Skip to content

[postponed] feat: rename UserAuthenticationController to RestAuthenticationController (11.4 breaking)#356

Open
bbrala wants to merge 1 commit into
palantirnet:mainfrom
bbrala:rector/replace-userauthenticationcontroller-3530640
Open

[postponed] feat: rename UserAuthenticationController to RestAuthenticationController (11.4 breaking)#356
bbrala wants to merge 1 commit into
palantirnet:mainfrom
bbrala:rector/replace-userauthenticationcontroller-3530640

Conversation

@bbrala

@bbrala bbrala commented Jun 3, 2026

Copy link
Copy Markdown
Collaborator

🔴 Blocker: targets a reverted core change

What

Adds a RenameClassRector entry to the opt-in DRUPAL_114_BREAKING set
(config/drupal-11/drupal-11.4-breaking.php):

Drupal\user\Controller\UserAuthenticationController
  → Drupal\rest\Controller\RestAuthenticationController

Source: #3530640 · CR #3552724

Why breaking (not the default deprecation set)

UserAuthenticationController is deprecated in drupal:11.4.0 and removed in
drupal:12.0.0. Its replacement, RestAuthenticationController, was added to
the rest module in the same commit as the deprecation
(drupal-core
c0e71efe93, 11.x only) and does not exist on any older minor. Rewriting the
structural use / extends / ::class references to it would produce a
"class not found" fatal on Drupal < 11.4, and a class rename is not an
Expr→Expr transformation so it cannot be BC-wrapped. The rest module must
also be enabled at runtime for the new controller's routes to exist.

This mirrors the other entries already in this opt-in set (the
menu_link_content migrate-process renames, HelpSearch, NodeViewController).

Caveat (documented in the config comment + CHANGELOG)

Only PHP class references are rewritten. Route name strings
(user.login.httprest.login, user.logout.httprest.logout,
user.login_status.httprest.login_status, user.pass.httprest.pass)
passed to Url::fromRoute() etc. are not touched and must be updated
manually.

Verification

  • php -l clean; targeted dry-run confirms the rename fires.

  • rector-live-test against real D11 contrib subclasses:

    Module Installs Result
    login_emailusername (3.0.x) 9,019 ✅ subclass reparented onto RestAuthenticationController
    email_tfa (3.0.x) 243 ✅ subclass reparented

    rest_password correctly produced no change (references the class only in a
    docblock comment).

…ller (11.4 breaking)

Drupal\user\Controller\UserAuthenticationController is deprecated in
drupal:11.4.0 and removed in drupal:12.0.0; use
Drupal\rest\Controller\RestAuthenticationController instead.

The replacement controller was added to the rest module in the same
commit as the deprecation (drupal-core c0e71efe93, 11.x only) and does
not exist on any older minor, so the structural use/extends/::class
rewrite would fatal on Drupal < 11.4 and cannot be BC-wrapped. The rest
module must also be enabled at runtime. It therefore goes in the opt-in
DRUPAL_114_BREAKING set as a RenameClassRector entry, alongside the
existing menu_link_content migrate-process renames.

Route name strings (user.login.http -> rest.login, etc.) are not
rewritten and must be updated manually; this is documented in the config
comment and CHANGELOG.

Verified against real contrib via rector-live-test: login_emailusername
(9,019 installs) and email_tfa both have their controller subclasses
correctly reparented onto RestAuthenticationController.
@bbrala

bbrala commented Jun 4, 2026

Copy link
Copy Markdown
Collaborator Author

🔴 Blocker: targets a reverted core change

The mechanics here are solid — correct placement in the DRUPAL_114_BREAKING opt-in set (not the BC-wrappable deprecation set), good config comment, good CHANGELOG entry, structurally identical to the existing menu_link_content/HelpSearch/NodeViewController entries. If the underlying core change existed, this would be a straightforward approve.

But it doesn't. Verified against repos/drupal-core at HEAD b0d5f3a7 (2026-06-03):

PR claim Core HEAD reality
RestAuthenticationController added in c0e71efe93 (11.x) c0e71efe93 (2026-04-30) was reverted by 539a0b893f "Revert task: #3530640 …" (2026-05-27). The revert is on HEAD.
Replacement class exists core/modules/rest/src/Controller/RestAuthenticationController.phpdoes not exist
UserAuthenticationController is @deprecated in drupal:11.4.0 No such annotation. Only unrelated 10.3.0 deprecations remain; no 11.4.0 class-level deprecation, no trigger_error referencing CR 3552724.
Nothing re-landed after the revert Confirmed — no commit touches that path after 2026-05-27.

So the rename points at a class that isn't in core, on the basis of a deprecation that no longer exists.

On the verification section

The live-test results ("subclass reparented onto RestAuthenticationController ✅") only prove RenameClassRector performs the text substitution — which it always does, blindly, regardless of whether the target class exists. It doesn't validate that the result compiles against core. Against today's 11.x, each of those rewrites would produce a class-not-found fatal.

Recommendation

Hold until #3530640 actually re-lands (non-reverted) in core. When re-checking:

  • git log 11.x -- core/modules/rest/src/Controller/RestAuthenticationController.php should show the file present at HEAD.
  • Confirm the class-level @deprecated in drupal:11.4.0 is back on UserAuthenticationController.
  • Re-verify the CR number (deprecation @see pointed at 3552724, not issue 3530640).

The diff itself needs no changes — when the core change returns, this can merge essentially as-is. The issue is purely timing.

@mglaman mglaman left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Breaking-set placement is correct. RestAuthenticationController is added to the rest module at 11.4.0 and exists on no earlier minor, so the structural rename would fatal below it (and only when rest is enabled) — DRUPAL_114_BREAKING is right.

The route-string caveat is the one worth naming: user.login.http → rest.login and friends are strings, not class references, so the rule correctly leaves them untouched and the PR documents them as a manual follow-up. The live-test against login_emailusername and email_tfa confirming the reparent, plus the docblock-only rest_password reference correctly producing no change, is good diligence.

Approving.

@bbrala bbrala changed the title feat: rename UserAuthenticationController to RestAuthenticationController (11.4 breaking) [postponed] feat: rename UserAuthenticationController to RestAuthenticationController (11.4 breaking) Jun 5, 2026
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants