CSRF is broken in Symfony 7.2 and newest Easy Admin Bundle.

[tskorupka]

Describe the bug
Wanted to use Symfony 7.2 with newest Easy Admin Bundle.

There is an issue with CSRF, or I just improperly set it up, csrf-token input field value is equal to csrf-token, does not get replaced with autogenerated value.

Funny thing is that, locally everything works just fine, prod environment is broken.

To Reproduce

• New project of symfony 7.2 and easy admin bundle
• Configure framework csrf protection

# ~/config/packages/csrf.yaml
# Enable stateless CSRF protection for forms and logins/logouts (login is enabled in security.yaml file.)
framework:
    form:
        csrf_protection:
            enabled: true
            token_id: submit

    csrf_protection:
        stateless_token_ids:
            - submit

(OPTIONAL) Additional context
Could not add, sorry.

[msphn]

I couldn't get it to work for either.

[tskorupka]

Afaik removing

    csrf_protection:
        stateless_token_ids:
            - submit

solves the issue, is it something expected?

Then final file is

# ~/config/packages/csrf.yaml
# Enable stateless CSRF protection for forms and logins/logouts (login is enabled in security.yaml file.)
framework:
    form:
        csrf_protection:
            enabled: true

[fracsi]

Stateless tokens need additional client side code.
Stimulus-bundle recipe contains a js solution for it.
EA does not use stimulus, currently you have to add that code manually to your app (modified for your use case of course)

[tskorupka]

@fracsi thanks for answering responding under this post, does it mean that if I do have enabled csrf protection for stateless tokens, does it mean that basic forms should be not working?

My point is there that, either csrf protection basic forms and stateless should work just fine, enabled at the same time.

[javiereguiluz]

Sadly, the docs for this Symfony feature are missing (see symfony/symfony-docs#20306). I won't be able to fix this so feel free to send a Pull Request with the needed fixes and, if necessary, some description explaining the changes. Thanks!

[javiereguiluz]

Nicolas recently contributed a fix related to CSRF (see #6724). Did it fix the issue for you?

[barbieswimcrew]

Unfortunately, it looks to me like the fix only partially solves the problem. In my project I have disabled csrf_protection as follows:

framework:
    csrf_protection: false

This leads to the known error: An error has occurred resolving the options of the form "EasyCorp\Bundle\EasyAdminBundle\Form\Type\CrudFormType": The option "csrf_token_id" does not exist.

I have symfony v7.2.2 and easyadmin v4.23.1. As soon as I remove the two lines $formOptions->set(‘csrf_token_id’, ‘’); added by the mentioned fix (see #6724), everything seems to work as it should. Likewise, if I enable csrf_protection.

[gregoire-jianda]

Another side effect of #6724 arises with tests. I usually switch CRSF off for tests (makes testing FormTypes a lot easier) :

when@test:
    framework:
        csrf_protection: false

But since 4.22.1 this leads to an error on every CRUD test involving a form :

ErrorException: An error has occurred resolving the options of the form "EasyCorp\Bundle\EasyAdminBundle\Form\Type\CrudFormType": The option "csrf_token_id" does not exist.

[nicolas-grekas]

It should be possible to revert #6724 after symfony/symfony#59728

[justingivens]

As @tskorupka mentioned locally works but not in production.

Which makes it seems like it's related to an HTTP/HTTPS.

Using ngork to get a HTTPS url to test with, login fails with: Invalid CSRF token.