[Security][SecurityBundle] Use csrf_token_id instead of deprecated intention
jakzal authored and fabpot committed Nov 28, 2015
1 parent 953ed3c commit 0450865
Showing 10 changed files with 53 additions and 11 deletions.
9 changes: 9 additions & 0 deletions UPGRADE-2.8.md
Expand Up @@ -455,6 +455,15 @@ Security
* The `VoterInterface::supportsClass` and `supportsAttribute` methods were
deprecated and will be removed from the interface in 3.0.

* The `intention` option is deprecated for all the authentication listeners,
and will be removed in 3.0. Use the `csrf_token_id` option instead.

SecurityBundle
--------------

* The `intention` firewall listener setting is deprecated, and will be removed in 3.0.
Use the `csrf_token_id` option instead.

Config
------

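--- a/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
+++ b/src/Symfony/Bundle/SecurityBundle/CHANGELOG.md
@@ -6,6 +6,7 @@ CHANGELOG
 
 * deprecated the `key` setting of `anonymous`, `remember_me` and `http_digest`
 in favor of the `secret` setting.
+* deprecated the `intention` firewall listener setting in favor of the `csrf_token_id`.
 
 2.6.0
 -----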
Expand Up @@ -29,7 +29,7 @@ public function __construct()
$this->addOption('username_parameter', '_username');
$this->addOption('password_parameter', '_password');
$this->addOption('csrf_parameter', '_csrf_token');
$this->addOption('intention', 'authenticate');
$this->addOption('csrf_token_id', 'authenticate');
$this->addOption('post_only', true);
}

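Review bot: Swapping `addOption('intention', 'authenticate')` for `addOption('csrf_token_id', 'authenticate')` on the new line of this hunk changes which firewall configuration keys are accepted, not only a listener option name: if this factory's option list is what populates the config tree (as the option-based factories in this bundle appear to do), a `form_login` block that still sets `intention:` will now be rejected as an unrecognized option at container build time rather than emitting the deprecation the UPGRADE note promises. Unless the legacy key is normalized into `csrf_token_id` elsewhere in the configuration (not visible in this section), consider keeping a deprecated `intention` node that is mapped onto `csrf_token_id`, or at least add a configuration test that sets `intention:` under `form_login` to pin the intended behaviour. The constructor's class header lies outside the hunk, so the enclosing class is inferred from its option names.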
Expand Up @@ -299,7 +299,7 @@ private function createFirewall(ContainerBuilder $container, $id, $firewall, &$a
$listener = $container->setDefinition($listenerId, new DefinitionDecorator('security.logout_listener'));
$listener->replaceArgument(3, array(
'csrf_parameter' => $firewall['logout']['csrf_parameter'],
'intention' => $firewall['logout']['csrf_token_id'],
'csrf_token_id' => $firewall['logout']['csrf_token_id'],
'logout_path' => $firewall['logout']['path'],
));
$listeners[] = new Reference($listenerId);
Expand Up @@ -79,12 +79,12 @@ public function buildForm(FormBuilderInterface $builder, array $options)
*/
public function configureOptions(OptionsResolver $resolver)
{
/* Note: the form's intention must correspond to that for the form login
/* Note: the form's csrf_token_id must correspond to that for the form login
* listener in order for the CSRF token to validate successfully.
*/

$resolver->setDefaults(array(
'intention' => 'authenticate',
'csrf_token_id' => 'authenticate',
));
}
}
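--- a/src/Symfony/Component/Security/CHANGELOG.md
+++ b/src/Symfony/Component/Security/CHANGELOG.md
@@ -18,6 +18,8 @@ CHANGELOG
 `Symfony\Component\Security\Core\Authorization\Voter\VoterInterface`.
 * deprecated `getSupportedAttributes()` and `getSupportedClasses()` methods of
 `Symfony\Component\Security\Core\Authorization\Voter\AbstractVoter`, use `supports()` instead.
+* deprecated the `intention` option for all the authentication listeners,
+use the `csrf_token_id` option instead.
 
 2.7.0
 -----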
14 changes: 12 additions & 2 deletions src/Symfony/Component/Security/Http/Firewall/LogoutListener.php
Expand Up @@ -57,11 +57,21 @@ public function __construct(TokenStorageInterface $tokenStorage, HttpUtils $http
throw new InvalidArgumentException('The CSRF token manager should be an instance of CsrfProviderInterface or CsrfTokenManagerInterface.');
}

if (isset($options['intention'])) {
if (isset($options['csrf_token_id'])) {
throw new \InvalidArgumentException(sprintf('You should only define an option for one of "intention" or "csrf_token_id" for the "%s". Use the "csrf_token_id" as it replaces "intention".', __CLASS__));
}

@trigger_error('The "intention" option for the '.__CLASS__.' is deprecated since version 2.8 and will be removed in 3.0. Use the "csrf_token_id" option instead.', E_USER_DEPRECATED);

$options['csrf_token_id'] = $options['intention'];
}

$this->tokenStorage = $tokenStorage;
$this->httpUtils = $httpUtils;
$this->options = array_merge(array(
'csrf_parameter' => '_csrf_token',
'intention' => 'logout',
'csrf_token_id' => 'logout',
'logout_path' => '/logout',
), $options);
$this->successHandler = $successHandler;
Expand Down Expand Up @@ -101,7 +111,7 @@ public function handle(GetResponseEvent $event)
if (null !== $this->csrfTokenManager) {
$csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);

if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['intention'], $csrfToken))) {
if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
throw new LogoutException('Invalid CSRF token.');
}
}
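Review bot: The conflict check added at the top of the constructor throws the global `\InvalidArgumentException`, while the check immediately above it (the CSRF token manager type check at the start of the hunk) throws the unqualified, imported `InvalidArgumentException`; unless that import happens to be the global class, code catching the component's exception type will miss this new failure, so use the same class here: `throw new InvalidArgumentException(sprintf(...))`. Separately, `isset($options['csrf_token_id'])` treats an explicit `'csrf_token_id' => null` as absent, so passing both keys with a null `csrf_token_id` silently adopts the `intention` value instead of failing as the message says it should; `if (array_key_exists('csrf_token_id', $options)) {` matches the stated rule. The message itself reads awkwardly (`for the "%s"`); `in %s` would do. The constructor body continues past the end of this hunk.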
Expand Up @@ -70,14 +70,24 @@ public function __construct(TokenStorageInterface $tokenStorage, AuthenticationM
throw new InvalidArgumentException('The CSRF token manager should be an instance of CsrfProviderInterface or CsrfTokenManagerInterface.');
}

if (isset($options['intention'])) {
if (isset($options['csrf_token_id'])) {
throw new \InvalidArgumentException(sprintf('You should only define an option for one of "intention" or "csrf_token_id" for the "%s". Use the "csrf_token_id" as it replaces "intention".', __CLASS__));
}

@trigger_error('The "intention" option for the '.__CLASS__.' is deprecated since version 2.8 and will be removed in 3.0. Use the "csrf_token_id" option instead.', E_USER_DEPRECATED);

$options['csrf_token_id'] = $options['intention'];
}

$this->simpleAuthenticator = $simpleAuthenticator;
$this->csrfTokenManager = $csrfTokenManager;

$options = array_merge(array(
'username_parameter' => '_username',
'password_parameter' => '_password',
'csrf_parameter' => '_csrf_token',
'intention' => 'authenticate',
'csrf_token_id' => 'authenticate',
'post_only' => true,
), $options);

Expand All @@ -104,7 +114,7 @@ protected function attemptAuthentication(Request $request)
if (null !== $this->csrfTokenManager) {
$csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);

if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['intention'], $csrfToken))) {
if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
throw new InvalidCsrfTokenException('Invalid CSRF token.');
}
}
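Review bot: After `$options['csrf_token_id'] = $options['intention'];` the deprecated key is left in `$options`, so it survives the `array_merge` with the defaults a few lines below and is stored alongside `csrf_token_id`; any remaining reader of `$this->options['intention']` in a subclass or handler then keeps working without ever hitting the deprecation, and the 3.0 removal will surface it only in production. Adding `unset($options['intention']);` directly after the copy makes `csrf_token_id` the single source of truth from this point on. The same shim is duplicated in the other two listeners touched by this commit, so the same one-line change applies there. This constructor begins before and continues after the hunk; from `$this->simpleAuthenticator` it appears to be the simple-form authentication listener, but the class header is not visible here.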
Expand Up @@ -48,11 +48,21 @@ public function __construct(TokenStorageInterface $tokenStorage, AuthenticationM
throw new InvalidArgumentException('The CSRF token manager should be an instance of CsrfProviderInterface or CsrfTokenManagerInterface.');
}

if (isset($options['intention'])) {
if (isset($options['csrf_token_id'])) {
throw new \InvalidArgumentException(sprintf('You should only define an option for one of "intention" or "csrf_token_id" for the "%s". Use the "csrf_token_id" as it replaces "intention".', __CLASS__));
}

@trigger_error('The "intention" option for the '.__CLASS__.' is deprecated since version 2.8 and will be removed in 3.0. Use the "csrf_token_id" option instead.', E_USER_DEPRECATED);

$options['csrf_token_id'] = $options['intention'];
}

parent::__construct($tokenStorage, $authenticationManager, $sessionStrategy, $httpUtils, $providerKey, $successHandler, $failureHandler, array_merge(array(
'username_parameter' => '_username',
'password_parameter' => '_password',
'csrf_parameter' => '_csrf_token',
'intention' => 'authenticate',
'csrf_token_id' => 'authenticate',
'post_only' => true,
), $options), $logger, $dispatcher);

Expand All @@ -79,7 +89,7 @@ protected function attemptAuthentication(Request $request)
if (null !== $this->csrfTokenManager) {
$csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);

if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['intention'], $csrfToken))) {
if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
throw new InvalidCsrfTokenException('Invalid CSRF token.');
}
}
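Review bot: The nine-line `intention` to `csrf_token_id` shim at the top of this constructor is the third verbatim copy in the commit (the logout listener and the simple-form listener carry the same block and the same long message), so the conflict rule, the deprecation text and the eventual 3.0 removal have to be kept in sync by hand in three places. A small shared helper in the firewall namespace taking `$options` and `__CLASS__` and returning the normalized array would remove the duplication; if that is not wanted, at least tighten the message consistently, e.g. `sprintf('Define either "intention" or "csrf_token_id" for %s, not both; "csrf_token_id" replaces "intention".', __CLASS__)`. The constructor continues outside the hunk, and the class is inferred from the `parent::__construct` call rather than a visible header.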
Expand Up @@ -213,7 +213,7 @@ private function getListener($successHandler = null, $tokenManager = null)
$successHandler ?: $this->getSuccessHandler(),
$options = array(
'csrf_parameter' => '_csrf_token',
'intention' => 'logout',
'csrf_token_id' => 'logout',
'logout_path' => '/logout',
'target_url' => '/',
),

3 comments on commit 0450865

@linaori
Contributor


Mind calming down a bit?

@nicolas-grekas
Member


The intention of this patch is to deprecate an option. This is perfectly fine in point releases and it should be totally transparent (i.e., if you don't care, it works the same unless you move to 3.0). If something has been broken, please report an issue. Please mind your tone.

@nicolas-grekas
Member

