Fix csrf-tokens

2026-03-05 20:44:19 +01:00 · 2025-04-21 14:09:02 +02:00
parent 4863fad3ba
commit acd85bfc2b
6 changed files with 11 additions and 16 deletions
--- a/composer.json
+++ b/composer.json
@@ -25,6 +25,7 @@
        "symfony/mailer": "7.2.*",
        "symfony/runtime": "7.2.*",
        "symfony/security-bundle": "7.2.*",
+        "symfony/security-csrf": "7.2.*",
        "symfony/twig-bundle": "7.2.*",
        "symfony/uid": "7.2.*",
        "symfony/yaml": "7.2.*",
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
        "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
        "This file is @generated automatically"
    ],
-    "content-hash": "004d85a41be91c2fbf8264e757a53a9e",
+    "content-hash": "ee8228c69be95e84852d15ba67d0920e",
    "packages": [
        {
            "name": "doctrine/collections",
--- a/config/packages/csrf.yaml
+++ b/config/packages/csrf.yaml
@@ -1,11 +0,0 @@
-# Enable stateless CSRF protection for forms and logins/logouts
-framework:
-  form:
-    csrf_protection:
-      token_id: submit
-  
-  csrf_protection:
-    stateless_token_ids:
-      - submit
-      - authenticate
-      - logout
--- a/config/packages/framework.yaml
+++ b/config/packages/framework.yaml
@@ -4,7 +4,9 @@ framework:
  
  # Note that the session will be started ONLY if you read or write from it.
  session: true
-  
+  form:
+    csrf_protection:
+      enabled: true
  #esi: true
  #fragments: true

--- a/templates/login/login.html.twig
+++ b/templates/login/login.html.twig
@@ -15,15 +15,17 @@
                <input type="email" value="{{ last_username }}" name="_username" id="username" class="form-control"
                       autocomplete="email" required autofocus>
            </div>
+
            <div class="mb-3">
                <label for="password" class="form-label">{{ 'Password'|trans }}</label>
                <input type="password" name="_password" id="password" class="form-control"
                       autocomplete="current-password"
                       required>
            </div>
-            <input type="hidden" name="_csrf_token"
-                   value="{{ csrf_token('authenticate') }}"
-            >
+
+            <input type="hidden" name="_csrf_token" data-controller="csrf-protection"
+                   value="{{ csrf_token('authenticate') }}">
+
            <div class="mb-3 form-check">
                <input type="checkbox" name="_remember_me" id="_remember_me" class="form-check-input">
                <label for="_remember_me" class="form-check-label">{{ 'Remember me'|trans }}</label>
--- a/templates/quiz/question.twig
+++ b/templates/quiz/question.twig
@@ -2,6 +2,7 @@
 {% block body %}
    {{ question.question }}<br/>
    <form method="post">
+        <input type="hidden" name="token" value="{{ csrf_token('question') }}">
        {% for answer in question.answers %}
            <div>
                <button class="btn btn-outline-success"