Security Http Laravel Package

Changelog (https://github.com/symfony/security-http/compare/v8.1.0-RC1...v8.1.0)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v8.1.0-BETA3...v8.1.0-RC1)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
• bug #64337 Initialize lazy users before serializing them (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v8.0.12...v8.0.13)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
• bug #64337 Initialize lazy users before serializing them (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v7.4.12...v7.4.13)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
• bug #64337 Initialize lazy users before serializing them (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v6.4.40...v6.4.41)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)
• bug #64337 Initialize lazy users before serializing them (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v5.4.52...v5.4.53)

• security #cve-2026-48489 Don't honor user-supplied _failure_path on failure_forward (@nicolas-grekas)

Changelog (https://github.com/symfony/security-http/compare/v8.1.0-BETA2...v8.1.0-BETA3)

• security #cve-2026-45069 Add missing claims in OidcTokenHandler (@alexandre-daubois)
• bug #64290 Various fixes and hardenings (@nicolas-grekas)
• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
• security #cve-2026-45074 Require configuring trusted hosts when using CAS authentication (@nicolas-grekas)
• security #cve-2026-45075 Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@nicolas-grekas)
• bug #64213 Fix impersonation being deauthenticated on every request (@nicolas-grekas)

Changelog (https://github.com/symfony/security-http/compare/v8.0.11...v8.0.12)

• security #cve-2026-45069 Add missing claims in OidcTokenHandler (@alexandre-daubois)
• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
• security #cve-2026-45074 Require configuring trusted hosts when using CAS authentication (@nicolas-grekas)
• security #cve-2026-45075 Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@nicolas-grekas)
• bug #64213 Fix impersonation being deauthenticated on every request (@nicolas-grekas)

Changelog (https://github.com/symfony/security-http/compare/v7.4.11...v7.4.12)

• security #cve-2026-45069 Add missing claims in OidcTokenHandler (@alexandre-daubois)
• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)
• security #cve-2026-45074 Require configuring trusted hosts when using CAS authentication (@nicolas-grekas)
• security #cve-2026-45075 Fix HEAD requests bypassing methods filter in IsGranted, IsCsrfTokenValid and IsSignatureValid attributes (@nicolas-grekas)
• bug #64213 Fix impersonation being deauthenticated on every request (@nicolas-grekas)

Changelog (https://github.com/symfony/security-http/compare/v6.4.39...v6.4.40)

• security #cve-2026-45069 Add missing claims in OidcTokenHandler (@alexandre-daubois)
• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)

Changelog (https://github.com/symfony/security-http/compare/v5.4.47...v5.4.52)

• security #cve-2026-45063 Anchor emailAddress regex to RDN boundary in X509Authenticator (@alexandre-daubois)

Changelog (https://github.com/symfony/security-http/compare/v8.1.0-BETA1...v8.1.0-BETA2)

• bug #64181 Preserve webserver base URL in HttpUtils::createRequest() (@ousamabenyounes)

Changelog (https://github.com/symfony/security-http/compare/v8.0.9...v8.0.11)

• bug #64181 Preserve webserver base URL in HttpUtils::createRequest() (@ousamabenyounes)

Changelog (https://github.com/symfony/security-http/compare/v7.4.9...v7.4.11)

• bug #64181 Preserve webserver base URL in HttpUtils::createRequest() (@ousamabenyounes)

Changelog (https://github.com/symfony/security-http/compare/v6.4.31...v6.4.39)

• bug #64181 Preserve webserver base URL in HttpUtils::createRequest() (@ousamabenyounes)

Changelog (https://github.com/symfony/security-http/compare/v8.0.3...v8.0.9)

• bug #63983 Throw BadCredentialsException on empty JSON login username/password (@ousamabenyounes)

Changelog (https://github.com/symfony/security-http/compare/v7.4.3...v7.4.9)

• bug #63983 Throw BadCredentialsException on empty JSON login username/password (@ousamabenyounes)

Changelog (https://github.com/symfony/security-http/compare/v8.0.7...v8.0.8)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v7.4.7...v7.4.8)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v8.0.5...v8.0.6)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v7.4.5...v7.4.6)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v6.4.33...v6.4.34)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v8.0.3...v8.0.4)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v7.4.3...v7.4.4)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v7.3.9...v7.3.10)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v8.0.2...v8.0.3)

• bug symfony/symfony#62796 [Security] do not use PHPUnit mock objects without configured expectations (@xabbuh)

Changelog (https://github.com/symfony/security-http/compare/v7.4.2...v7.4.3)

