChecker.php b/Authorization/AuthorizationChecker.php
@@ -67,7 +67,9 @@ public function __construct(TokenStorageInterface $tokenStorage, /*AccessDecisio
      */
     final public function isGranted($attribute, $subject = null): bool
     {
-        if (null === ($token = $this->tokenStorage->getToken())) {
+        $token = $this->tokenStorage->getToken();
+
+        if (!$token || !$token->getUser()) {
             if ($this->exceptionOnNoToken) {
                 throw new AuthenticationCredentialsNotFoundException('The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL.');
             }
@@ -78,7 +80,7 @@ final public function isGranted($attribute, $subject = null): bool
             // @deprecated since Symfony 5.4
             if ($this->alwaysAuthenticate || !$authenticated = $token->isAuthenticated(false)) {
                 if (!($authenticated ?? true)) {
-                    trigger_deprecation('symfony/core', '5.4', 'Returning false from "%s()" is deprecated and won\'t have any effect in Symfony 6.0 as security tokens will always be considered authenticated.');
+                    trigger_deprecation('symfony/core', '5.4', 'Returning false from "%s()" is deprecated, return null from "getUser()" instead.');
                 }
                 $this->tokenStorage->setToken($token = $this->authenticationManager->authenticate($token));
             }
diff --git a/Authorization/Voter/AuthenticatedVoter.php b/Authorization/Voter/AuthenticatedVoter.php
@@ -12,7 +12,6 @@
 namespace Symfony\Component\Security\Core\Authorization\Voter;
 
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolverInterface;
-use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 
@@ -96,7 +95,7 @@ public function vote(TokenInterface $token, $subject, array $attributes)
             if (self::IS_AUTHENTICATED === $attribute
                 && (method_exists($this->authenticationTrustResolver, 'isAuthenticated')
                     ? $this->authenticationTrustResolver->isAuthenticated($token)
-                    : (null !== $token && !$token instanceof NullToken))) {
+                    : ($token && $token->getUser()))) {
                 return VoterInterface::ACCESS_GRANTED;
             }
 
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -17,7 +17,7 @@ CHANGELOG
  * Deprecate setting the `$alwaysAuthenticate` argument to `true` and not setting the
    `$exceptionOnNoToken` argument to `false` of `AuthorizationChecker`
  * Deprecate methods `TokenInterface::isAuthenticated()` and `setAuthenticated`,
-   tokens will always be considered authenticated in 6.0
+   return null from "getUser()" instead when a token is not authenticated
 
 5.3
 ---
diff --git a/Security.php b/Security.php
@@ -42,12 +42,8 @@ public function getUser(): ?UserInterface
         }
 
         $user = $token->getUser();
-        // @deprecated since 5.4, $user will always be a UserInterface instance
-        if (!\is_object($user)) {
-            return null;
-        }
 
-        // @deprecated since 5.4, $user will always be a UserInterface instance
+        // @deprecated since Symfony 5.4, $user will always be a UserInterface instance
         if (!$user instanceof UserInterface) {
             return null;
         }
diff --git a/Tests/Authentication/AuthenticationTrustResolverTest.php b/Tests/Authentication/AuthenticationTrustResolverTest.php
@@ -17,7 +17,6 @@
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\User\InMemoryUser;
-use Symfony\Component\Security\Core\User\User;
 use Symfony\Component\Security\Core\User\UserInterface;
 
 class AuthenticationTrustResolverTest extends TestCase
@@ -29,7 +28,6 @@ public function testIsAnonymous()
     {
         $resolver = new AuthenticationTrustResolver();
         $this->assertFalse($resolver->isAnonymous(null));
-        $this->assertFalse($resolver->isAnonymous($this->getToken()));
         $this->assertFalse($resolver->isAnonymous($this->getRememberMeToken()));
         $this->assertFalse($resolver->isAnonymous(new FakeCustomToken()));
     }
@@ -39,7 +37,6 @@ public function testIsRememberMe()
         $resolver = new AuthenticationTrustResolver();
 
         $this->assertFalse($resolver->isRememberMe(null));
-        $this->assertFalse($resolver->isRememberMe($this->getToken()));
         $this->assertFalse($resolver->isRememberMe(new FakeCustomToken()));
         $this->assertTrue($resolver->isRememberMe(new RealCustomRememberMeToken()));
         $this->assertTrue($resolver->isRememberMe($this->getRememberMeToken()));
@@ -52,7 +49,6 @@ public function testisFullFledged()
         $this->assertFalse($resolver->isFullFledged(null));
         $this->assertFalse($resolver->isFullFledged($this->getRememberMeToken()));
         $this->assertFalse($resolver->isFullFledged(new RealCustomRememberMeToken()));
-        $this->assertTrue($resolver->isFullFledged($this->getToken()));
         $this->assertTrue($resolver->isFullFledged(new FakeCustomToken()));
     }
 
