[Security] Implement stateless headers/cookies-based CSRF protection

nicolas-grekas · nicolas-grekas · commit 6a49eed7c6fc · 2024-10-08T15:08:31.000+02:00
diff --git a/Extension/Csrf/Type/FormTypeCsrfExtension.php b/Extension/Csrf/Type/FormTypeCsrfExtension.php
@@ -19,6 +19,7 @@
 use Symfony\Component\Form\FormInterface;
 use Symfony\Component\Form\FormView;
 use Symfony\Component\Form\Util\ServerParams;
+use Symfony\Component\OptionsResolver\Options;
 use Symfony\Component\OptionsResolver\OptionsResolver;
 use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 use Symfony\Contracts\Translation\TranslatorInterface;
@@ -35,6 +36,8 @@ public function __construct(
         private ?TranslatorInterface $translator = null,
         private ?string $translationDomain = null,
         private ?ServerParams $serverParams = null,
+        private array $fieldAttr = [],
+        private ?string $defaultTokenId = null,
     ) {
     }
 
@@ -73,6 +76,7 @@ public function finishView(FormView $view, FormInterface $form, array $options):
             $csrfForm = $factory->createNamed($options['csrf_field_name'], HiddenType::class, $data, [
                 'block_prefix' => 'csrf_token',
                 'mapped' => false,
+                'attr' => $this->fieldAttr + ['autocomplete' => 'off'],
             ]);
 
             $view->children[$options['csrf_field_name']] = $csrfForm->createView($view);
@@ -81,13 +85,24 @@ public function finishView(FormView $view, FormInterface $form, array $options):
 
     public function configureOptions(OptionsResolver $resolver): void
     {
+        if ($defaultTokenId = $this->defaultTokenId) {
+            $defaultTokenManager = $this->defaultTokenManager;
+            $defaultTokenId = static fn (Options $options) => $options['csrf_token_manager'] === $defaultTokenManager ? $defaultTokenId : null;
+        }
+
         $resolver->setDefaults([
             'csrf_protection' => $this->defaultEnabled,
             'csrf_field_name' => $this->defaultFieldName,
             'csrf_message' => 'The CSRF token is invalid. Please try to resubmit the form.',
             'csrf_token_manager' => $this->defaultTokenManager,
-            'csrf_token_id' => null,
+            'csrf_token_id' => $defaultTokenId,
         ]);
+
+        $resolver->setAllowedTypes('csrf_protection', 'bool');
+        $resolver->setAllowedTypes('csrf_field_name', 'string');
+        $resolver->setAllowedTypes('csrf_message', 'string');
+        $resolver->setAllowedTypes('csrf_token_manager', CsrfTokenManagerInterface::class);
+        $resolver->setAllowedTypes('csrf_token_id', ['null', 'string']);
     }
 
     public static function getExtendedTypes(): iterable
