
[Security] Deprecate UserInterface & TokenInterface's `eraseCredentials… #20616


Open
nicolas-grekas opened this issue Feb 4, 2025 · 2 comments

@nicolas-grekas
Member

| Q | A |
| --- | --- |
| Feature PR | symfony/symfony#59682 |
| PR author(s) | @chalasr, @nicolas-grekas |
| Merged in | 7.3 |

We created this issue to not forget to document this new feature. We would really appreciate if you can help us with this task. If you are not sure how to do it, please ask us and we will help you.

To fix this issue, please create a PR against the 7.3 branch in the symfony-docs repository.

Thank you! 😃

@alamirault
Contributor

alamirault commented May 9, 2025

There are 2 references to the eraseCredentials method:

security.rst

Output of maker-bundle make:user

symfony-docs/security.rst

Lines 196 to 203 in 5b70521

```php
/**
 * @see UserInterface
 */
public function eraseCredentials(): void
{
    // If you store any temporary, sensitive data on the user, clear it here
    // $this->plainPassword = null;
}
```

I created symfony/maker-bundle#1700, so when it's done, we can remove this part.

reference/configuration/security.rst

```rst
erase_credentials
-----------------

**type**: ``boolean`` **default**: ``true``

If ``true``, the ``eraseCredentials()`` method of the user object is called
after authentication.
```

We should probably add a deprecated directive or note section.

@nicolas-grekas the erase_credentials option is not deprecated. The "after" example is:

```php
#[\Deprecated]
public function eraseCredentials(): void
{
}

// If your eraseCredentials() method was used to empty a "password" property:
public function __serialize(): array
{
    $data = (array) $this;
    unset($data["\0".self::class."\0password"]);

    return $data;
}
```

In Symfony 8.0, will the #[\Deprecated] attribute and the eraseCredentials method be kept, then?
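
Added example (not from the issue, the PR or Symfony's code): a serialize/unserialize round trip showing what the `__serialize()` snippet above does to a private `password` property, and why the key needs the `"\0".self::class."\0"` prefix. `DemoUser`, `check()` and the sample values are hypothetical.

```php
<?php
declare(strict_types=1);

// Hypothetical class for illustration; a real user class would implement UserInterface.
final class DemoUser
{
    private ?string $password = null; // temporary, sensitive value

    public function __construct(private string $identifier) {}

    public function setPassword(string $password): void { $this->password = $password; }
    public function getPassword(): ?string { return $this->password; }
    public function getIdentifier(): string { return $this->identifier; }

    public function __serialize(): array
    {
        // An (array) cast keys private properties as "\0ClassName\0property".
        $data = (array) $this;
        unset($data["\0".self::class."\0password"]);

        return $data;
    }
}

function check(bool $condition, string $message): void
{
    if (!$condition) {
        throw new RuntimeException('Check failed: '.$message);
    }
}

$secret = 'constructed-sample-secret'; // constructed sample value
$user = new DemoUser('alice');
$user->setPassword($secret);

// Pitfall: the unmangled key does not exist, so this unset() removes nothing.
$naive = (array) $user;
unset($naive['password']);
check(in_array($secret, $naive, true), 'naive unset leaves the private property in place');

// The serialized form omits the secret.
$payload = serialize($user);
check(!str_contains($payload, $secret), 'payload must not contain the secret');

// The live object is untouched; the restored copy falls back to the default null.
$restored = unserialize($payload, ['allowed_classes' => [DemoUser::class]]);
check($user->getPassword() === $secret, 'in-memory object keeps its value');
check($restored->getIdentifier() === 'alice', 'other properties survive');
check($restored->getPassword() === null, 'password is absent after the round trip');
```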

@nicolas-grekas
Member Author

> In Symfony 8.0, will the #[\Deprecated] attribute and the eraseCredentials method be kept, then?

They should become unused so could be removed indeed.
