minor #59558 [Security] Unset token roles when serializing it and user implements EquatableInterface (nicolas-grekas)

This PR was merged into the 7.3 branch.

Discussion
----------

[Security] Unset token roles when serializing it and user implements EquatableInterface

| Q             | A
| ------------- | ---
| Branch?       | 7.3
| Bug fix?      | no
| New feature?  | no
| Deprecations? | no
| Issues        | -
| License       | MIT

When the user object implement EquatableInterface, we never read the roles stored in the token object that wraps the user in the session storage.

This PR ensures we don't store these roles either - they're just wasting space.

Commits
-------

b7c55c87bcb [Security] Unset token roles when serializing it and user implements EquatableInterface

Author: nicolas-grekas

Firewall/ContextListener.php

@@ -308,11 +308,12 @@ private static function hasUserChanged(UserInterface $originalUser, TokenInterfa
             }
         }
 
-        $userRoles = array_map('strval', $refreshedUser->getRoles());
+        $refreshedRoles = array_map('strval', $refreshedUser->getRoles());
+        $originalRoles = $refreshedToken->getRoleNames(); // This comes from cloning the original token, so it still contains the roles of the original user
 
         if (
-            \count($userRoles) !== \count($refreshedToken->getRoleNames())
-            || \count($userRoles) !== \count(array_intersect($userRoles, $refreshedToken->getRoleNames()))
+            \count($refreshedRoles) !== \count($originalRoles)
+            || \count($refreshedRoles) !== \count(array_intersect($refreshedRoles, $originalRoles))
         ) {
             return true;
         }