Restore eraseCredentials() for Symfony 7.3 compatibility and manually clear plainPassword after hashing (#2186)

Author: kdefarge

symfony/user.md

@@ -139,6 +139,17 @@ class User implements UserInterface, PasswordAuthenticatedUserInterface
     {
         return (string) $this->email;
     }
+
+    /**
+     * @see UserInterface
+     *
+     * Required until Symfony 8.0, where eraseCredentials() will be removed from the interface.
+     * No-op since plainPassword is cleared manually in the password processor.
+     */
+    public function eraseCredentials(): void
+    {
+        // Intentionally left blank
+    }
 }
 ```
 
@@ -251,6 +262,9 @@ final readonly class UserPasswordHasher implements ProcessorInterface
         );
         $data->setPassword($hashedPassword);
 
+        // To avoid leaving sensitive data like the plain password in memory or logs, we manually clear it after hashing.
+        $data->setPlainPassword(null);
+
         return $this->processor->process($data, $operation, $uriVariables, $context);
     }
 }