Merge branch '4.4' into 5.0

* 4.4: (25 commits)
  [DoctrineBridge] Use new Types::* constants and support new json type
  [Debug][ErrorHandler] improved deprecation notices for methods new args and return type
  [BrowserKit] Nested file array prevents uploading file
  [ExpressionLanguage] Fixed collisions of character operators with object properties
  [Validator] Remove specific check for Valid targets
  [PhpUnitBridge] Use trait instead of extending deprecated class
  Fix versioned namespace clears
  fix remember me
  Use strict assertion in asset tests
  [DoctrineBridge][DoctrineExtractor] Fix indexBy with custom and some core types
  Do not rely on the current locale when dumping a Graphviz object
  fix typo
  [Ldap] force default network timeout
  [Config] don't throw on missing excluded paths
  Docs: Typo, grammar
  [Validator] Add the missing translations for the Polish ("pl") locale
  [PhpUnitBridge] Add compatibility to PHPUnit 9 #35662
  [Routing] Add locale requirement for localized routes
  [Console] Inline exact-match handling with 4.4
  Set previous exception when rethrown from controller resolver
  ...

Author: nicolas-grekas

Authentication/Provider/RememberMeAuthenticationProvider.php

@@ -15,7 +15,9 @@
 use Symfony\Component\Security\Core\Authentication\Token\TokenInterface;
 use Symfony\Component\Security\Core\Exception\AuthenticationException;
 use Symfony\Component\Security\Core\Exception\BadCredentialsException;
+use Symfony\Component\Security\Core\Exception\LogicException;
 use Symfony\Component\Security\Core\User\UserCheckerInterface;
+use Symfony\Component\Security\Core\User\UserInterface;
 
 class RememberMeAuthenticationProvider implements AuthenticationProviderInterface
 {
@@ -48,6 +50,11 @@ public function authenticate(TokenInterface $token)
         }
 
         $user = $token->getUser();
+
+        if (!$token->getUser() instanceof UserInterface) {
+            throw new LogicException(sprintf('Method "%s::getUser()" must return a "%s" instance, "%s" returned.', \get_class($token), UserInterface::class, \is_object($user) ? \get_class($user) : \gettype($user)));
+        }
+
         $this->userChecker->checkPreAuth($user);
         $this->userChecker->checkPostAuth($user);
 

Tests/Authentication/Provider/RememberMeAuthenticationProviderTest.php

@@ -13,7 +13,9 @@
 
 use PHPUnit\Framework\TestCase;
 use Symfony\Component\Security\Core\Authentication\Provider\RememberMeAuthenticationProvider;
+use Symfony\Component\Security\Core\Authentication\Token\RememberMeToken;
 use Symfony\Component\Security\Core\Exception\DisabledException;
+use Symfony\Component\Security\Core\User\User;
 
 class RememberMeAuthenticationProviderTest extends TestCase
 {
@@ -23,6 +25,7 @@ public function testSupports()
 
         $this->assertTrue($provider->supports($this->getSupportedToken()));
         $this->assertFalse($provider->supports($this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\TokenInterface')->getMock()));
+        $this->assertFalse($provider->supports($this->getMockBuilder('Symfony\Component\Security\Core\Authentication\Token\RememberMeToken')->disableOriginalConstructor()->getMock()));
     }
 
     public function testAuthenticateWhenTokenIsNotSupported()
@@ -44,6 +47,17 @@ public function testAuthenticateWhenSecretsDoNotMatch()
         $provider->authenticate($token);
     }
 
+    public function testAuthenticateThrowsOnNonUserInterfaceInstance()
+    {
+        $this->expectException('Symfony\Component\Security\Core\Exception\LogicException');
+        $this->expectExceptionMessage('Method "Symfony\Component\Security\Core\Authentication\Token\RememberMeToken::getUser()" must return a "Symfony\Component\Security\Core\User\UserInterface" instance, "string" returned.');
+
+        $provider = $this->getProvider();
+        $token = new RememberMeToken(new User('dummyuser', null), 'foo', 'test');
+        $token->setUser('stringish-user');
+        $provider->authenticate($token);
+    }
+
     public function testAuthenticateWhenPreChecksFails()
     {
         $this->expectException('Symfony\Component\Security\Core\Exception\DisabledException');

User/UserInterface.php

@@ -19,10 +19,10 @@
  * password (for checking against a submitted password), assigning roles
  * and so on.
  *
- * Regardless of how your user are loaded or where they come from (a database,
- * configuration, web service, etc), you will have a class that implements
- * this interface. Objects that implement this interface are created and
- * loaded by different objects that implement UserProviderInterface
+ * Regardless of how your users are loaded or where they come from (a database,
+ * configuration, web service, etc.), you will have a class that implements
+ * this interface. Objects that implement this interface are created and 
+ * loaded by different objects that implement UserProviderInterface.
  *
  * @see UserProviderInterface
  *