Tweak login forms to enable double-submit CSRF protection

nicolas-grekas · nicolas-grekas · commit dcd5357797f0 · 2024-09-13T10:33:46.000+02:00
diff --git a/src/Resources/skeleton/authenticator/login_form.tpl.php b/src/Resources/skeleton/authenticator/login_form.tpl.php
@@ -24,6 +24,8 @@
 
     <input type="hidden" name="_csrf_token"
            value="{{ csrf_token('authenticate') }}"
+           autocomplete="off"
+           data-controller="csrf-protection"
     >
 <?php if($support_remember_me && !$always_remember_me): ?>
 
diff --git a/tests/fixtures/security/make-form-login/expected/login.html.twig b/tests/fixtures/security/make-form-login/expected/login.html.twig
@@ -22,6 +22,8 @@
 
         <input type="hidden" name="_csrf_token"
                value="{{ csrf_token('authenticate') }}"
+               autocomplete="off"
+               data-controller="csrf-protection"
         >
 
         {#
diff --git a/tests/fixtures/security/make-form-login/expected/login_no_logout.html.twig b/tests/fixtures/security/make-form-login/expected/login_no_logout.html.twig
@@ -16,6 +16,8 @@
 
         <input type="hidden" name="_csrf_token"
                value="{{ csrf_token('authenticate') }}"
+               autocomplete="off"
+               data-controller="csrf-protection"
         >
 
         {#

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,8 @@`
`24`	`24`
`25`	`25`	`<input type="hidden" name="_csrf_token"`
`26`	`26`	`value="{{ csrf_token('authenticate') }}"`
	`27`	`+ autocomplete="off"`
	`28`	`+ data-controller="csrf-protection"`
`27`	`29`	`>`
`28`	`30`	`<?php if($support_remember_me && !$always_remember_me): ?>`
`29`	`31`
Original file line number	Diff line number	Diff line change
`@@ -22,6 +22,8 @@`
`22`	`22`
`23`	`23`	`<input type="hidden" name="_csrf_token"`
`24`	`24`	`value="{{ csrf_token('authenticate') }}"`
	`25`	`+ autocomplete="off"`
	`26`	`+ data-controller="csrf-protection"`
`25`	`27`	`>`
`26`	`28`
`27`	`29`	`{#`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,8 @@`
`16`	`16`
`17`	`17`	`<input type="hidden" name="_csrf_token"`
`18`	`18`	`value="{{ csrf_token('authenticate') }}"`
	`19`	`+ autocomplete="off"`
	`20`	`+ data-controller="csrf-protection"`
`19`	`21`	`>`
`20`	`22`
`21`	`23`	`{#`