Skip to content

Cleaned csrf_protection_controller for very basic eslint rules#1380

Closed
lyrixx wants to merge 1 commit intosymfony:mainfrom
lyrixx:cs-csrf-protection-controller
Closed

Cleaned csrf_protection_controller for very basic eslint rules#1380
lyrixx wants to merge 1 commit intosymfony:mainfrom
lyrixx:cs-csrf-protection-controller

Conversation

@lyrixx
Copy link
Copy Markdown
Member

@lyrixx lyrixx commented Feb 17, 2025
edited
Loading

Q A
License MIT
Doc issue/PR

Fixed the following issues:

assets/controllers/csrf_protection_controller.js
   2:25  error  Unnecessary escape character: \/                                  no-useless-escape
   8:5   error  'generateCsrfToken' was used before it was defined                no-use-before-define
  16:13  error  'generateCsrfHeaders' was used before it was defined              no-use-before-define
  17:26  error  Array.prototype.map() expects a return value from arrow function  array-callback-return
  18:5   error  Assignment to property of function parameter 'event'              no-param-reassign
  24:3   error  'removeCsrfToken' was used before it was defined                  no-use-before-define
  39:30  error  Unexpected chained assignment

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) February 17, 2025 09:59
@github-actions
Copy link
Copy Markdown

github-actions bot commented Feb 17, 2025

Thanks for the PR 😍

How to test these changes in your application

  1. Define the SYMFONY_ENDPOINT environment variable:

    # On Unix-like (BSD, Linux and macOS)
export SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1380/index.json
# On Windows
SET SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1380/index.json

  2. Install the package(s) related to this recipe:

    composer req symfony/flex
composer req 'symfony/stimulus-bundle:^2.20'

  3. Don't forget to unset the SYMFONY_ENDPOINT environment variable when done:

    # On Unix-like (BSD, Linux and macOS)
unset SYMFONY_ENDPOINT
# On Windows
SET SYMFONY_ENDPOINT=

Diff between recipe versions

In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes.
I'm going keep this comment up to date with any updates of the attached patch.