• bug symfony/symfony#62796 [Security] do not use PHPUnit mock objects without configured expectations (@xabbuh)

Changelog (https://github.com/symfony/security-http/compare/v7.3.8...v7.3.9)

• bug symfony/symfony#62796 [Security] do not use PHPUnit mock objects without configured expectations (@xabbuh)

Changelog (https://github.com/symfony/security-http/compare/v6.4.30...v6.4.31)

• bug symfony/symfony#62796 [Security] do not use PHPUnit mock objects without configured expectations (@xabbuh)

Changelog (https://github.com/symfony/security-http/compare/v8.0.0...v8.0.1)

• bug symfony/symfony#62495 [Security][Http] Fix OIDC discovery when multiple HttpClient instances are used (@Ali-HENDA)
• bug symfony/symfony#62487 [Security] Fix UserBadge validation bypass via identifier normalizer (@yoeunes)

Changelog (https://github.com/symfony/security-http/compare/v7.4.0...v7.4.1)

• bug symfony/symfony#62495 [Security][Http] Fix OIDC discovery when multiple HttpClient instances are used (@Ali-HENDA)

Changelog (https://github.com/symfony/security-http/compare/v7.3.7...v7.3.8)

• bug symfony/symfony#62487 [Security] Fix UserBadge validation bypass via identifier normalizer (@yoeunes)
• bug symfony/symfony#62093 [Security] Fix HttpUtils::createRequest() when the context’s base URL isn’t empty (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v6.4.29...v6.4.30)

• bug symfony/symfony#62093 [Security] Fix HttpUtils::createRequest() when the context’s base URL isn’t empty (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v7.4.0-RC3...v7.4.0)

• bug symfony/symfony#62487 [Security] Fix UserBadge validation bypass via identifier normalizer (@yoeunes)
• feature symfony/symfony#62469 [Security] Keep SymfonyCasts as backers of the Security components v7.4 🤗 (@nicolas-grekas)

Changelog (https://github.com/symfony/security-http/compare/v8.0.0-RC1...v8.0.0-RC2)

• bug symfony/symfony#62369 [Security] Set OIDC JWKS cache TTL from provider headers (@Ali-HENDA)

Changelog (https://github.com/symfony/security-http/compare/v7.4.0-RC1...v7.4.0-RC2)

• bug symfony/symfony#62369 [Security] Set OIDC JWKS cache TTL from provider headers (@Ali-HENDA)

Changelog (https://github.com/symfony/security-http/compare/v7.4.0-BETA2...v7.4.0-RC1)

• bug symfony/symfony#62093 [Security] Fix HttpUtils::createRequest() when the context’s base URL isn’t empty (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v7.3.4...v7.3.5)

• bug symfony/symfony#62037 Fix generating logout link with stateless csrf (@pierredup)

Changelog (https://github.com/symfony/security-http/compare/v7.3.4...v8.0.0-BETA1)

• feature symfony/symfony#62043 [Security] Allow multiple OIDC discovery endpoints (@ruudk)
• feature symfony/symfony#61949 [HttpFoundation] Deprecate HTTP method override for methods GET, HEAD, CONNECT and TRACE (@nicolas-grekas)
• feature symfony/symfony#60660 [Security] Add security:oidc-token:generate command (@Jean-Beru)
• feature symfony/symfony#61948 [HttpFoundation] Deprecate Request::get() in favor of using properties ->attributes, query or request directly (@nicolas-grekas)
• feature symfony/symfony#61789 [Security] deprecate extending RememberMeDetails using legacy constructor signature (@xabbuh)
• feature symfony/symfony#61760 [Security] remove the user FQCN from remember me cookies (@xabbuh)
• feature symfony/symfony#61743 [Security] deprecate the FQCN properties of PersistentToken and RememberMeDetails (@xabbuh)
• feature symfony/symfony#61694 [Security] Add $tokenSource argument to #[IsCsrfTokenValid] to support reading tokens from the query string or headers (@webda2l)
• feature symfony/symfony#61654 [Security] Deprecate PersistentToken::getClass() and RememberMeDetails::getUserFqcn() in order to remove the user FQCN from the remember-me cookie in 8.0 (@nicolas-grekas)
• feature symfony/symfony#61542 [Security] Allow subclassing #[IsGranted] (@nicolas-grekas)
• feature symfony/symfony#61504 [SecurityHttp] Removes final keyword from IsGranted attribute (@crtl)
• feature symfony/symfony#61359 [Security] Add $methods support to #[IsGranted] to restrict access by HTTP method (@santysisi)
• feature symfony/symfony#61204 [Security] Support union type for #[CurrentUser] attribute (@VincentLanglet)
• feature symfony/symfony#61187 Declare new parameters on interfaces and methods explicitly (@nicolas-grekas)
• feature symfony/symfony#61183 [Security] Throw when passing an empty string as $userIdentifier and tighten AuthenticatorManager and OidcTokenHandler arguments (@nicolas-grekas)
• feature symfony/symfony#61011 [Security] Remove deprecated RememberMeToken::getSecret() (@ktherage)
• feature symfony/symfony#60879 [Security] Remove callable firewall listeners support (@MatTheCat)
• feature symfony/symfony#60614 [Security] Deprecate callable firewall listeners (@MatTheCat)
• feature symfony/symfony#60742 [Ldap][Security] Remove deprecated eraseCredentials() from (User|Token)Interface (@chalasr)
• feature symfony/symfony#60697 Enforce return types on all components (@nicolas-grekas)
• feature symfony/symfony#60639 Bump Symfony 8 to PHP >= 8.4 (@nicolas-grekas)

