From d80b3c4d3131effc68262f0578e03e8a2c792d4e Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Sat, 20 Apr 2024 14:39:33 +0200 Subject: [PATCH 1/3] [Security]: Aligning CSRF `tokenId` with other code sample Page: https://symfony.com/doc/5.x/security.html * I'm making this compatible with the `tokenId` used at https://symfony.com/doc/5.x/security/custom_authenticator.html#passport-badges * Where what the info coming from that it "must" be called `authenticate`? The docblock of `CsrfTokenBadge` just says it's an "arbitrary string" --- security.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/security.rst b/security.rst index c611fe4654c..d00464b9353 100644 --- a/security.rst +++ b/security.rst @@ -960,8 +960,7 @@ First, you need to enable CSRF on the form login: Then, use the ``csrf_token()`` function in the Twig template to generate a CSRF token and store it as a hidden field of the form. By default, the HTML field -must be called ``_csrf_token`` and the string used to generate the value must -be ``authenticate``: +is called ``_csrf_token`` and takes an arbitrary string as argument ``tokenId``: .. code-block:: html+twig @@ -971,7 +970,7 @@ be ``authenticate``:
{# ... the login fields #} - +
From 12e045d37d0ac585590081841815f0cf176113a1 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Sat, 20 Apr 2024 14:42:01 +0200 Subject: [PATCH 2/3] Update custom_authenticator.rst --- security/custom_authenticator.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/custom_authenticator.rst b/security/custom_authenticator.rst index e79d8a002a1..4edb1ab1016 100644 --- a/security/custom_authenticator.rst +++ b/security/custom_authenticator.rst @@ -349,9 +349,9 @@ would initialize the passport like this:: { public function authenticate(Request $request): Passport { - $password = $request->request->get('password'); $username = $request->request->get('username'); - $csrfToken = $request->request->get('csrf_token'); + $password = $request->request->get('password'); + $csrfToken = $request->request->get('_csrf_token'); // ... validate no parameter is empty From 92a8fe849e1af1c734998a2fe73450989e9eb6ef Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Mon, 22 Apr 2024 00:01:42 +0200 Subject: [PATCH 3/3] Update security.rst --- security.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security.rst b/security.rst index d00464b9353..ff0ba9812af 100644 --- a/security.rst +++ b/security.rst @@ -958,9 +958,9 @@ First, you need to enable CSRF on the form login: .. _csrf-login-template: -Then, use the ``csrf_token()`` function in the Twig template to generate a CSRF -token and store it as a hidden field of the form. By default, the HTML field -is called ``_csrf_token`` and takes an arbitrary string as argument ``tokenId``: +Then, add a hidden field to the form. In order to work with the built-in ``FormLoginAuthenticator``, +the HTML field must be called ``_csrf_token``, and the argument of Twig's ``csrf_token()`` function +must be called ``authenticate``: .. code-block:: html+twig pFad - Phonifier reborn
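Review bot: In the security.rst hunk of patch 1/3 (``@@ -960,8 +960,7 @@``), the rewritten sentence "takes an arbitrary string as argument ``tokenId``" tells the reader they may pick any value, which patch 3/3 in this same series contradicts by restoring that, with the built-in ``FormLoginAuthenticator``, the argument must be ``authenticate``. The token ID is what the submitted token is validated against, so a different ID does not weaken CSRF protection, it makes every form login fail the check; the ``CsrfTokenBadge`` docblock remark about an "arbitrary string" applies to code that constructs the badge itself, as in custom_authenticator.rst. Suggest dropping this hunk and keeping the original "must be ``authenticate``" wording, or squashing patch 3/3 into it so the series never documents the wrong behaviour.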
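Review bot: In the custom_authenticator.rst hunk of patch 2/3, changing the parameter read from ``csrf_token`` to ``_csrf_token`` makes the example consume the same field name that the login template in security.rst emits, which is the right fix; the swap of the ``$username`` and ``$password`` lines, however, is an unrelated reorder that enlarges the diff and should be dropped or moved to a separate change. Consider also stating in the surrounding prose that for a custom authenticator the parameter name and the badge's token ID only have to agree with the application's own template and ``CsrfTokenBadge`` call, since the "must be ``authenticate``" rule from patch 3/3 is specific to the built-in ``FormLoginAuthenticator``.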
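Review bot: In the security.rst hunk of patch 3/3 (``@@ -958,9 +958,9 @@``), the two new lines starting "Then, add a hidden field to the form. In order to work with the built-in ``FormLoginAuthenticator``," run well past the wrap width used by the three lines they replace and by the rest of the file; rewrap them. The rewrite also drops the sentence explaining that ``csrf_token()`` generates the token that the hidden field carries; keep that explanation (e.g. "use the ``csrf_token()`` function in the Twig template to generate a CSRF token and store it as a hidden field of the form") before stating the two fixed names, so the reader still learns where the value comes from.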