From 30de8ec56f3eb11e915d1ea60619bc5d08750a25 Mon Sep 17 00:00:00 2001
From: Garion Herman
Date: Tue, 16 Jul 2024 07:53:06 +0900
Subject: [PATCH] API Make token regeneration optional during autologin session renewal [FIXUP]
Co-authored-by: Guy Sartorelli <36352093+GuySartorelli@users.noreply.github.com>
---
 .../CookieAuthenticationHandler.php | 2 +-
 src/Security/RememberLoginHash.php | 14 ++++++--------
 2 files changed, 7 insertions(+), 9 deletions(-)
diff --git a/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php b/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php
index 7586c6ede29..79311363272 100644
--- a/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php
+++ b/src/Security/MemberAuthenticator/CookieAuthenticationHandler.php
@@ -175,7 +175,7 @@ public function authenticateRequest(HTTPRequest $request)
 }
 // Renew the token
- $rememberLoginHash->renew();
+ Deprecation::withNoReplacement(fn() => $rememberLoginHash->renew());
 // Send the new token to the client if it was changed
 if ($rememberLoginHash->getToken()) {
diff --git a/src/Security/RememberLoginHash.php b/src/Security/RememberLoginHash.php
index ad58158d061..9564bd0719a 100644
--- a/src/Security/RememberLoginHash.php
+++ b/src/Security/RememberLoginHash.php
@@ -84,12 +84,9 @@ class RememberLoginHash extends DataObject
 * logouts if the new token does not reach the client (e.g. due to a network error).
 *
 * This can be disabled as of CMS 5.3, and renewal will be removed entirely in CMS 6.
- *
- * @config
- *
- * @var bool
+ * @deprecated 5.3.0 Will be removed without equivalent functionality
 */
- private static $replace_token_during_session_renewal = true;
+ private static bool $replace_token_during_session_renewal = true;
 /**
 * The token used for the hash. Only present during the lifetime of the request
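Review bot: Wrapping the call in `Deprecation::withNoReplacement()` likely silences every deprecation notice raised while `renew()` runs, and per the RememberLoginHash hunk in this patch that includes the `onAfterRenewToken` extension hook and `write()`, so a deprecated call made by an extension during renewal would go unreported. The `// Renew the token` comment above the call is also stale now that rotation is optional; I would reword it to `// Renew the login hash; the token is only rotated when replace_token_during_session_renewal is enabled`. The hunk adds no `use` line for `Deprecation`, so confirm the class is already imported in this file. authenticateRequest() starts and ends outside the hunk.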
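Review bot: The docblock on `$replace_token_during_session_renewal` explains the availability cost of rotating the token (unexpected logouts) but not what is given up by switching rotation off. With the setting disabled, `renew()` leaves the stored hash unchanged, so the same remember-me token stays valid across renewals and a copied cookie is not invalidated by the next renewal. I would add a line such as `* Note: when disabled, the same token remains valid for as long as the login hash exists.` The start of the docblock is outside the hunk, so this may already be covered there. Dropping `@config` may also remove the property from generated configuration docs; worth confirming that is intended.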
@@ -204,19 +201,20 @@ public static function generate(Member $member)
 /**
 * Generates a new hash for this member but keeps the device ID intact
 *
- * @deprecated 5.3.0 Token renewal will be removed in 6.0.0
+ * @deprecated 5.3.0 Will be removed without equivalent functionality
 * @return RememberLoginHash
 */
 public function renew()
 {
 // Only regenerate token if configured to do so
+ Deprecation::notice('5.3.0', 'Will be removed without equivalent functionality');
 $replaceToken = RememberLoginHash::config()->get('replace_token_during_session_renewal');
 if ($replaceToken) {
- $hash = $this->getNewHash($this->Member());
+ $hash = $this->getNewHash($this->Member());
 $this->Hash = $hash;
 }
- $this->extend('onAfterRenewToken');
+ $this->extend('onAfterRenewToken', $replaceToken);
 $this->write();
 return $this;
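Review bot: `onAfterRenewToken` is still invoked when `$replaceToken` is false, so an extension written against the old argument-less hook will behave as though the token had been rotated; the docblock of renew() should say that the hook runs on every renewal and that implementers must check the new boolean argument. The summary line is also no longer accurate when the config is off, and could read `Renews this login hash, regenerating the token only when replace_token_during_session_renewal is enabled; the device ID is kept.` The added `Deprecation::notice()` call sits between the `// Only regenerate token if configured to do so` comment and the line that comment describes, so moving the notice above the comment keeps the two together. renew() closes outside the hunk.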