Merge branch '5.4' into 6.0

* 5.4:
  [HttpFoundation] Fix bad return type in IpUtils::checkIp4()
  [DependencyInjection] Fix order of arguments when mixing positional and named ones
  [HttpClient] Fix collecting data non-late for the profiler
  [Security/Http] Fix compat of persistent remember-me with legacy tokens
  Bump Symfony version to 5.4.20
  Update VERSION for 5.4.19
  Update CONTRIBUTORS for 5.4.19
  Update CHANGELOG for 5.4.19
  [Security/Http] Remove CSRF tokens from storage on successful login
  [HttpKernel] Remove private headers before storing responses with HttpCache

Author: nicolas-grekas

RememberMe/PersistentRememberMeHandler.php

@@ -34,7 +34,6 @@ final class PersistentRememberMeHandler extends AbstractRememberMeHandler
 {
     private $tokenProvider;
     private $tokenVerifier;
-    private string $secret;
 
     public function __construct(TokenProviderInterface $tokenProvider, string $secret, UserProviderInterface $userProvider, RequestStack $requestStack, array $options, LoggerInterface $logger = null, TokenVerifierInterface $tokenVerifier = null)
     {
@@ -45,7 +44,6 @@ public function __construct(TokenProviderInterface $tokenProvider, string $secre
         }
         $this->tokenProvider = $tokenProvider;
         $this->tokenVerifier = $tokenVerifier;
-        $this->secret = $secret;
     }
 
     /**

RememberMe/RememberMeDetails.php

@@ -36,6 +36,9 @@ public function __construct(string $userFqcn, string $userIdentifier, int $expir
 
     public static function fromRawCookie(string $rawCookie): self
     {
+        if (!str_contains($rawCookie, self::COOKIE_DELIMITER)) {
+            $rawCookie = base64_decode($rawCookie);
+        }
         $cookieParts = explode(self::COOKIE_DELIMITER, $rawCookie, 4);
         if (4 !== \count($cookieParts)) {
             throw new AuthenticationException('The cookie contains invalid data.');

Session/SessionAuthenticationStrategy.php

@@ -13,6 +13,7 @@
 
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
 
 /**
  * The default session strategy implementation.
@@ -31,10 +32,15 @@ class SessionAuthenticationStrategy implements SessionAuthenticationStrategyInte
     public const INVALIDATE = 'invalidate';
 
     private string $strategy;
+    private ?ClearableTokenStorageInterface $csrfTokenStorage = null;
 
-    public function __construct(string $strategy)
+    public function __construct(string $strategy, ClearableTokenStorageInterface $csrfTokenStorage = null)
     {
         $this->strategy = $strategy;
+
+        if (self::MIGRATE === $strategy) {
+            $this->csrfTokenStorage = $csrfTokenStorage;
+        }
     }
 
     /**
@@ -47,10 +53,12 @@ public function onAuthentication(Request $request, TokenInterface $token)
                 return;
 
             case self::MIGRATE:
-                // Note: this logic is duplicated in several authentication listeners
-                // until Symfony 5.0 due to a security fix with BC compat
                 $request->getSession()->migrate(true);
 
+                if ($this->csrfTokenStorage) {
+                    $this->csrfTokenStorage->clear();
+                }
+
                 return;
 
             case self::INVALIDATE:

Tests/RememberMe/PersistentRememberMeHandlerTest.php

@@ -156,4 +156,19 @@ public function testConsumeRememberMeCookieExpired()
 
         $this->handler->consumeRememberMeCookie(new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue'));
     }
+
+    public function testBase64EncodedTokens()
+    {
+        $this->tokenProvider->expects($this->any())
+            ->method('loadTokenBySeries')
+            ->with('series1')
+            ->willReturn(new PersistentToken(InMemoryUser::class, 'wouter', 'series1', 'tokenvalue', new \DateTime('-10 min')))
+        ;
+
+        $this->tokenProvider->expects($this->once())->method('updateToken')->with('series1');
+
+        $rememberMeDetails = new RememberMeDetails(InMemoryUser::class, 'wouter', 360, 'series1:tokenvalue');
+        $rememberMeDetails = RememberMeDetails::fromRawCookie(base64_encode($rememberMeDetails->toString()));
+        $this->handler->consumeRememberMeCookie($rememberMeDetails);
+    }
 }

Tests/Session/SessionAuthenticationStrategyTest.php

@@ -15,6 +15,7 @@
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Session\SessionInterface;
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
+use Symfony\Component\Security\Csrf\TokenStorage\ClearableTokenStorageInterface;
 use Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy;
 
 class SessionAuthenticationStrategyTest extends TestCase
@@ -57,6 +58,18 @@ public function testSessionIsInvalidated()
         $strategy->onAuthentication($this->getRequest($session), $this->createMock(TokenInterface::class));
     }
 
+    public function testCsrfTokensAreCleared()
+    {
+        $session = $this->createMock(SessionInterface::class);
+        $session->expects($this->once())->method('migrate')->with($this->equalTo(true));
+
+        $csrfStorage = $this->createMock(ClearableTokenStorageInterface::class);
+        $csrfStorage->expects($this->once())->method('clear');
+
+        $strategy = new SessionAuthenticationStrategy(SessionAuthenticationStrategy::MIGRATE, $csrfStorage);
+        $strategy->onAuthentication($this->getRequest($session), $this->createMock(TokenInterface::class));
+    }
+
     private function getRequest($session = null)
     {
         $request = $this->createMock(Request::class);