[UF5][PHP8.4][upstream]Rememberme component officially abandoned. Migrate to fork?
Affected sprinkle or package
userfrosting/userfrosting
UserFrosting or package Version
5.1.4
Debug Data
UserFrosting Environnement Information
======================================
-------------------- -------------------------------------------
Framework version 5.1.4
OS Name Linux
Main Sprinkle Shopkeeper.cc
Main Sprinkle Path /home/strike/Frosting/UF5-shopkeeper/app/
Environment mode debug
PHP Version 8.4.4
Node Version v23.9.0
NPM Version 11.2.0
-------------------- -------------------------------------------
Chat Discussion (optional)
https://chat.userfrosting.com/channel/support?msg=yznz89pKPjN4tjTBp
Description
Earlier this year, birke/rememberme was finally labelled "abandoned" and officially migrated to mober/rememberme (see https://github.com/gbirke/rememberme/issues/49; this has been in process for years. That thread also has a note from Alex Weissman showing UF's interest in the package.)
Composer message:
Package birke/rememberme is abandoned, you should avoid using it. Use mober/rememberme instead.
This is more of an issue in PHP 8.4, which now shows the following deprecation message:
PHP Deprecated: Birke\Rememberme\Authenticator::__construct(): Implicitly marking parameter $cookie as nullable is deprecated, the explicit nullable type must be used instead in .../vendor/birke/rememberme/src/Authenticator.php on line 66
There is an additional complication in that mober/rememberme v5 is not backwards compatible.
Specifically, the token length was increased from 16 to 32 bytes.
We also note that the database token is stored as varchar(255) in upstream v5, while UF's database only assigns a 40-character string.
Suggestions:
- Update UF5 to mober/rememberme v4 (assuming this fixes the PHP 8.4 warning; I have not tested this to confirm)
- Include v5 as a breaking change in UF6
Steps To Reproduce
run composer update for the composer notice
serve UF pages under PHP8.4, and observe the logs for the PHP Deprecated warning
We also note that the database token is stored as varchar(255) in upstream v5, while UF's database only assigns a 40-character string.
Leaving this here for future reference. gbirke/rememberme was originally using a 40-character string:
- https://github.com/gbirke/rememberme/blob/80f123597347c56a04c87a0cbb4756a38273d098/resources/sql/tokens_mysql.sql#L3-L4
- https://github.com/m-ober/rememberme/blob/0b186d0e81e637423572b0eaeaf757539f0f3666/resources/sql/tokens_mysql.sql#L3-L4
- https://github.com/userfrosting/sprinkle-account/blob/758f26385be1ad222f9cf9f907282f454c1fce4f/app/src/Database/Migrations/v400/PersistencesTable.php#L34-L35
Relevant commit : https://github.com/m-ober/rememberme/commit/30cc9c07314669ca95a80673117eeea77fdbc784
As mentioned in chat, it could be worth using varchar(255) for future proofing (even in case we change token provider)
I did some research and planning for UF6 and this package will be kept for UF6. However, I think it's important to update for both UF6 and UF5, as it could improve security. I'll take care of it.
it could be worth using varchar(255) for future proofing (even in case we change token provider)
FYI, it could be worth it in case the encoding changes later.
FYI, SHA-256 is always 64 characters long when encoded in hex, and SHA-512 is always 128 characters long. So the database column varchar(255) is indeed the default, and could be optimized.
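The column-width problem raised above (a 40-character column versus a hex-encoded SHA-256 of 64 characters, or the upstream varchar(255)) is the kind of thing that needs a schema migration rather than a code change. The following is an added example of such a migration written in the UF5 migration style; it is not code from the project or from any participant in this thread. It assumes the `persistences` table has `token` and `persistent_token` columns created as 40-character strings by the v400 `PersistencesTable` migration, that UF5 migrations extend `UserFrosting\Sprinkle\Core\Database\Migration` and expose the schema builder as `$this->schema`, and that the installed illuminate/database version supports `->change()` (older versions need doctrine/dbal for that). The namespace, class name and version folder are hypothetical.

```php
<?php

declare(strict_types=1);

// Hypothetical namespace and class; not part of userfrosting/sprinkle-account.
namespace UserFrosting\Sprinkle\Account\Database\Migrations\v520;

use Illuminate\Database\Schema\Blueprint;
use UserFrosting\Sprinkle\Account\Database\Migrations\v400\PersistencesTable;
use UserFrosting\Sprinkle\Core\Database\Migration;

/**
 * Widen the remember-me token columns from varchar(40) to varchar(255).
 *
 * A 32-byte token is 64 characters when hex-encoded, and so is a hex-encoded
 * SHA-256 digest; neither fits a 40-character column. In strict SQL mode the
 * insert fails outright; in non-strict mode the value is silently truncated
 * and the stored token can never match the cookie again.
 */
class WidenPersistencesTokens extends Migration
{
    /** Run only after the table itself exists (assumed dependency mechanism). */
    public static $dependencies = [
        PersistencesTable::class,
    ];

    public function up(): void
    {
        if (!$this->schema->hasTable('persistences')) {
            return;
        }

        $this->schema->table('persistences', function (Blueprint $table) {
            // change() rewrites the existing column definition in place.
            $table->string('token', 255)->change();
            $table->string('persistent_token', 255)->change();
        });
    }

    public function down(): void
    {
        if (!$this->schema->hasTable('persistences')) {
            return;
        }

        $this->schema->table('persistences', function (Blueprint $table) {
            // Narrowing back to 40 characters will truncate (or, in strict
            // SQL mode, reject) rows that already hold longer tokens. Clear
            // the table before rolling back if that is really needed.
            $table->string('token', 40)->change();
            $table->string('persistent_token', 40)->change();
        });
    }
}
```

Widening the column is the right direction even if the hashing scheme never changes: a 255-character column leaves room for a longer digest or a different encoding without another migration, and the cost is negligible for a table with one row per remembered session.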
I've successfully replaced the package locally, it was quite simple, but I haven't pushed it yet. First, since we'll require a new migration, this fix will need to be released as UF 5.2. Second, I want to change something else in our code to have better security regarding this cookie.
Last, m-ober/rememberme (and the original repo) code is far from optimized and I've found some red flags, like the lack of Interfaces. I'm not sure if I'll send them a PR or integrate the code directly in UF at this point. I'll sleep on it for tonight...
It might be worth reaching out to the new maintainer and see how interested they are in updating? Looks like the most recent changes are nearly a year old, while the only issues are two years old and were never commented on. Is difficult to tell from that whether any other projects are using it 🤔
I sent the changes to our 5.2 branch, however there's another issue: https://github.com/m-ober/rememberme/blob/0b186d0e81e637423572b0eaeaf757539f0f3666/composer.json#L22
They fixed the PHP version, so it's not compatible with PHP 8.4 🤦
m-ober/rememberme 5.1.0 has been released with the PHP version fix, this can now move forward 🎉
I'll close this issue as it's been merged into 5.2 (yet to be released) and 6.0 Beta 1.