[FrameworkBundle] make KernelBrowser::loginUser() session available for updating after login #47001

Open
wants to merge 1 commit into
base: 7.2

arderyp
Contributor

@arderyp arderyp commented Jul 21, 2022

| Q | A |
| --- | --- |
| Branch? | 6.2 |
| Bug fix? | no |
| New feature? | yes |
| Deprecations? | no |
| Tickets | #46961 |
| License | MIT |
| Doc PR | symfony/symfony-docs#... |

After upgrading from 4.4 to 5.4, I started running into deprecation warnings about fetching security.csrf.token_manager and security.csrf.token_storage from the test container. The issue was that, in my functional tests, I was logging in, then I needed to generate and apply CSRF tokens to the logged-in session so that I could directly submit data arrays to POST controller action methods without having to crawl to the form page first.

Since I was not crawling to the form page first, no CSRF for the form was generated and applied to the session. Oddly enough, generating tokens from the CSRF token storage services did work, despite the deprecation warnings, and I'm not entirely sure how that was working without an activated session pointer. I prefer to not crawl to the form page first as it would double the amount of crawler requests in my test suite, so this approach is mostly for convenience (easier to abstract than crawler DOM interactions) and speed.

So, this is a simple PR that probably needs tweaks, and test coverage and docs, but I didn't want to invest the time into the latter two if the Symfony team thinks this is not an idea they'd consider for implementation.

Anyways, all this PR really does is track an internal pointer to the generated test session on KernelBrowser, which can be manipulated after calling loginUser().

I've explained the workaround to my problem, which implements this kind of logic here: #46961

I suppose another simpler option would be to continue allowing the use of the csrf token storage services without an active session within the test container (to basically function as they do now but without the deprecation warnings). I suspect this might not be possible given the system migration towards RequestStack.

Given this PR, I could now do:

```php
use Symfony\Component\Security\Csrf\TokenStorage\SessionTokenStorage;

$user = ...;
$client = static::createClient();
$client->loginUser($user);

// Technically, you don't need to generate a real token here, and instead could use any test string
$tokenId = ...;
$csrfToken = static::getContainer()->get('security.csrf.token_generator')->generateToken();
$client->setLoginSessionValue(SessionTokenStorage::SESSION_NAMESPACE . "/$tokenId", $csrfToken);
```

I imagine there are wide applications for this feature beyond CSRF tokens.

@carsonbot carsonbot added this to the 6.2 milestone Jul 21, 2022
@carsonbot carsonbot changed the title [feature] make KernelBrowser::loginUser() session available for updating after login make KernelBrowser::loginUser() session available for updating after login Jul 21, 2022
@arderyp
Contributor Author

arderyp commented Jul 21, 2022

On a related note, it would be nice to be able to tell loginUser() which token type to use, for example UsernamePasswordToken instead of TestBrowserToken.

@nicolas-grekas nicolas-grekas modified the milestones: 6.2, 6.3 Nov 5, 2022
@nicolas-grekas nicolas-grekas modified the milestones: 6.3, 6.4 May 23, 2023
@nicolas-grekas nicolas-grekas modified the milestones: 6.4, 7.1 Nov 15, 2023
@arderyp
Contributor Author

arderyp commented Feb 29, 2024

Any thoughts on this?

@xabbuh xabbuh modified the milestones: 7.1, 7.2 May 15, 2024
@carsonbot carsonbot changed the title make KernelBrowser::loginUser() session available for updating after login [FrameworkBundle] make KernelBrowser::loginUser() session available for updating after login May 15, 2024