[stimulus-bundle] Fix broken CSRF header generation with Turbo forms #1377
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for the PR 😍 How to test these changes in your application
Diff between recipe versionsIn order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes. symfony/stimulus-bundle2.8 vs 2.9diff --git a/symfony/stimulus-bundle/2.9/assets/bootstrap.js b/symfony/stimulus-bundle/2.9/assets/bootstrap.js
new file mode 100644
index 0000000..2689398
--- /dev/null
+++ b/symfony/stimulus-bundle/2.9/assets/bootstrap.js
@@ -0,0 +1,2 @@
+// register any custom, 3rd party controllers here
+// app.register('some_controller_name', SomeImportedController);
diff --git a/symfony/stimulus-bundle/2.9/assets/controllers/hello_controller.js b/symfony/stimulus-bundle/2.9/assets/controllers/hello_controller.js
new file mode 100644
index 0000000..e847027
--- /dev/null
+++ b/symfony/stimulus-bundle/2.9/assets/controllers/hello_controller.js
@@ -0,0 +1,16 @@
+import { Controller } from '@hotwired/stimulus';
+
+/*
+ * This is an example Stimulus controller!
+ *
+ * Any element with a data-controller="hello" attribute will cause
+ * this controller to be executed. The name "hello" comes from the filename:
+ * hello_controller.js -> "hello"
+ *
+ * Delete this file or adapt it for your use!
+ */
+export default class extends Controller {
+ connect() {
+ this.element.textContent = 'Hello Stimulus! Edit me in assets/controllers/hello_controller.js';
+ }
+}
diff --git a/symfony/stimulus-bundle/2.9/assets/controllers.json b/symfony/stimulus-bundle/2.9/assets/controllers.json
new file mode 100644
index 0000000..a1c6e90
--- /dev/null
+++ b/symfony/stimulus-bundle/2.9/assets/controllers.json
@@ -0,0 +1,4 @@
+{
+ "controllers": [],
+ "entrypoints": []
+}
diff --git a/symfony/stimulus-bundle/2.8/manifest.json b/symfony/stimulus-bundle/2.9/manifest.json
index ff66e87..60e0ddb 100644
--- a/symfony/stimulus-bundle/2.8/manifest.json
+++ b/symfony/stimulus-bundle/2.9/manifest.json
@@ -2,5 +2,46 @@
"bundles": {
"Symfony\\UX\\StimulusBundle\\StimulusBundle": ["all"]
},
- "aliases": ["stimulus", "stimulus-bundle"]
+ "copy-from-recipe": {
+ "assets/": "assets/"
+ },
+ "aliases": ["stimulus", "stimulus-bundle"],
+ "conflict": {
+ "symfony/webpack-encore-bundle": "<2.0",
+ "symfony/flex": "<1.20.0 || >=2.0.0,<2.3.0"
+ },
+ "add-lines": [
+ {
+ "file": "webpack.config.js",
+ "content": "\n // enables the Symfony UX Stimulus bridge (used in assets/bootstrap.js)\n .enableStimulusBridge('./assets/controllers.json')",
+ "position": "after_target",
+ "target": ".splitEntryChunks()"
+ },
+ {
+ "file": "assets/app.js",
+ "content": "import './bootstrap.js';",
+ "position": "top",
+ "warn_if_missing": true
+ },
+ {
+ "file": "assets/bootstrap.js",
+ "content": "import { startStimulusApp } from '@symfony/stimulus-bridge';\n\n// Registers Stimulus controllers from controllers.json and in the controllers/ directory\nexport const app = startStimulusApp(require.context(\n '@symfony/stimulus-bridge/lazy-controller-loader!./controllers',\n true,\n /\\.[jt]sx?$/\n));",
+ "position": "top",
+ "requires": "symfony/webpack-encore-bundle"
+ },
+ {
+ "file": "assets/bootstrap.js",
+ "content": "import { startStimulusApp } from '@symfony/stimulus-bundle';\n\nconst app = startStimulusApp();",
+ "position": "top",
+ "requires": "symfony/asset-mapper"
+ },
+ {
+ "file": "templates/base.html.twig",
+ "content": " {{ ux_controller_link_tags() }}",
+ "position": "after_target",
+ "target": "{% block stylesheets %}",
+ "warn_if_missing": true,
+ "requires": "symfony/asset-mapper"
+ }
+ ]
}2.9 vs 2.13diff --git a/symfony/stimulus-bundle/2.9/manifest.json b/symfony/stimulus-bundle/2.13/manifest.json
index 60e0ddb..4701215 100644
--- a/symfony/stimulus-bundle/2.9/manifest.json
+++ b/symfony/stimulus-bundle/2.13/manifest.json
@@ -34,14 +34,6 @@
"content": "import { startStimulusApp } from '@symfony/stimulus-bundle';\n\nconst app = startStimulusApp();",
"position": "top",
"requires": "symfony/asset-mapper"
- },
- {
- "file": "templates/base.html.twig",
