Skip to content

[Security][SecurityBundle] Change Exception thrown by IsCsrfTokenValid Attribute #57622

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 5 commits into
base: 7.3
Choose a base branch
from
Open

[Security][SecurityBundle] Change Exception thrown by IsCsrfTokenValid Attribute #57622

wants to merge 5 commits into from

Conversation

eltharin
Copy link
Contributor

@eltharin eltharin commented Jul 2, 2024
edited
Loading

Q A
Branch? 7.2
Bug fix? yes
New feature? no
Deprecations? no
Issues Fix #57343
License MIT

Change InvalidCsrfTokenException behavior :

Actually, when InvalidCsrfTokenException throw, a 403 Response is return or if there is a userAuthenticator, response is converted to 301-Redirect To Login,
For example, For a Basic Contact Form, if the CSRF is bad, I'm redirected to Login Page => Why ?
InvalidCsrfTokenException extends from AuthenticationException but a Csrf Error is not necessarily an authentication error.
And is 403 error code really associated to a CSRF error ?

repo to reproduce : https://github.com/eltharin/reproducer_symfony_57343/tree/main

So I propose to change parent from AuthenticationException to BadRequestHttpException for have a 400 Bad Request Error whitch is most adapted to CSRF error and to not have a redirection to login page;

@eltharin eltharin requested a review from chalasr as a code owner July 2, 2024 08:48
@carsonbot carsonbot added this to the 7.2 milestone Jul 2, 2024
@eltharin eltharin changed the title change Parent Exception InvalidCsrfTokenException - improve behavior Jul 2, 2024
@carsonbot carsonbot changed the title InvalidCsrfTokenException - improve behavior [Security][SecurityBundle] InvalidCsrfTokenException - improve behavior Jul 4, 2024
@OskarStark OskarStark changed the title [Security][SecurityBundle] InvalidCsrfTokenException - improve behavior [Security][SecurityBundle] Improve behavior of InvalidCsrfTokenException Jul 4, 2024
@eltharin eltharin force-pushed the csrfExceptionBehavior branch from 390fe9d to 5224b66 Compare July 11, 2024 11:18
@eltharin eltharin force-pushed the csrfExceptionBehavior branch 2 times, most recently from df7f6f2 to 58f68f4 Compare July 26, 2024 11:37
@eltharin
Copy link
Contributor Author

seems test fail because it take old test with depedencies ??

@stof
Copy link
Member

stof commented Aug 6, 2024

The InvalidCsrfTokenException in security/core is meant to be used for invalid CSRF tokens during the authentication. In that case, extending AuthenticationException is the thing we want.

To me, the issue is that the IsCsrfTokenValid attribute should not be reusing that exception.

@stof
Copy link
Member

stof commented Aug 6, 2024

Side note, the IsCsrfTokenValid attribute should probably not have been added in security/http. It should probably have been part of security/csrf instead.

@eltharin
Copy link
Contributor Author

eltharin commented Aug 6, 2024
edited
Loading

So I can keep in place InvalidCsrfTokenException and create another on in Security/Csrf extending BadRequestException and link it to the Exception throw in IsCsrfTokenValidAttributeListener ?
thanks for review

@eltharin
Copy link
Contributor Author

eltharin commented Aug 6, 2024

change is OK, do I move IsCsrfTokenValidAttributeListener in Security/Csrf ?

@eltharin eltharin changed the title [Security][SecurityBundle] Improve behavior of InvalidCsrfTokenException [Security][SecurityBundle] Change Exception thown by IsCsrfTokenValid Attribute Aug 7, 2024
@eltharin eltharin mentioned this pull request Aug 13, 2024
Open
@eltharin eltharin changed the title [Security][SecurityBundle] Change Exception thown by IsCsrfTokenValid Attribute [Security][SecurityBundle] Change Exception thrown by IsCsrfTokenValid Attribute Aug 14, 2024
@fabpot fabpot modified the milestones: 7.2, 7.3 Nov 20, 2024
@eltharin eltharin force-pushed the csrfExceptionBehavior branch from 22c900f to 9f653c4 Compare January 9, 2025 20:21
@kbond kbond added the ❄️ Feature Freeze Important Pull Requests to finish before the next Symfony "feature freeze" label Apr 17, 2025
kbond
kbond reviewed Apr 17, 2025
View reviewed changes
Copy link
Member

@kbond kbond left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should move the attribute/listener

@eltharin eltharin force-pushed the csrfExceptionBehavior branch from bc01d90 to 9717ef8 Compare April 17, 2025 07:25
kbond
kbond reviewed Apr 18, 2025
View reviewed changes
Copy link
Member

@kbond kbond left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for working on this @eltharin!

Before going further with moving the listener/attribute to security-csrf, let's see what other @symfony/mergers think. Maybe we should just focus this PR on fixing the bug and the move in a follow-up PR (or not at all).

src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -11,6 +11,7 @@ CHANGELOG
* Add ability to fetch LDAP roles
* Add `OAuth2TokenHandlerFactory` for `AccessTokenFactory`
* Add discovery support to `OidcTokenHandler` and `OidcUserInfoTokenHandler`
* Change Exception thrown by IsCsrfTokenValid Attribute
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This should be in security-csrf & security-http

src/Symfony/Component/Security/Csrf/EventListener/IsCsrfTokenValidAttributeListener.php Outdated
@@ -9,17 +9,17 @@
* file that was distributed with this source code.
*/

namespace Symfony\Component\Security\Http\EventListener;
namespace Symfony\Component\Security\Csrf\EventListener;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Unfortunately, it isn't this simple, we need to keep it in both places, deprecating the one in http. See #46094 for how we did this with the Security helper.

@eltharin eltharin force-pushed the csrfExceptionBehavior branch from 9717ef8 to bfe93b9 Compare April 21, 2025 05:56
@eltharin
Copy link
Contributor Author

Ok I revert the move and wait and see

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kbond kbond kbond left review comments

@chalasr chalasr Awaiting requested review from chalasr chalasr is a code owner

Assignees
No one assigned
Labels
Bug Security SecurityBundle ❄️ Feature Freeze Important Pull Requests to finish before the next Symfony "feature freeze" Status: Needs Review
Projects
None yet
Milestone
7.3
Development

Successfully merging this pull request may close these issues.

Using IsCsrfTokenValid attribute with invalid token redirects user to login page
6 participants
@eltharin @stof @kbond @fabpot @OskarStark @carsonbot