Changelog (https://github.com/symfony/security-http/compare/v7.3.4...v7.4.0-BETA1)

• feature symfony/symfony#62043 [Security] Allow multiple OIDC discovery endpoints (@ruudk)
• feature symfony/symfony#61949 [HttpFoundation] Deprecate HTTP method override for methods GET, HEAD, CONNECT and TRACE (@nicolas-grekas)
• feature symfony/symfony#60660 [Security] Add security:oidc-token:generate command (@Jean-Beru)
• feature symfony/symfony#61948 [HttpFoundation] Deprecate Request::get() in favor of using properties ->attributes, query or request directly (@nicolas-grekas)
• feature symfony/symfony#61789 [Security] deprecate extending RememberMeDetails using legacy constructor signature (@xabbuh)
• feature symfony/symfony#61743 [Security] deprecate the FQCN properties of PersistentToken and RememberMeDetails (@xabbuh)
• feature symfony/symfony#61694 [Security] Add $tokenSource argument to #[IsCsrfTokenValid] to support reading tokens from the query string or headers (@webda2l)
• feature symfony/symfony#61654 [Security] Deprecate PersistentToken::getClass() and RememberMeDetails::getUserFqcn() in order to remove the user FQCN from the remember-me cookie in 8.0 (@nicolas-grekas)
• feature symfony/symfony#61542 [Security] Allow subclassing #[IsGranted] (@nicolas-grekas)
• feature symfony/symfony#61504 [SecurityHttp] Removes final keyword from IsGranted attribute (@crtl)
• feature symfony/symfony#61359 [Security] Add $methods support to #[IsGranted] to restrict access by HTTP method (@santysisi)
• feature symfony/symfony#61204 [Security] Support union type for #[CurrentUser] attribute (@VincentLanglet)
• feature symfony/symfony#60614 [Security] Deprecate callable firewall listeners (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v7.3.3...v7.3.4)

• bug symfony/symfony#61659 [Security] Fix HttpUtils::createRequest() when the base request is forwarded (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v6.4.25...v6.4.26)

• bug symfony/symfony#61659 [Security] Fix HttpUtils::createRequest() when the base request is forwarded (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v7.3.2...v7.3.3)

• feature symfony/symfony#61486 [Security] Ignore target route when exiting impersonation (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v6.4.24...v6.4.25)

• feature symfony/symfony#61486 [Security] Ignore target route when exiting impersonation (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v7.3.1...v7.3.2)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v7.2.8...v7.2.9)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v6.4.23...v6.4.24)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v7.3.0...v7.3.1)

• bug symfony/symfony#60785 [Security] Handle non-callable implementations of FirewallListenerInterface (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v7.2.7...v7.2.8)

• bug symfony/symfony#60785 [Security] Handle non-callable implementations of FirewallListenerInterface (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v6.4.22...v6.4.23)

• bug symfony/symfony#60785 [Security] Handle non-callable implementations of FirewallListenerInterface (@MatTheCat)

Changelog (https://github.com/symfony/security-http/compare/v7.3.0-RC1...v7.3.0)

• no significant changes

Changelog (https://github.com/symfony/security-http/compare/v7.2.6...v7.2.7)

• bug symfony/symfony#60379 [Security] Avoid failing when PersistentRememberMeHandler handles a malformed cookie (@Seldaek)
• bug symfony/symfony#60350 [Security][LoginLink] Throw InvalidLoginLinkException on invalid parameters (@davidszkiba)