@@ -72,7 +68,7 @@ public function testIsAnonymousWithClassAsConstructorButStillExtending()
         $resolver = $this->getResolver();
 
         $this->assertFalse($resolver->isAnonymous(null));
-        $this->assertFalse($resolver->isAnonymous($this->getToken()));
+        $this->assertFalse($resolver->isAnonymous(new FakeCustomToken()));
         $this->assertFalse($resolver->isAnonymous($this->getRememberMeToken()));
     }
 
@@ -81,7 +77,7 @@ public function testIsRememberMeWithClassAsConstructorButStillExtending()
         $resolver = $this->getResolver();
 
         $this->assertFalse($resolver->isRememberMe(null));
-        $this->assertFalse($resolver->isRememberMe($this->getToken()));
+        $this->assertFalse($resolver->isRememberMe(new FakeCustomToken()));
         $this->assertTrue($resolver->isRememberMe($this->getRememberMeToken()));
         $this->assertTrue($resolver->isRememberMe(new RealCustomRememberMeToken()));
     }
@@ -93,7 +89,7 @@ public function testisFullFledgedWithClassAsConstructorButStillExtending()
         $this->assertFalse($resolver->isFullFledged(null));
         $this->assertFalse($resolver->isFullFledged($this->getRememberMeToken()));
         $this->assertFalse($resolver->isFullFledged(new RealCustomRememberMeToken()));
-        $this->assertTrue($resolver->isFullFledged($this->getToken()));
+        $this->assertTrue($resolver->isFullFledged(new FakeCustomToken()));
     }
 
     /**
@@ -112,11 +108,6 @@ public function testLegacy()
         $this->assertFalse($resolver->isFullFledged($this->getRealCustomAnonymousToken()));
     }
 
-    protected function getToken()
-    {
-        return $this->createMock(TokenInterface::class);
-    }
-
     protected function getAnonymousToken()
     {
         return new AnonymousToken('secret', 'anon.');
@@ -133,7 +124,7 @@ public function __construct()
 
     protected function getRememberMeToken()
     {
-        $user = class_exists(InMemoryUser::class) ? new InMemoryUser('wouter', '', ['ROLE_USER']) : new User('wouter', '', ['ROLE_USER']);
+        $user = new InMemoryUser('wouter', '', ['ROLE_USER']);
 
         return new RememberMeToken($user, 'main', 'secret');
     }
@@ -179,6 +170,7 @@ public function getCredentials()
 
     public function getUser(): UserInterface
     {
+        return new InMemoryUser('wouter', '', ['ROLE_USER']);
     }
 
     public function setUser($user)
diff --git a/Tests/Authorization/Voter/AuthenticatedVoterTest.php b/Tests/Authorization/Voter/AuthenticatedVoterTest.php
@@ -13,12 +13,13 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\AuthenticationTrustResolver;
-use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;
+use Symfony\Component\Security\Core\Authentication\Token\AbstractToken;
+use Symfony\Component\Security\Core\Authentication\Token\NullToken;
 use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Authentication\Token\SwitchUserToken;
-use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Authorization\Voter\AuthenticatedVoter;
 use Symfony\Component\Security\Core\Authorization\Voter\VoterInterface;
+use Symfony\Component\Security\Core\User\InMemoryUser;
 
 class AuthenticatedVoterTest extends TestCase
 {
@@ -84,14 +85,28 @@ public function getLegacyVoteTests()
 