symfony/stimulus-bundle

2.8 vs 2.9 
diff --git a/symfony/stimulus-bundle/2.9/assets/bootstrap.js b/symfony/stimulus-bundle/2.9/assets/bootstrap.js
new file mode 100644
index 0000000..2689398
--- /dev/null
+++ b/symfony/stimulus-bundle/2.9/assets/bootstrap.js
@@ -0,0 +1,2 @@
+// register any custom, 3rd party controllers here
+// app.register('some_controller_name', SomeImportedController);
diff --git a/symfony/stimulus-bundle/2.9/assets/controllers/hello_controller.js b/symfony/stimulus-bundle/2.9/assets/controllers/hello_controller.js
new file mode 100644
index 0000000..e847027
--- /dev/null
+++ b/symfony/stimulus-bundle/2.9/assets/controllers/hello_controller.js
@@ -0,0 +1,16 @@
+import { Controller } from '@hotwired/stimulus';
+
+/*
+ * This is an example Stimulus controller!
+ *
+ * Any element with a data-controller="hello" attribute will cause
+ * this controller to be executed. The name "hello" comes from the filename:
+ * hello_controller.js -> "hello"
+ *
+ * Delete this file or adapt it for your use!
+ */
+export default class extends Controller {
+    connect() {
+        this.element.textContent = 'Hello Stimulus! Edit me in assets/controllers/hello_controller.js';
+    }
+}
diff --git a/symfony/stimulus-bundle/2.9/assets/controllers.json b/symfony/stimulus-bundle/2.9/assets/controllers.json
new file mode 100644
index 0000000..a1c6e90
--- /dev/null
+++ b/symfony/stimulus-bundle/2.9/assets/controllers.json
@@ -0,0 +1,4 @@
+{
+    "controllers": [],
+    "entrypoints": []
+}
diff --git a/symfony/stimulus-bundle/2.8/manifest.json b/symfony/stimulus-bundle/2.9/manifest.json
index ff66e87..60e0ddb 100644
--- a/symfony/stimulus-bundle/2.8/manifest.json
+++ b/symfony/stimulus-bundle/2.9/manifest.json
@@ -2,5 +2,46 @@
     "bundles": {
         "Symfony\\UX\\StimulusBundle\\StimulusBundle": ["all"]
     },
-    "aliases": ["stimulus", "stimulus-bundle"]
+    "copy-from-recipe": {
+        "assets/": "assets/"
+    },
+    "aliases": ["stimulus", "stimulus-bundle"],
+    "conflict": {
+        "symfony/webpack-encore-bundle": "<2.0",
+        "symfony/flex": "<1.20.0 || >=2.0.0,<2.3.0"
+    },
+    "add-lines": [
+        {
+            "file": "webpack.config.js",
+            "content": "\n    // enables the Symfony UX Stimulus bridge (used in assets/bootstrap.js)\n    .enableStimulusBridge('./assets/controllers.json')",
+            "position": "after_target",
+            "target": ".splitEntryChunks()"
+        },
+        {
+            "file": "assets/app.js",
+            "content": "import './bootstrap.js';",
+            "position": "top",
+            "warn_if_missing": true
+        },
+        {
+            "file": "assets/bootstrap.js",
+            "content": "import { startStimulusApp } from '@symfony/stimulus-bridge';\n\n// Registers Stimulus controllers from controllers.json and in the controllers/ directory\nexport const app = startStimulusApp(require.context(\n    '@symfony/stimulus-bridge/lazy-controller-loader!./controllers',\n    true,\n    /\\.[jt]sx?$/\n));",
+            "position": "top",
+            "requires": "symfony/webpack-encore-bundle"
+        },
+        {
+            "file": "assets/bootstrap.js",
+            "content": "import { startStimulusApp } from '@symfony/stimulus-bundle';\n\nconst app = startStimulusApp();",
+            "position": "top",
+            "requires": "symfony/asset-mapper"
+        },
+        {
+            "file": "templates/base.html.twig",
+            "content": "            {{ ux_controller_link_tags() }}",
+            "position": "after_target",
+            "target": "{% block stylesheets %}",
+            "warn_if_missing": true,
+            "requires": "symfony/asset-mapper"
+        }
+    ]
 }
2.9 vs 2.13 
diff --git a/symfony/stimulus-bundle/2.9/manifest.json b/symfony/stimulus-bundle/2.13/manifest.json
index 60e0ddb..4701215 100644
--- a/symfony/stimulus-bundle/2.9/manifest.json
+++ b/symfony/stimulus-bundle/2.13/manifest.json
@@ -34,14 +34,6 @@
             "content": "import { startStimulusApp } from '@symfony/stimulus-bundle';\n\nconst app = startStimulusApp();",
             "position": "top",
             "requires": "symfony/asset-mapper"
-        },
-        {
-            "file": "templates/base.html.twig",
-            "content": "            {{ ux_controller_link_tags() }}",
-            "position": "after_target",
-            "target": "{% block stylesheets %}",
-            "warn_if_missing": true,
