From acd85bfc2bcdcb216af76d5f48208f217d5ffc39 Mon Sep 17 00:00:00 2001
From: Marijn Doeve
Date: Mon, 21 Apr 2025 14:09:02 +0200
Subject: [PATCH] Fix csrf-tokens
---
 composer.json | 1 +
 composer.lock | 2 +-
 config/packages/csrf.yaml | 11 -----------
 config/packages/framework.yaml | 4 +++-
 templates/login/login.html.twig | 8 +++++---
 templates/quiz/question.twig | 1 +
 6 files changed, 11 insertions(+), 16 deletions(-)
 delete mode 100644 config/packages/csrf.yaml
diff --git a/composer.json b/composer.json
index cc7878b..8e2d615 100644
--- a/composer.json
+++ b/composer.json
@@ -25,6 +25,7 @@
 "symfony/mailer": "7.2.*",
 "symfony/runtime": "7.2.*",
 "symfony/security-bundle": "7.2.*",
+ "symfony/security-csrf": "7.2.*",
 "symfony/twig-bundle": "7.2.*",
 "symfony/uid": "7.2.*",
 "symfony/yaml": "7.2.*",
diff --git a/composer.lock b/composer.lock
index 02afb03..7dced64 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "004d85a41be91c2fbf8264e757a53a9e", + "content-hash": "ee8228c69be95e84852d15ba67d0920e", "packages": [ { "name": "doctrine/collections",
diff --git a/config/packages/csrf.yaml b/config/packages/csrf.yaml
deleted file mode 100644
index 2fd4760..0000000
--- a/config/packages/csrf.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-# Enable stateless CSRF protection for forms and logins/logouts
-framework:
- form:
- csrf_protection:
- token_id: submit
-
- csrf_protection:
- stateless_token_ids:
- - submit
- - authenticate
- - logout
diff --git a/config/packages/framework.yaml b/config/packages/framework.yaml
index ecfa21b..d829b41 100644
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -4,7 +4,9 @@ framework:
 # Note that the session will be started ONLY if you read or write from it.
 session: true
-
+ form:
+ csrf_protection:
+ enabled: true
 #esi: true
 #fragments: true
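Review bot: The `form: csrf_protection: enabled: true` block added in config/packages/framework.yaml only covers forms built with the Form component, whereas the deleted csrf.yaml also listed `authenticate` and `logout` as token ids. No firewall configuration is touched in this patch, so please confirm that the security bundle's `form_login` and `logout` sections set `enable_csrf: true`; otherwise a token field in templates/login/login.html.twig would be rendered without being checked on submit. The line added in templates/quiz/question.twig has the same dependency: if that form is hand-written, its controller has to validate the token itself, for example with `isCsrfTokenValid()`, and no controller change appears here. Dropping `stateless_token_ids` presumably moves token storage to the session, so a short comment above the new block such as `# CSRF for Form component forms (session-backed); login/logout CSRF is enabled on the firewall` would record the intent.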
diff --git a/templates/login/login.html.twig b/templates/login/login.html.twig
index 023da61..850b3c3 100644
--- a/templates/login/login.html.twig
+++ b/templates/login/login.html.twig
@@ -15,15 +15,17 @@ +
- + + +
diff --git a/templates/quiz/question.twig b/templates/quiz/question.twig
index 88033c0..569dbf7 100644
--- a/templates/quiz/question.twig
+++ b/templates/quiz/question.twig
@@ -2,6 +2,7 @@ {% block body %} {{ question.question }}
+ {% for answer in question.answers %}