     protected function getToken($authenticated)
     {
+        $user = new InMemoryUser('wouter', '', ['ROLE_USER']);
+
         if ('fully' === $authenticated) {
-            return $this->createMock(TokenInterface::class);
-        } elseif ('remembered' === $authenticated) {
-            return $this->getMockBuilder(RememberMeToken::class)->setMethods(['setPersistent'])->disableOriginalConstructor()->getMock();
-        } elseif ('impersonated' === $authenticated) {
+            $token = new class() extends AbstractToken {
+                public function getCredentials()
+                {
+                }
+            };
+            $token->setUser($user);
+            $token->setAuthenticated(true, false);
+
+            return $token;
+        }
+
+        if ('remembered' === $authenticated) {
+            return new RememberMeToken($user, 'foo', 'bar');
+        }
+
+        if ('impersonated' === $authenticated) {
             return $this->getMockBuilder(SwitchUserToken::class)->disableOriginalConstructor()->getMock();
-        } else {
-            return $this->getMockBuilder(AnonymousToken::class)->setConstructorArgs(['', ''])->getMock();
         }
+
+        return new NullToken();
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -111,7 +111,7 @@ public function authenticate(TokenInterface $token)`
`111`	`111`	`}`
`112`	`112`
`113`	`113`	`// @deprecated since Symfony 5.3`
`114`		`- if ($user = $result->getUser() instanceof UserInterface && !method_exists($result->getUser(), 'getUserIdentifier')) {`
	`114`	`+ if ($result->getUser() instanceof UserInterface && !method_exists($result->getUser(), 'getUserIdentifier')) {`
`115`	`115`	`trigger_deprecation('symfony/security-core', '5.3', 'Not implementing method "getUserIdentifier(): string" in user class "%s" is deprecated. This method will replace "getUsername()" in Symfony 6.0.', get_debug_type($result->getUser()));`
`116`	`116`	`}`
`117`	`117`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,6 @@`
`12`	`12`	`namespace Symfony\Component\Security\Core\Authentication;`
`13`	`13`
`14`	`14`	`use Symfony\Component\Security\Core\Authentication\Token\AnonymousToken;`
`15`		`-use Symfony\Component\Security\Core\Authentication\Token\NullToken;`
`16`	`15`	`use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;`
`17`	`16`	`use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;`
`18`	`17`
`@@ -25,9 +24,9 @@ class AuthenticationTrustResolver implements AuthenticationTrustResolverInterfac`
`25`	`24`	`{`
`26`	`25`	`public function isAuthenticated(TokenInterface $token = null): bool`
`27`	`26`	`{`
`28`		`- return null !== $token && !$token instanceof NullToken`
	`27`	`+ return $token && $token->getUser()`
`29`	`28`	`// @deprecated since Symfony 5.4, TokenInterface::isAuthenticated() and AnonymousToken no longer exists in 6.0`
`30`		`- && !$token instanceof AnonymousToken && $token->isAuthenticated(false);`
	`29`	`+ && !$token instanceof AnonymousToken && (!method_exists($token, 'isAuthenticated') \|\| $token->isAuthenticated(false));`
`31`	`30`	`}`
`32`	`31`
`33`	`32`	`/**`
`@@ -39,34 +38,22 @@ public function isAnonymous(TokenInterface $token = null/, $deprecation = true`
`39`	`38`	`trigger_deprecation('symfony/security-core', '5.4', 'The "%s()" method is deprecated, use "isAuthenticated()" or "isFullFledged()" if you want to check if the request is (fully) authenticated.', __METHOD__);`
`40`	`39`	`}`
`41`	`40`
`42`		`- if (null === $token) {`
`43`		`- return false;`
`44`		`- }`
`45`		`-`
`46`		`- return $token instanceof AnonymousToken \|\| $token instanceof NullToken;`
	`41`	`+ return $token && !$this->isAuthenticated($token);`
`47`	`42`	`}`
`48`	`43`
`49`	`44`	`/**`
`50`	`45`	`* {@inheritdoc}`
`51`	`46`	`*/`
`52`	`47`	`public function isRememberMe(TokenInterface $token = null)`
`53`	`48`	`{`
`54`		`- if (null === $token) {`
`55`		`- return false;`
`56`		`- }`
`57`		`-`
`58`		`- return $token instanceof RememberMeToken;`
	`49`	`+ return $token && $token instanceof RememberMeToken;`
`59`	`50`	`}`
`60`	`51`
`61`	`52`	`/**`
`62`	`53`	`* {@inheritdoc}`
`63`	`54`	`*/`
`64`	`55`	`public function isFullFledged(TokenInterface $token = null)`
`65`	`56`	`{`
`66`		`- if (null === $token) {`
`67`		`- return false;`
`68`		`- }`
`69`		`-`
`70`		`- return !$this->isAnonymous($token, false) && !$this->isRememberMe($token);`
	`57`	`+ return $token && !$this->isAnonymous($token, false) && !$this->isRememberMe($token);`
`71`	`58`	`}`
`72`	`59`	`}`
Original file line number	Diff line number	Diff line change
`@@ -141,7 +141,7 @@ public function setUser($user)`
`141`	`141`	`public function isAuthenticated()`
`142`	`142`	`{`
`143`	`143`	`if (1 > \func_num_args() \|\| func_get_arg(0)) {`
