LexikJWTAuthenticationBundle
JWTCookieProvider::createCookie parameters secure, httpOnly, partitioned may be ignored
How to reproduce:
```php
<?php
use Lexik\Bundle\JWTAuthenticationBundle\Security\Http\Cookie\JWTCookieProvider;

// defaultHttpOnly and defaultSecure are true by default; they are passed explicitly here for transparency
$provider = new JWTCookieProvider(defaultHttpOnly: true, defaultSecure: true, defaultPartitioned: true);
$jwt = 'header.payload.signature'; // placeholder token string, any value reproduces the issue
$cookie = $provider->createCookie(jwt: $jwt, name: 'test', httpOnly: false, secure: false, partitioned: false);
var_dump($cookie->isHttpOnly(), $cookie->isSecure(), $cookie->isPartitioned());
```
Expected result:
false, false, false
Actual result:
true, true, true
The bug is located in file Security/Http/Cookie/JWTCookieProvider.php at line 74. https://github.com/lexik/LexikJWTAuthenticationBundle/blob/v3.1.1/Security/Http/Cookie/JWTCookieProvider.php#L74
```php
return Cookie::create(
    $name ?: $this->defaultName,
    $jwt,
    $expiresAt,
    $path ?: $this->defaultPath,
    $domain ?: $this->defaultDomain,
    $secure ?: $this->defaultSecure,          // short ternary: an explicit false falls through to the default
    $httpOnly ?: $this->defaultHttpOnly,      // same problem
    false,
    $sameSite ?: $this->defaultSameSite,
    $partitioned ?: $this->defaultPartitioned // same problem
);
```
The problem: with the short ternary `?:`, whenever the left operand is falsy the right operand is used. So if the default is true, a caller cannot override it to false:
```php
var_dump(false ?: true); // bool(true)
```
The correct code is:
```php
return Cookie::create(
    $name ?: $this->defaultName,
    $jwt,
    $expiresAt,
    $path ?: $this->defaultPath,
    $domain ?: $this->defaultDomain,
    !is_null($secure) ? $secure : $this->defaultSecure,
    !is_null($httpOnly) ? $httpOnly : $this->defaultHttpOnly,
    false,
    $sameSite ?: $this->defaultSameSite,
    !is_null($partitioned) ? $partitioned : $this->defaultPartitioned
);
```
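As an added illustration, not code from this issue or from LexikJWTAuthenticationBundle, the following stand-alone PHP script models the default-resolution step of `createCookie()` for a nullable boolean flag in three forms (the reported `?:`, the proposed `!is_null()` ternary, and PHP's `??` null-coalescing operator, which is the idiomatic equivalent of the proposed fix) and walks every combination of caller value and default to find exactly where the caller's choice is silently dropped. It needs neither Symfony nor the bundle; the function names and the `$defaults`/`$requested` arrays are constructed for the example.

```php
<?php
declare(strict_types=1);

// Added example, not code from the issue or from LexikJWTAuthenticationBundle.
// It models the default-resolution step of createCookie() for a nullable bool
// in the reported and the corrected form and checks every caller/default combination.

/** Reported behaviour: the short ternary treats false like null (and like "", 0, "0", []). */
function resolveWithShortTernary(?bool $explicit, bool $default): bool
{
    return $explicit ?: $default;
}

/** Corrected behaviour: null coalescing falls back only when the value is actually null. */
function resolveWithNullCoalesce(?bool $explicit, bool $default): bool
{
    return $explicit ?? $default;
}

/** The spelling proposed in the issue; identical in effect to the ?? form. */
function resolveWithIsNull(?bool $explicit, bool $default): bool
{
    return !is_null($explicit) ? $explicit : $default;
}

/** Exhaustive comparison; returns the (explicit, default) pairs where ?: ignores the caller. */
function findIgnoredOverrides(): array
{
    $ignored = [];
    foreach ([null, true, false] as $explicit) {
        foreach ([true, false] as $default) {
            // Intended contract: an explicit value wins; null means "use the default".
            $expected = $explicit === null ? $default : $explicit;
            $viaShortTernary = resolveWithShortTernary($explicit, $default);

            if (resolveWithNullCoalesce($explicit, $default) !== $expected
                || resolveWithIsNull($explicit, $default) !== $expected) {
                throw new LogicException('corrected form disagrees with the contract');
            }
            if ($viaShortTernary !== $expected) {
                $ignored[] = [$explicit, $default];
            }
        }
    }
    return $ignored;
}

foreach (findIgnoredOverrides() as [$explicit, $default]) {
    printf(
        "explicit %s with default %s: ?: yields %s, caller's value ignored\n",
        var_export($explicit, true),
        var_export($default, true),
        var_export(resolveWithShortTernary($explicit, $default), true)
    );
}

// The scenario from the issue, without Symfony: defaults all true, caller asks for all false.
$defaults  = ['secure' => true,  'httpOnly' => true,  'partitioned' => true];
$requested = ['secure' => false, 'httpOnly' => false, 'partitioned' => false];
foreach ($requested as $flag => $value) {
    printf(
        "%-11s reported: %-5s  corrected: %s\n",
        $flag,
        var_export(resolveWithShortTernary($value, $defaults[$flag]), true),
        var_export(resolveWithNullCoalesce($value, $defaults[$flag]), true)
    );
}
```

Only one combination misbehaves: an explicit `false` against a default of `true`, which is precisely the reproduction above. Because the bundle's defaults are `true`, the defect errs towards the stricter cookie flags; the real problem is that the API silently discards the caller's explicit choice, so a cookie configured for one context ends up with flags the caller did not ask for. The remaining `?:` fallbacks in the same call (`$name`, `$path`, `$domain`, `$sameSite`) operate on strings, where an empty string is never a usable value, so the short ternary is acceptable there; it is only the nullable booleans, for which `false` is a legitimate caller choice, that need `??` or the `!is_null()` form.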