Commit
bug #52724 [Security] make secret required for DefaultLoginRateLimiter (RobertMe)

This PR was merged into the 6.4 branch.

Discussion
----------

[Security] make secret required for DefaultLoginRateLimiter

| Q             | A
| ------------- | ---
| Branch?       | 6.4
| Bug fix?      | yes/no
| New feature?  | no
| Deprecations? | yes/no
| Issues        |
| License       | MIT

This ticket results from the discussion here: #52469 (review) and @nicolas-grekas requested a PR for it.

The `secret` parameter has been added in #51434 with a default value of `''` and a deprecation message that it is required / may not be empty. Which is fine and doesn't hurt backwards compatibility. The later ticket #52469 changes the deprecation into an exception, as it is undesirable that no secret is used (in any scenario). This leads to the unintended side effect that there is a BC breakage when a developer manually creates a `DefaultLoginRateLimiter`, as it is now actually required to provide a (non-empty) value due to the check and exception.

Allowing the service / class to be used without providing the secret parameter, in a backwards compatible manner, but then still breaking the backwards compatibility by throwing due to the default value is confusing. So making the `secret` required makes more sense from a developer perspective, as it is clear that the parameter must be provided.

Commits
-------

ecbf0e9 [Security] make secret required for DefaultLoginRateLimiter