`144`		`- trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated. In version 6.0, security tokens won\'t have an "authenticated" flag anymore and will always be considered authenticated.', __METHOD__);`
	`144`	`+ trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated, return null from "getUser()" instead when a token is not authenticated.', __METHOD__);`
`145`	`145`	`}`
`146`	`146`
`147`	`147`	`return $this->authenticated;`
`@@ -153,7 +153,7 @@ public function isAuthenticated()`
`153`	`153`	`public function setAuthenticated(bool $authenticated)`
`154`	`154`	`{`
`155`	`155`	`if (2 > \func_num_args() \|\| func_get_arg(1)) {`
`156`		`- trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated. In version 6.0, security tokens won\'t have an "authenticated" state anymore and will always be considered as authenticated.', __METHOD__);`
	`156`	`+ trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated', __METHOD__);`
`157`	`157`	`}`
`158`	`158`
`159`	`159`	`$this->authenticated = $authenticated;`
Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ public function getUserIdentifier(): string`
`59`	`59`	`public function isAuthenticated()`
`60`	`60`	`{`
`61`	`61`	`if (0 === \func_num_args() \|\| func_get_arg(0)) {`
`62`		`- trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated. In version 6.0, security tokens won\'t have an "authenticated" flag anymore and will always be considered authenticated.', __METHOD__);`
	`62`	`+ trigger_deprecation('symfony/security-core', '5.4', 'Method "%s()" is deprecated, return null from "getUser()" instead when a token is not authenticated.', __METHOD__);`
`63`	`63`	`}`
`64`	`64`
`65`	`65`	`return true;`
Original file line number	Diff line number	Diff line change
`@@ -51,7 +51,7 @@ public function getCredentials();`
`51`	`51`	`/**`
`52`	`52`	`* Returns a user representation.`
`53`	`53`	`*`
`54`		`- * @return UserInterface`
	`54`	`+ * @return UserInterface\|null`
`55`	`55`	`*`
`56`	`56`	`* @see AbstractToken::setUser()`
`57`	`57`	`*/`
`@@ -71,14 +71,14 @@ public function setUser($user);`
`71`	`71`	`*`
`72`	`72`	`* @return bool true if the token has been authenticated, false otherwise`
`73`	`73`	`*`
`74`		`- * @deprecated since Symfony 5.4. In 6.0, security tokens will always be considered authenticated`
	`74`	`+ * @deprecated since Symfony 5.4, return null from "getUser()" instead when a token is not authenticated`
`75`	`75`	`*/`
`76`	`76`	`public function isAuthenticated();`
`77`	`77`
`78`	`78`	`/**`
`79`	`79`	`* Sets the authenticated flag.`
`80`	`80`	`*`
`81`		`- * @deprecated since Symfony 5.4. In 6.0, security tokens will always be considered authenticated`
	`81`	`+ * @deprecated since Symfony 5.4`
`82`	`82`	`*/`
`83`	`83`	`public function setAuthenticated(bool $isAuthenticated);`
`84`	`84`
Original file line number	Diff line number	Diff line change
`@@ -67,7 +67,9 @@ public function __construct(TokenStorageInterface $tokenStorage, /*AccessDecisio`
`67`	`67`	`*/`
`68`	`68`	`final public function isGranted($attribute, $subject = null): bool`
`69`	`69`	`{`
`70`		`- if (null === ($token = $this->tokenStorage->getToken())) {`
	`70`	`+ $token = $this->tokenStorage->getToken();`
	`71`	`+`
	`72`	`+ if (!$token \|\| !$token->getUser()) {`
`71`	`73`	`if ($this->exceptionOnNoToken) {`
`72`	`74`	`throw new AuthenticationCredentialsNotFoundException('The token storage contains no authentication token. One possible reason may be that there is no firewall configured for this URL.');`
`73`	`75`	`}`
`@@ -78,7 +80,7 @@ final public function isGranted($attribute, $subject = null): bool`
`78`	`80`	`// @deprecated since Symfony 5.4`
`79`	`81`	`if ($this->alwaysAuthenticate \|\| !$authenticated = $token->isAuthenticated(false)) {`
`80`	`82`	`if (!($authenticated ?? true)) {`
`81`		`- trigger_deprecation('symfony/core', '5.4', 'Returning false from "%s()" is deprecated and won\'t have any effect in Symfony 6.0 as security tokens will always be considered authenticated.');`
	`83`	`+ trigger_deprecation('symfony/core', '5.4', 'Returning false from "%s()" is deprecated, return null from "getUser()" instead.');`
`82`	`84`	`}`
`83`	`85`	`$this->tokenStorage->setToken($token = $this->authenticationManager->authenticate($token));`
`84`	`86`	`}`
Original file line number	Diff line number	Diff line change
`@@ -42,12 +42,8 @@ public function getUser(): ?UserInterface`
`42`	`42`	`}`
`43`	`43`
`44`	`44`	`$user = $token->getUser();`
`45`		`- // @deprecated since 5.4, $user will always be a UserInterface instance`
`46`		`- if (!\is_object($user)) {`
`47`		`- return null;`
`48`		`- }`
`49`	`45`
`50`		`- // @deprecated since 5.4, $user will always be a UserInterface instance`
	`46`	`+ // @deprecated since Symfony 5.4, $user will always be a UserInterface instance`
`51`	`47`	`if (!$user instanceof UserInterface) {`
`52`	`48`	`return null;`
`53`	`49`	`}`