Automated Drupal 10 compatibility fixes

I'm looking into getting this module working on D10. Here's something that will need to be addressed: https://www.drupal.org/node/3187914 →

I'm trying to write some tests for the module but I'm having a hard time with the csrf_token_seed

I'm also seeing this as I'm building out tests.

Calling Drupal\Core\Session\SessionManager::getId() outside of an actual existing session is deprecated in drupal:9.2.0 and will be removed in drupal:10.0.0. This is often used for anonymous users. See https://www.drupal.org/node/3006306

So that's something that will need to be addressed as well. :(

I made another issue for adding test coverage that I wrote as part of checking out the D10 compatibility: 📌 Add automated test coverage for anonymous_token Fixed

The tests pass on D9.5 but with the following warnings:

  2x: Calling Drupal\Core\Session\SessionManager::getId() outside of an actual existing session is deprecated in drupal:9.2.0 and will be removed in drupal:10.0.0. This is often used for anonymous users. See https://www.drupal.org/node/3006306
    2x in AnonymousTokenTest::testAnonymousToken from Drupal\Tests\anonymous_token\Functional

  1x: Calling Drupal\Core\Session\MetadataBag::clearCsrfTokenSeed() is deprecated in drupal:9.2.0 and will be removed in drupal:10.0.0. Use \Drupal\Core\Session\MetadataBag::stampNew() instead. See https://www.drupal.org/node/3187914
    1x in AnonymousTokenTest::testAnonymousToken from Drupal\Tests\anonymous_token\Functional

The test fails on D10 due to MetadataBag::clearCsrfTokenSeed being undefined. The SessionManager::getId() thing doesn't seem to cause a failure. I would still think that needs to be addressed. Sessions are not something I usually think about.

Here's a patch that addresses the items in #6 and updates the core version requirement, which starts at 9.2 because that's when MetadataBag::stampNew was added.

I queued the patch for testing against D10.1 and as I recalled you can't up core version requirement in a patch and run tests with the patch. I think I can open an MR and get tests to run there though so I'm going to try that.

Hooray! The tests are passing on D9.5 and D10.1. This is ready for a real review.

I wanted to explain one change that may be a bit mysterious.

+++ b/src/Access/AnonymousCsrfTokenGenerator.php
@@ -68,7 +69,7 @@ class AnonymousCsrfTokenGenerator extends CsrfTokenGenerator {
   public function get($value = '') {
     if ($this->session->isStarted() === FALSE) {
-      $this->session->set('anon_session_id', $this->session->getId());
+      $this->session->set('anon_session_id', Crypt::randomBytesBase64());
     }
     return parent::get($value);

I made this change because of the deprecation in Drupal\Core\Session\SessionManager::getId() described in #6. Per the comment with the AnonymousCsrfTokenGenerator::get() method, the important thing here is that we add SOMETHING to the sessions so that the session persists. I think we could add anything, but Crypt::randomBytesBase64() looks pretty popular in the csrf space. It doesn't look like anon_session_id has any special significance beyond just being SOMETHING that we add such that the session persists. I'm not an expert here though, to be honest.

All the others changes should be clear though. Thanks!

Thank you so much @danflanagan8 for this beautiful patch, have tried it for 2.x-dev, and works well
moving it to RTBC

Attaching upgrade status report image, that it makes it compatible with drupal 10

Adding patch version as well for immediate use,
inspired by the #9 merge request from danflanagan8

Thanks all, I'm adding a new major version branch, given the Core deprecations.

Automatically closed - issue fixed for 2 weeks with no activity.