Skip to content

[Security] : Aligning CSRF tokenId with other code sample#19808

Open
ThomasLandauer wants to merge 3 commits intosymfony:5.4from
ThomasLandauer:patch-6
Open

[Security] : Aligning CSRF tokenId with other code sample#19808
ThomasLandauer wants to merge 3 commits intosymfony:5.4from
ThomasLandauer:patch-6

Conversation

@ThomasLandauer
Copy link
Copy Markdown
Contributor

@ThomasLandauer ThomasLandauer commented Apr 20, 2024
edited
Loading

Page: https://symfony.com/doc/5.x/security.html

Second commit: Aligning CSRF token filed name at https://symfony.com/doc/5.x/security/custom_authenticator.html#passport-badges with https://symfony.com/doc/5.x/security.html#csrf-protection-in-login-forms

Question: I think the other names should be changed too (adding underscore): _username and _password

@ThomasLandauer
[Security]: Aligning CSRF tokenId with other code sample
d80b3c4 
Page: https://symfony.com/doc/5.x/security.html

* I'm making this compatible with the `tokenId` used at https://symfony.com/doc/5.x/security/custom_authenticator.html#passport-badges
* Where what the info coming from that it "must" be called `authenticate`? The docblock of `CsrfTokenBadge` just says it's an "arbitrary string"
@carsonbot carsonbot added this to the 5.4 milestone Apr 20, 2024
@carsonbot carsonbot changed the title [Security]: Aligning CSRF tokenId with other code sample [Security] : Aligning CSRF tokenId with other code sample Apr 20, 2024
@OskarStark OskarStark requested a review from wouterj April 20, 2024 13:22
wouterj
wouterj requested changes Apr 21, 2024
View reviewed changes
Copy link
Copy Markdown
Member

@wouterj wouterj left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi! I'm afraid both changes are incorrect, I explained it in a bit more detail in the diff... but I think you this shows that we have to improve the docs on CSRF a bit.

I made a small suggestion in the comments, do you want to update this PR if you agree?

security.rst Outdated
token and store it as a hidden field of the form. By default, the HTML field
must be called ``_csrf_token`` and the string used to generate the value must
be ``authenticate``:
is called ``_csrf_token`` and takes an arbitrary string as argument ``tokenId``:
Copy link
Copy Markdown
Member

@wouterj wouterj Apr 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This section is talking about the build-in form login authenticator. You must define it as authenticate to make it work with this authenticator.

I think we can improve the wording on https://symfony.com/doc/current/security/csrf.html#csrf-protection-in-login-forms, but the change in this document must be reverted. A suggested rewording for the linked section:

- See :ref:`form_login-csrf` for a login form that is protected from CSRF
+ When using the ``form_login`` authenticator, see :ref:`form_login-csrf` to protected from
  attacks. You can also configure the
  :ref:`CSRF protection for the logout action <reference-security-logout-csrf>`.

+ When implementing a custom authenticator, use the ``CsrfTokenBadge`` on the
+ :doc:`security passport </security/custom_authenticator>`.

Copy link
Copy Markdown
Contributor Author

@ThomasLandauer ThomasLandauer Apr 21, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, I changed it, please take a look now.

For your suggested change, I'll come back to it after we found a solution for the below conversation.

security/custom_authenticator.rst
$username = $request->request->get('username');
$csrfToken = $request->request->get('csrf_token');
$password = $request->request->get('password');
$csrfToken = $request->request->get('_csrf_token');
Copy link
Copy Markdown
Member

@wouterj wouterj Apr 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also revert this change. The underscore prefix is only something used in the build-in authenticator (it's a convention in Symfony to prefix things with an underscore to avoid conflicts with application names).

When implementing a custom authenticator, you can name the field whatever you like and it's better to not use the underscore prefix as this counters the anti-conflict purpose of the prefix.

Copy link
Copy Markdown
Contributor Author

@ThomasLandauer ThomasLandauer Apr 21, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

OK, but now the docs are inconsistent (i.e. the HTML shown on one page doesn't work with the PHP code shown on the other page).

Solution? => Show the right HTML code here too!

To make this possible, the list at https://symfony.com/doc/5.x/security/custom_authenticator.html#passport-badges needs to be changed to sub-headings. Then the PHP code block we're talking about can be moved upwards under the (new) "CsrfTokenBadge" heading (=where it belongs anyway). Then I can add this HTML, resulting in a complete copy-pastable sample:

<input type="hidden" name="csrf_token" value="{{ csrf_token('login') }}">
<input type="text" name="username">
<input type="password" name="password">

What do you think?

@xabbuh xabbuh modified the milestones: 5.4, 6.4 Dec 16, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@wouterj wouterj wouterj requested changes

Assignees

No one assigned

Labels

Security Status: Needs Review

Projects

None yet

Milestone

6.4

Development

Successfully merging this pull request may close these issues.

4 participants

@ThomasLandauer @wouterj @xabbuh @carsonbot