Skip to content

[HttpKernel] drop the ability to configure a signer with the #[IsSignatureValid] attribute #61756

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
nicolas-grekas merged 1 commit into from
Sep 15, 2025
Merged

[HttpKernel] drop the ability to configure a signer with the #[IsSignatureValid] attribute #61756

nicolas-grekas merged 1 commit into from
Sep 15, 2025

Conversation

@xabbuh
Copy link
Member

@xabbuh xabbuh commented Sep 15, 2025

Q A
Branch? 7.4
Bug fix? no
New feature? no
Deprecations? no
Issues
License MIT

I would like to challenge the decision made in #60395 to support custom URI signers per usage of the new #[IsSignatureValid] attribute. I doubt that use cases for it are so wide-spread that we need to add support for it here.

@carsonbot carsonbot added this to the 7.4 milestone Sep 15, 2025
@xabbuh
Copy link
Member Author

xabbuh commented Sep 15, 2025

cc @santysisi

xabbuh
xabbuh commented Sep 15, 2025
View reviewed changes
src/Symfony/Component/HttpKernel/Tests/EventListener/IsSignatureValidAttributeListenerTest.php
use Symfony\Component\HttpKernel\Tests\Fixtures\IsSignatureValidAttributeController;
use Symfony\Component\HttpKernel\Tests\Fixtures\IsSignatureValidAttributeMethodsController;

#[RequiresMethod(UriSigner::class, 'verify')]
Copy link
Member Author

@xabbuh xabbuh Sep 15, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

UriSigner::verify() is available since 7.3 and HttpKernel requires 7.4+ of the HttpFoundation component

Copy link
Contributor

@santysisi santysisi Sep 15, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, that was my fault, sorry about that! 🙏

@OskarStark OskarStark changed the title [HttpKernel] drop the ability to configure a signer with the IsSignatureValid attribute [HttpKernel] drop the ability to configure a signer with the #[IsSignatureValid] attribute Sep 15, 2025
wouterj
wouterj approved these changes Sep 15, 2025
View reviewed changes
Copy link
Member

@wouterj wouterj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I agree, good catch!

I can't remember seeing requests for having multiple uri signer implementations in 1 application (nor the need to have a custom uri signer implementation). So let's make this a separate feature from the attribute.
If there is a need for this, it can always be reintroduced at a future point.

@santysisi
Copy link
Contributor

santysisi commented Sep 15, 2025
edited
Loading

In my opinion, this is a good feature, giving developers the ability to choose which UriSigner to use adds flexibility. I know it’s a niche use case, but I personally appreciate having that option.

For context, I’ve been working in another PR

Also, just as a reference, the #[AsEventListener] attribute already allows choosing a specific dispatcher via its dispatcher argument

But if this cc was just to confirm the change is okay. I think it is! 👍

@nicolas-grekas
Copy link
Member

nicolas-grekas commented Sep 15, 2025
edited
Loading

@santysisi it does give that flexibility, but would you have a concrete use case? We're not looking for nice to haves but for actually useful features ;)

santysisi
santysisi approved these changes Sep 15, 2025
View reviewed changes
Copy link
Contributor

@santysisi santysisi left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I understand your point of view 😔👍

Edit:
I'll update the Symfony Docs PR later tonight.
Also, just checking, do we need to close this PR?

@nicolas-grekas nicolas-grekas mentioned this pull request Sep 15, 2025
Closed
@nicolas-grekas
Copy link
Member

nicolas-grekas commented Sep 15, 2025

Thank you @xabbuh.

@nicolas-grekas nicolas-grekas merged commit 280fd47 into symfony:7.4 Sep 15, 2025
9 of 12 checks passed
@xabbuh xabbuh deleted the pr-60395 branch September 15, 2025 13:25
@xabbuh
Copy link
Member Author

xabbuh commented Sep 15, 2025
edited
Loading

@santysisi The ping was both a FYI as well as a request for comments in case you have a real world use case of which you think it's common enough to have this ability. Than you for the feedback. 👍

@xabbuh xabbuh mentioned this pull request Sep 15, 2025
Merged
@kbond
Copy link
Member

kbond commented Sep 16, 2025

I've been playing with using the URI signer for stateless password reset and email verification. This could be a use case for when you would want multiple. The idea here is you would have a separate secret for each of these implementations.

I admit it's not fully fleshed out yet so we can come back to it.

@wouterj
Copy link
Member

wouterj commented Sep 16, 2025

@kbond you might want to try out the SignatureHasher class for those functions, it's what also powers the login link authenticator.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wouterj wouterj wouterj approved these changes

+1 more reviewer

@santysisi santysisi santysisi approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

HttpKernel Status: Reviewed

Projects

None yet

Milestone

7.4

Development

Successfully merging this pull request may close these issues.

6 participants

@xabbuh @santysisi @nicolas-grekas @kbond @wouterj @carsonbot