-            "requires": "symfony/asset-mapper"
         }
     ]
 }
2.13 vs 2.20 
diff --git a/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
new file mode 100644
index 0000000..16ad6b6
--- /dev/null
+++ b/symfony/stimulus-bundle/2.20/assets/controllers/csrf_protection_controller.js
@@ -0,0 +1,88 @@
+const nameCheck = /^[-_a-zA-Z0-9]{4,22}$/;
+const tokenCheck = /^[-_/+a-zA-Z0-9]{24,}$/;
+
+export function generateCsrfToken(formElement) {
+  const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+
+  if (!csrfField) {
+    return;
+  }
+
+  let csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
+  let csrfToken = csrfField.value;
+
+  if (!csrfCookie && nameCheck.test(csrfToken)) {
+    csrfField.setAttribute('data-csrf-protection-cookie-value', (csrfCookie = csrfToken));
+    csrfToken = btoa(
+      String.fromCharCode.apply(null, (window.crypto || window.msCrypto).getRandomValues(new Uint8Array(18))),
+    );
+    csrfField.defaultValue = csrfToken;
+    csrfField.dispatchEvent(new Event('change', { bubbles: true }));
+  }
+
+  if (csrfCookie && tokenCheck.test(csrfToken)) {
+    const cookie = `${csrfCookie}_${csrfToken}=${csrfCookie}; path=/; samesite=strict`;
+    document.cookie = window.location.protocol === 'https:' ? `__Host-${cookie}; secure` : cookie;
+  }
+}
+
+export function generateCsrfHeaders(formElement) {
+  const headers = {};
+  const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+
+  if (!csrfField) {
+    return headers;
+  }
+
+  const csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
+
+  if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
+    headers[csrfCookie] = csrfField.value;
+  }
+
+  return headers;
+}
+
+export function removeCsrfToken(formElement) {
+  const csrfField = formElement.querySelector('input[data-controller="csrf-protection"], input[name="_csrf_token"]');
+
+  if (!csrfField) {
+    return;
+  }
+
+  const csrfCookie = csrfField.getAttribute('data-csrf-protection-cookie-value');
+
+  if (tokenCheck.test(csrfField.value) && nameCheck.test(csrfCookie)) {
+    const cookie = `${csrfCookie}_${csrfField.value}=0; path=/; samesite=strict; max-age=0`;
+
+    document.cookie = window.location.protocol === 'https:' ? `__Host-${cookie}; secure` : cookie;
+  }
+}
+
+// Generate and double-submit a CSRF token in a form field and a cookie, as defined by Symfony's SameOriginCsrfTokenManager
+document.addEventListener(
+  'submit',
+  (event) => {
+    generateCsrfToken(event.target);
+  },
+  true,
+);
+
+// When @hotwired/turbo handles form submissions, send the CSRF token in a header in addition to a cookie
+// The `framework.csrf_protection.check_header` config option needs to be enabled for the header to be checked
+document.addEventListener('turbo:submit-start', (event) => {
+  const h = generateCsrfHeaders(event.detail.formSubmission.formElement);
+  // eslint-disable-next-line array-callback-return
+  Object.keys(h).map((k) => {
+    // eslint-disable-next-line no-param-reassign
+    event.detail.formSubmission.fetchRequest.headers[k] = h[k];
+  });
+});
+
+// When @hotwired/turbo handles form submissions, remove the CSRF cookie once a form has been submitted
+document.addEventListener('turbo:submit-end', (event) => {
+  removeCsrfToken(event.detail.formSubmission.formElement);
+});
+
+/* stimulusFetch: 'lazy' */
+export default 'csrf-protection-controller';
diff --git a/symfony/stimulus-bundle/2.13/manifest.json b/symfony/stimulus-bundle/2.20/manifest.json
index 4701215..4289495 100644
--- a/symfony/stimulus-bundle/2.13/manifest.json
+++ b/symfony/stimulus-bundle/2.20/manifest.json
@@ -7,6 +7,8 @@
     },
     "aliases": ["stimulus", "stimulus-bundle"],
     "conflict": {
+        "symfony/framework-bundle": "<7.2",
+        "symfony/security-csrf": "<7.2",
         "symfony/webpack-encore-bundle": "<2.0",
         "symfony/flex": "<1.20.0 || >=2.0.0,<2.3.0"
     },

@whataboutpereira
Copy link
Copy Markdown

whataboutpereira commented Feb 20, 2025

ESLint suggests using .forEach instead of .map there, so perhaps ignoring the error isn't the best path.

@lyrixx lyrixx closed this Jul 24, 2025
auto-merge was automatically disabled July 24, 2025 09:41

Pull request was closed

@lyrixx lyrixx deleted the cs-csrf-protection-controller branch July 24, 2025 09:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nicolas-grekas nicolas-grekas Awaiting requested review from nicolas-grekas

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lyrixx @whataboutpereira