Skip to content

[SecurityBundle] Add shortcut option to enable logout CSRF protection #46580

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 1 commit into from
Jul 21, 2022
Merged

[SecurityBundle] Add shortcut option to enable logout CSRF protection #46580

merged 1 commit into from
Jul 21, 2022

Conversation

wouterj
Copy link
Member

@wouterj wouterj commented Jun 4, 2022

Q A
Branch? 6.2
Bug fix? no
New feature? yes
Deprecations? no
Tickets n/a
License MIT
Doc PR todo

In the new security system, enabling login CSRF protection was simplified to enable_csrf: true, but we didn't change enabling logout CSRF protection. This means that users have to set some very low level configuration options to enable logout CSRF:

security:
  firewalls:
    main:
      logout:
        csrf_token_generator: security.csrf.token_generator

This PR introduced an enable_csrf option to make this equal to enabling login CSRF protection:

security:
  firewalls:
    main:
      logout:
        enable_csrf: true
        # when enabled, the default token generator will be used and
        # csrf_token_generator can be used to use a custom generator

The feature is fully backwards compatible without BC breaks (i.e. setting a token generator automatically enables CSRF).

@wouterj wouterj requested a review from chalasr as a code owner June 4, 2022 10:54
@carsonbot carsonbot added this to the 6.2 milestone Jun 4, 2022
@carsonbot
Copy link

Hey!

I think @TimoBakx has recently worked with this code. Maybe they can help review this?

Cheers!

Carsonbot

@fabpot
Copy link
Member

fabpot commented Jul 20, 2022

@wouterj Do you have time to finish this PR?

@wouterj wouterj force-pushed the security-logout-csrf branch from 568d1c4 to df7f680 Compare July 21, 2022 11:11
@wouterj wouterj force-pushed the security-logout-csrf branch from df7f680 to 380fe72 Compare July 21, 2022 11:21
@wouterj
Copy link
Member Author

wouterj commented Jul 21, 2022

Sorry, forgot about this one. Ready now :) (the remaining test failures are not related to this PR)

@fabpot
Copy link
Member

fabpot commented Jul 21, 2022

Thank you @wouterj.

@fabpot fabpot merged commit 951352e into symfony:6.2 Jul 21, 2022
@fabpot fabpot mentioned this pull request Jul 21, 2022
Closed
@wouterj wouterj deleted the security-logout-csrf branch July 21, 2022 11:44
@fabpot fabpot mentioned this pull request Oct 24, 2022
Merged
@MatTheCat MatTheCat mentioned this pull request Nov 26, 2022
Merged
fabpot added a commit that referenced this pull request Nov 26, 2022
@fabpot
bug #48341 [SecurityBundle] Fix logout.csrf_token_generator default…
25026b3 
… value (MatTheCat)

This PR was merged into the 6.2 branch.

Discussion
----------

[SecurityBundle] Fix `logout.csrf_token_generator` default value

| Q             | A
| ------------- | ---
| Branch?       | 6.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #48339
| License       | MIT
| Doc PR        | N/A

The token **manager** service ID configuration node is called <code>csrf_token_**generator**</code>. As such it has been wrongly assumed in #46580 `security.csrf.token_generator` was a good default value, whereas `security.csrf.token_manager` should be used (this is reflected by [the documentation](https://symfony.com/doc/current/reference/configuration/security.html#csrf-token-generator)).

`csrf_token_generator` should ideally be deprecated and renamed `csrf_token_manager`.

Commits
-------

df539e2 [SecurityBundle] Fix `logout.csrf_token_generator` default value
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@fabpot fabpot fabpot approved these changes

@chalasr chalasr chalasr approved these changes

Assignees
No one assigned
Labels
Feature SecurityBundle Status: Reviewed
Projects
None yet
Milestone
6.2
Development

Successfully merging this pull request may close these issues.
4 participants
@wouterj @carsonbot @fabpot @chalasr