[Turbo] Correctly fix framework.csrf_protection.check_header configuration #1440


Merged: 1 commit, Jul 27, 2025

Conversation

Kocal (Member) commented Jul 26, 2025

Q | A
--- | ---
License | MIT
Doc issue/PR | symfony/symfony-docs#...

Following #1439 (comment)

Old alternative with `position: 'bottom'`

The solution is fragile and kind of ugly (note the extra line before `check_header: true`), as it generates the following file:

# Enable stateless CSRF protection for forms and logins/logouts
framework:
    form:
        csrf_protection:
            token_id: submit

    csrf_protection:
        stateless_token_ids:
            - submit
            - authenticate
            - logout

        check_header: true

But it works:

➜  app-flex-1440 git:(main) ✗ sfc debug:config framework csrf_protection

Current configuration for "framework.csrf_protection"
=====================================================

stateless_token_ids:
    - submit
    - authenticate
    - logout
check_header: true
enabled: null
cookie_name: csrf-token

There are other alternatives, like:

  1. introducing a `before_target` position for the add-lines modifier, but it requires updating the Flex code and people upgrading Flex
  2. or dropping the UX Turbo recipe and adding `# check_header: true` (with a comment) to the csrf.yaml from the Form recipe

Applied @xabbuh's suggestion from #1440 (comment).

github-actions bot commented Jul 26, 2025

Thanks for the PR 😍

How to test these changes in your application

  1. Define the SYMFONY_ENDPOINT environment variable:

    # On Unix-like (BSD, Linux and macOS)
    export SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1440/index.json
    # On Windows
    SET SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1440/index.json
  2. Install the package(s) related to this recipe:

    composer req symfony/flex
    composer req 'symfony/ux-turbo:^2.20'
  3. Don't forget to unset the SYMFONY_ENDPOINT environment variable when done:

    # On Unix-like (BSD, Linux and macOS)
    unset SYMFONY_ENDPOINT
    # On Windows
    SET SYMFONY_ENDPOINT=

Diff between recipe versions

In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes.
I'm going to keep this comment up to date with any updates of the attached patch.

symfony/ux-turbo

2.19 vs 2.20
diff --git a/symfony/ux-turbo/2.20/config/packages/ux_turbo.yaml b/symfony/ux-turbo/2.20/config/packages/ux_turbo.yaml
new file mode 100644
index 0000000..c2a6a44
--- /dev/null
+++ b/symfony/ux-turbo/2.20/config/packages/ux_turbo.yaml
@@ -0,0 +1,4 @@
+# Enable stateless CSRF protection for forms and logins/logouts
+framework:
+    csrf_protection:
+        check_header: true
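Review bot: the leading comment in ux_turbo.yaml says this file enables stateless CSRF protection for forms and logins/logouts, but the hunk only sets `check_header: true`; the `stateless_token_ids` list that actually makes those token ids stateless comes from the Form recipe's csrf.yaml (see the generated file in the PR description). Consider wording the comment as complementing that file, for example `# Also accept the stateless CSRF token from a header (see config/packages/csrf.yaml)`, so a developer reading this file alone is not misled into thinking it is the whole configuration.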
diff --git a/symfony/ux-turbo/2.19/manifest.json b/symfony/ux-turbo/2.20/manifest.json
index 1fa03bf..7dd9f95 100644
--- a/symfony/ux-turbo/2.19/manifest.json
+++ b/symfony/ux-turbo/2.20/manifest.json
@@ -1,5 +1,13 @@
 {
     "bundles": {
         "Symfony\\UX\\Turbo\\TurboBundle": ["all"]
+    },
+    "copy-from-recipe": {
+        "config/": "%CONFIG_DIR%/"
+    },
+    "aliases": ["turbo"],
+    "conflict": {
+        "symfony/framework-bundle": "<7.2",
+        "symfony/security-csrf": "<7.2"
     }
 }
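Review bot: the new `conflict` entries (`"symfony/framework-bundle": "<7.2"` and `"symfony/security-csrf": "<7.2"`) are what guarantee that `check_header` is a known option under `framework.csrf_protection`; the PR description does not say so, and stating it there would keep someone from loosening the constraint later. Also note that `copy-from-recipe` only places the file on a fresh install of the 2.20 recipe, so projects already on 2.19 need `composer recipes:update symfony/ux-turbo` to pick it up; the description could mention that.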

@Kocal Kocal marked this pull request as ready for review July 26, 2025 16:05
@Kocal Kocal force-pushed the fix-framework-csrf-bis branch from b2f5098 to 2941b64 Compare July 26, 2025 16:07
@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) July 26, 2025 16:07
grelf111 commented Jul 26, 2025

After running composer require symfony/webapp-pack, Symfony Flex installs the latest symfony/framework-bundle recipe, which now generates an invalid YAML file:

File: config/packages/csrf.yaml

    framework:
        csrf_protection:
            enabled: true
            token_id: submit

❌ This causes a fatal YAML parse error:

    A colon cannot be used in an unquoted mapping value at line 3 (near "token_id: submit")

✅ Expected: submit should be wrapped in quotes:

    token_id: 'submit'

Tested with:

  - Symfony version: [7.3.1]
  - PHP version: 8.3
  - Symfony CLI or Composer install

Please fix or update the recipe in recipes/symfony/framework-bundle.

xabbuh (Member) commented Jul 26, 2025

The thing is that this solution only works if the developer didn't change/rearrange the content of the file. I don't have a better idea though that doesn't involve updating Flex to be more flexible when it comes to adding lines to existing config files. :/

Kocal (Member, Author) commented Jul 26, 2025

What about dropping the UX Turbo recipe, and directly adding `# check_header: true` to the csrf.yaml from the Form recipe?

That's far from being ideal, but better than the solution proposed in this PR.

xabbuh (Member) commented Jul 26, 2025

The UX Turbo recipe could also create a new file with just the following content instead of trying to patch the existing file:

# Enable stateless CSRF protection for forms and logins/logouts
framework:
    csrf_protection:
        check_header: true
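As an added example (not part of this PR or of Symfony Flex), the script below parses the recipe files quoted in this thread with a tiny YAML-subset parser and shows why the add-lines approach breaks as soon as the developer rearranges csrf.yaml, while a separate ux_turbo.yaml merges correctly whatever the order. It assumes add-lines appends the line with a fixed 8-space indentation and simplifies Symfony's config merging to a recursive dict merge.

```python
from functools import reduce

def parse_yaml_subset(text):
    """Parse the subset these recipe files use: nested mappings, lists of
    scalars and `#` comments; only 'true'/'false' become booleans."""
    root = {}
    stack = [(-1, {"_": root}, "_")]                # (indent, owner, key)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if not line.strip():
            continue
        indent, content = len(line) - len(line.lstrip(" ")), line.strip()
        while stack[-1][0] >= indent:               # a dedent closes inner blocks
            stack.pop()
        _, owner, key = stack[-1]
        if owner[key] is None:                      # first child decides dict vs list
            owner[key] = [] if content.startswith("- ") else {}
        container = owner[key]
        if content.startswith("- "):
            container.append(content[2:].strip())
            continue
        k, _, v = (s.strip() for s in content.partition(":"))
        container[k] = {"true": True, "false": False}.get(v, v) if v else None
        if not v:                                   # children of this key follow
            stack.append((indent, container, k))
    return root

def deep_merge(a, b):
    """Recursive mapping merge, a simplification of Symfony's config merging."""
    out = dict(a)
    for k, v in b.items():
        out[k] = deep_merge(out[k], v) if isinstance(out.get(k), dict) and isinstance(v, dict) else v
    return out

# Constructed inputs modelled on the files quoted in this PR.
FORM_BLOCK = "    form:\n        csrf_protection:\n            token_id: submit\n"
CSRF_BLOCK = ("    csrf_protection:\n        stateless_token_ids:\n"
              "            - submit\n            - authenticate\n            - logout\n")
CSRF_YAML = "framework:\n" + FORM_BLOCK + "\n" + CSRF_BLOCK              # as the Form recipe writes it
CSRF_YAML_REARRANGED = "framework:\n" + CSRF_BLOCK + "\n" + FORM_BLOCK   # developer moved the blocks
UX_TURBO_YAML = "# Enable stateless CSRF protection\nframework:\n    csrf_protection:\n        check_header: true\n"

def append_check_header(csrf_yaml):
    """add-lines with position 'bottom': append the line at a fixed (assumed) indentation."""
    return parse_yaml_subset(csrf_yaml + "\n        check_header: true\n")

def merge_files(*texts):
    """Separate files, as in this PR: each parses on its own, then they merge."""
    return reduce(deep_merge, (parse_yaml_subset(t) for t in texts), {})
```

With the rearranged file, the appended line ends up under `framework.form` instead of `framework.csrf_protection`, whereas the merged result carries both `stateless_token_ids` and `check_header` under `framework.csrf_protection`.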

Kocal (Member, Author) commented Jul 26, 2025

Indeed, didn't think about this but I feel like this is the best alternative we have without touching Flex.

I'm updating the PR.

auto-merge was automatically disabled July 26, 2025 21:15

Head branch was pushed to by a user without write access

@Kocal Kocal force-pushed the fix-framework-csrf-bis branch from 2941b64 to f05c33d Compare July 26, 2025 21:15
@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) July 26, 2025 21:15
xabbuh (Member) left a comment

LGTM

@symfony-recipes-bot symfony-recipes-bot merged commit 58a3678 into symfony:main Jul 27, 2025
2 checks passed