From 850762581434ad45494f5cd37b5d8d09e4079219 Mon Sep 17 00:00:00 2001
From: kdefarge <1819360+kdefarge@users.noreply.github.com>
Date: Sun, 17 Aug 2025 21:52:40 +0200
Subject: [PATCH] Restore eraseCredentials() for Symfony 7.3 compatibility and manually clear plainPassword after hashing
- Re-adds the eraseCredentials() method to the User entity, which is still required by the UserInterface in Symfony 7.3. Although deprecated since Symfony 7.1, it must remain until Symfony 8.0 for compatibility.
- Adds a manual clearing of the plainPassword field in the password processor after hashing. Since eraseCredentials() is no longer called automatically, sensitive data must now be cleared explicitly to avoid leaving passwords in memory or logs.
---
 symfony/user.md | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/symfony/user.md b/symfony/user.md
index 4e504e23bed..484b8cf621b 100644
--- a/symfony/user.md
+++ b/symfony/user.md
@@ -139,6 +139,17 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
 {
 return (string) $this->email;
 }
+
+ /**
+ * @see UserInterface
+ *
+ * Required until Symfony 8.0, where eraseCredentials() will be removed from the interface.
+ * No-op since plainPassword is cleared manually in the password processor.
+ */
+ public function eraseCredentials(): void
+ {
+ // Intentionally left blank
+ }
 }
 ```
@@ -251,6 +262,9 @@ final readonly class UserPasswordHasher implements ProcessorInterface
 );
 $data->setPassword($hashedPassword);
+ // To avoid leaving sensitive data like the plain password in memory or logs, we manually clear it after hashing.
+ $data->setPlainPassword(null);
+
 return $this->processor->process($data, $operation, $uriVariables, $context);
 }
 }
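Review bot: The docblock on the new eraseCredentials() ties the entity's safety to one code path: "plainPassword is cleared manually in the password processor" holds only for requests that go through that processor, so any other write path that populates plainPassword (fixtures, console commands, admin forms) would leave the plaintext on the entity with nothing erasing it. The comment should name that limitation, e.g. `* Only the API Platform password processor clears plainPassword; any other code path that sets it is responsible for clearing it.`. Separately, Symfony's 7.3 upgrade notes recommend marking an intentionally empty eraseCredentials() with the PHP 8.4 `#[\Deprecated]` attribute, and if I recall the 7.3 implementation correctly the framework still invokes the method unless that attribute is present, which would contradict the commit message's "no longer called automatically" — worth verifying against the installed Symfony version and adding `#[\Deprecated]` above `public function eraseCredentials(): void` if the project runs PHP 8.4.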
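Review bot: The comment on the added `$data->setPlainPassword(null);` overstates what it achieves: dropping one reference does not scrub the plaintext from memory in PHP, since the string value persists until every copy (the deserialized request payload, the value handed to the hasher a few lines above) is released, so the reliable guarantee is only that the entity no longer carries the plaintext when it is later serialized, persisted or logged. Reword to `// Clear the plaintext so the entity does not carry it into serialization, persistence or logs; hashing is complete above.`. The call also assumes the setter is nullable (`setPlainPassword(?string $plainPassword)`); under strict_types a non-nullable signature would throw a TypeError here, which is worth confirming against the User listing elsewhere in this file. The enclosing process() method begins outside the hunk.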