feature #58007 [Security] Deprecate empty user identifier (ajgarlag)

This PR was merged into the 7.2 branch.

Discussion
----------

[Security] Deprecate empty user identifier

| Q             | A
| ------------- | ---
| Branch?       | 7.2
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Issues        | Fix #57982
| License       | MIT

Commits
-------

63690ec02e Deprecate empty user identifier

Author: fabpot

Authenticator/Passport/Badge/UserBadge.php

@@ -52,6 +52,11 @@ public function __construct(
         ?callable $userLoader = null,
         private ?array $attributes = null,
     ) {
+        if ('' === $userIdentifier) {
+            trigger_deprecation('symfony/security-http', '7.2', 'Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.');
+            // throw new BadCredentialsException('Empty user identifier.');
+        }
+
         if (\strlen($userIdentifier) > self::MAX_USERNAME_LENGTH) {
             throw new BadCredentialsException('Username too long.');
         }

CHANGELOG.md

@@ -6,6 +6,7 @@ CHANGELOG
 
  * Pass the current token to the `checkPostAuth()` method of user checkers
  * Deprecate argument `$secret` of `RememberMeAuthenticator`
+ * Deprecate passing an empty string as `$userIdentifier` argument to `UserBadge` constructor
 
 7.1
 ---

Tests/Authenticator/Passport/Badge/UserBadgeTest.php

@@ -12,15 +12,29 @@
 namespace Symfony\Component\Security\Http\Tests\Authenticator\Passport\Badge;
 
 use PHPUnit\Framework\TestCase;
+use Symfony\Bridge\PhpUnit\ExpectUserDeprecationMessageTrait;
+use Symfony\Component\Security\Core\Exception\BadCredentialsException;
 use Symfony\Component\Security\Core\Exception\UserNotFoundException;
 use Symfony\Component\Security\Http\Authenticator\Passport\Badge\UserBadge;
 
 class UserBadgeTest extends TestCase
 {
+    use ExpectUserDeprecationMessageTrait;
+
     public function testUserNotFound()
     {
         $badge = new UserBadge('dummy', fn () => null);
         $this->expectException(UserNotFoundException::class);
         $badge->getUser();
     }
+
+    /**
+     * @group legacy
+     */
+    public function testEmptyUserIdentifier()
+    {
+        $this->expectUserDeprecationMessage('Since symfony/security-http 7.2: Using an empty string as user identifier is deprecated and will throw an exception in Symfony 8.0.');
+        // $this->expectException(BadCredentialsException::class)
+        new UserBadge('', fn () => null);
+    }
 }