- "content": " {{ ux_controller_link_tags() }}",
- "position": "after_target",
- "target": "{% block stylesheets %}",
- "warn_if_missing": true,
- "requires": "symfony/asset-mapper"
}
]
}2.13 vs 2.20diff --git a/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
new file mode 100644
index 0000000..2811f21
--- /dev/null
+++ b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
@@ -0,0 +1,79 @@
+const nameCheck = /^[-_a-zA-Z0-9]{4,22}$/;
+const tokenCheck = /^[-_\/+a-zA-Z0-9]{24,}$/;
+
+// Generate and double-submit a CSRF token in a form field and a cookie, as defined by Symfony's SameOriginCsrfTokenManager
+document.addEventListener('submit', function (event) {
+ generateCsrfToken(event.target);
+}, true);
+
+// When @hotwired/turbo handles form submissions, send the CSRF token in a header in addition to a cookie
+// The `framework.csrf_protection.check_header` config option needs to be enabled for the header to be checked
+document.addEventListener('turbo:submit-start', function (event) {
+ const h = generateCsrfHeaders(event.detail.formSubmission.formElement);
+ Object.keys(h).map(function (k) {
+ event.detail.formSubmission.fetchRequest.headers[k] = h[k];
+ });
+});
+
+// When @hotwired/turbo handles form submissions, remove the CSRF cookie once a form has been submitted
+document.addEventListener('turbo:submit-end', function (event) {
+ removeCsrfToken(event.detail.formSubmission.formElement);
+});
+
+export function generateCsrfToken (formElement) {
+ const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+
+ if (!csrfField) {
+ return;
+ }
+
+ let csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
+ let csrfToken = csrfField.value;
+
+ if (!csrfCookie && nameCheck.test(csrfToken)) {
+ csrfField.setAttribute('data-csrf-protection-cookie-value', csrfCookie = csrfToken);
+ csrfField.defaultValue = csrfToken = btoa(String.fromCharCode.apply(null, (window.crypto || window.msCrypto).getRandomValues(new Uint8Array(18))));
+ csrfField.dispatchEvent(new Event('change', { bubbles: true }));
+ }
+
+ if (csrfCookie && tokenCheck.test(csrfToken)) {
+ const cookie = csrfCookie + '_' + csrfToken + '=' + csrfCookie + '; path=/; samesite=strict';
+ document.cookie = window.location.protocol === 'https:' ? '__Host-' + cookie + '; secure' : cookie;
+ }
+}
+
+export function generateCsrfHeaders (formElement) {
+ const headers = {};
+ const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+
+ if (!csrfField) {
+ return headers;
+ }
+
+ const csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
+
+ if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
+ headers[csrfCookie] = csrfField.value;
+ }
+
+ return headers;
+}
+
+export function removeCsrfToken (formElement) {
+ const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+
+ if (!csrfField) {
+ return;
+ }
+
+ const csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
+
+ if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
+ const cookie = csrfCookie + '_' + csrfField.value + '=0; path=/; samesite=strict; max-age=0';
+
+ document.cookie = window.location.protocol === 'https:' ? '__Host-' + cookie + '; secure' : cookie;
+ }
+}
+
+/* stimulusFetch: 'lazy' */
+export default 'csrf-protection-controller';
diff --git a/symfony/stimulus-bundle/2.13/manifest.json b/symfony/stimulus-bundle/2.20/manifest.json
index 4701215..4289495 100644
--- a/symfony/stimulus-bundle/2.13/manifest.json
+++ b/symfony/stimulus-bundle/2.20/manifest.json
@@ -7,6 +7,8 @@
},
"aliases": ["stimulus", "stimulus-bundle"],
"conflict": {
+ "symfony/framework-bundle": "<7.2",
+ "symfony/security-csrf": "<7.2",
"symfony/webpack-encore-bundle": "<2.0",
"symfony/flex": "<1.20.0 || >=2.0.0,<2.3.0"
}, |
|
@hlecorche I think this is what you intended with the |
|
@aleho Yes, it's a typo. Sorry |
|
My bad, I introduced the issue when merging. |
|
No worries! Works great here (just tested with Turbo form submissions). |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
PR #1375 had a typo, resulting in
Uncaught TypeError: formElement.querySelector is not a function.