
[Turbo] Fix check_header configuration #1439


Merged
merged 1 commit into from
Jul 26, 2025

Conversation

Kocal
Member

@Kocal Kocal commented Jul 25, 2025

Q             A
License       MIT
Doc issue/PR  symfony/symfony-docs#...

Since b06f1ce, the (stateless) CSRF configuration now lives in config/packages/csrf.yaml file:

# Enable stateless CSRF protection for forms and logins/logouts
framework:
    form:
        csrf_protection:
            token_id: submit

    csrf_protection:
        stateless_token_ids:
            - submit
            - authenticate
            - logout

Some spaces from target and content were removed since we want to add check_header: true for the framework.csrf_protection configuration, which is one level under framework.form.csrf_protection.

@symfony-recipes-bot symfony-recipes-bot enabled auto-merge (squash) July 25, 2025 18:40

Thanks for the PR 😍

How to test these changes in your application

  1. Define the SYMFONY_ENDPOINT environment variable:

    # On Unix-like (BSD, Linux and macOS)
    export SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1439/index.json
    # On Windows
    SET SYMFONY_ENDPOINT=https://raw.githubusercontent.com/symfony/recipes/flex/pull-1439/index.json
  2. Install the package(s) related to this recipe:

    composer req symfony/flex
    composer req 'symfony/ux-turbo:^2.20'
  3. Don't forget to unset the SYMFONY_ENDPOINT environment variable when done:

    # On Unix-like (BSD, Linux and macOS)
    unset SYMFONY_ENDPOINT
    # On Windows
    SET SYMFONY_ENDPOINT=

Diff between recipe versions

In order to help with the review stage, I'm in charge of computing the diff between the various versions of patched recipes.
I'm going to keep this comment up to date with any updates of the attached patch.

symfony/ux-turbo

2.19 vs 2.20
diff --git a/symfony/ux-turbo/2.19/manifest.json b/symfony/ux-turbo/2.20/manifest.json
index 1fa03bf..ec536fb 100644
--- a/symfony/ux-turbo/2.19/manifest.json
+++ b/symfony/ux-turbo/2.20/manifest.json
@@ -1,5 +1,18 @@
 {
     "bundles": {
         "Symfony\\UX\\Turbo\\TurboBundle": ["all"]
-    }
+    },
+    "aliases": ["turbo"],
+    "conflict": {
+        "symfony/framework-bundle": "<7.2",
+        "symfony/security-csrf": "<7.2"
+    },
+    "add-lines": [
+        {
+            "file": "config/packages/csrf.yaml",
+            "position": "after_target",
+            "target": "    csrf_protection:",
+            "content": "        check_header: true"
+        }
+    ]
 }
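Review bot: the `target` string `    csrf_protection:` is not unique in config/packages/csrf.yaml. The FrameworkBundle recipe has a `csrf_protection:` key under both `framework.form` and `framework`, and the four leading spaces do not disambiguate: the first occurrence is indented further and still contains that string, so `after_target` lands `        check_header: true` under `framework.form.csrf_protection`, where it is not a recognized option (the follow-up report in this thread shows exactly that result, plus the invalid-YAML error caused by the indentation mismatch with `token_id:`). Either choose a target line that occurs only once in the file, or restructure the recipe so the intended `csrf_protection:` line comes first, and add a check that applies this `add-lines` entry to the current csrf.yaml and verifies the result parses with `check_header` under `framework.csrf_protection`.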

@fabpot fabpot disabled auto-merge July 26, 2025 13:10
@fabpot fabpot merged commit 87f1e0b into symfony:main Jul 26, 2025
2 checks passed
@Err0r404

Not sure if this is the right place, but I have an error that may be related to that PR.

composer require webapp                                                               at 17:18:42
./composer.json has been updated
Running composer update symfony/webapp-pack
Loading composer repositories with package information
Updating dependencies
Nothing to modify in lock file
Writing lock file
Installing dependencies from lock file (including require-dev)
Nothing to install, update or remove
Generating autoload files
117 packages you are using are looking for funding.
Use the `composer fund` command to find out more!

Symfony operations: 22 recipes (f5bf4d9dfe5fbc9ae0f74ec733781358)
  - Configuring symfony/webapp-pack (>=1.0): From github.com/symfony/recipes:main
  - Configuring doctrine/deprecations (>=1.0): From github.com/symfony/recipes:main
  - Configuring doctrine/doctrine-bundle (>=2.13): From github.com/symfony/recipes:main
  -  WARNING  doctrine/doctrine-bundle (>=2.13): From github.com/symfony/recipes:main
    The recipe for this package contains some Docker configuration.

    This may create/update compose.yaml or update Dockerfile (if it exists).

    Do you want to include Docker configuration from recipes?
    [y] Yes
    [n] No
    [p] Yes permanently, never ask again for this project
    [x] No permanently, never ask again for this project
    (defaults to y): n
  - Configuring doctrine/doctrine-migrations-bundle (>=3.1): From github.com/symfony/recipes:main
  - Configuring phpunit/phpunit (>=11.1): From github.com/symfony/recipes:main
  - Configuring symfony/debug-bundle (>=5.3): From github.com/symfony/recipes:main
  - Configuring symfony/messenger (>=6.0): From github.com/symfony/recipes:main
  - Configuring symfony/property-info (>=7.3): From github.com/symfony/recipes:main
  - Configuring symfony/twig-bundle (>=6.4): From github.com/symfony/recipes:main
  - Configuring symfony/web-profiler-bundle (>=7.3): From github.com/symfony/recipes:main
  - Configuring symfony/validator (>=7.0): From github.com/symfony/recipes:main
  - Configuring symfony/stimulus-bundle (>=2.20): From github.com/symfony/recipes:main
  - Configuring symfony/ux-turbo (>=2.20): From github.com/symfony/recipes:main
  - Configuring twig/extra-bundle (>=v3.21.0): From auto-generated recipe
  - Configuring symfony/translation (>=6.3): From github.com/symfony/recipes:main
  - Configuring symfony/security-bundle (>=6.4): From github.com/symfony/recipes:main
  - Configuring symfony/notifier (>=5.0): From github.com/symfony/recipes:main
  - Configuring symfony/monolog-bundle (>=3.7): From github.com/symfony/recipes:main
  - Configuring symfony/maker-bundle (>=1.0): From github.com/symfony/recipes:main
  - Configuring symfony/mailer (>=4.3): From github.com/symfony/recipes:main
  - Configuring symfony/form (>=7.2): From github.com/symfony/recipes:main
  - Configuring symfony/asset-mapper (>=6.4): From github.com/symfony/recipes:main
Executing script importmap:require [KO]
 [KO]
Script importmap:require returned with error code 1
!!
!!  In FileLoader.php line 177:
!!                                                                                                                                    
!!    The file "/var/www/html/config/packages/csrf.yaml" does not contain valid YAML: A colon cannot be used in an unquoted mapping val
!!    ue at line 6 (near "    token_id: submit") in /var/www/html/config/packages/csrf.yaml (which is being imported from "/var/www/htm
!!    l/src/Kernel.php").                                                                                                             
!!                                                                                                                                    
!!
!!  In YamlFileLoader.php line 786:
!!                                                                                                                                    
!!    The file "/var/www/html/config/packages/csrf.yaml" does not contain valid YAML: A colon cannot be used in an unquoted mapping val
!!    ue at line 6 (near "    token_id: submit").                                                                                     
!!                                                                                                                                    
!!
!!  In Parser.php line 800:
!!
!!    A colon cannot be used in an unquoted mapping value at line 6 (near "    token_id: submit").
!!
!!
!!
> cat config/packages/csrf.yaml                                                      took 6s at 17:23:41
# Enable stateless CSRF protection for forms and logins/logouts
framework:
    form:
        csrf_protection:
        check_header: true
            token_id: submit

    csrf_protection:
        stateless_token_ids:
            - submit
            - authenticate
            - logout

Manually fixing the indentation gives another error:

  Unrecognized option "check_header" under "framework.form.csrf_protection". Available options are "enabled", "field_attr", "field_
  name", "token_id".

Commenting out/removing the check_header row solves the issue.

@Kocal Kocal deleted the fix-turbo-csrf branch July 26, 2025 15:41
@Kocal
Member Author

Kocal commented Jul 26, 2025

Hum, that's because csrf_protection: matches the two csrf_protection: occurrences... 😬

I don't see any solution that does not involve modifying Flex.

Instead:

  1. maybe we can remove the UX Turbo recipe but transform the FrameworkBundle recipe to:
# Enable stateless CSRF protection for forms and logins/logouts
framework:
    form:
        csrf_protection:
            token_id: submit

    csrf_protection:
        # To enable with UX Turbo
        # check_header: true
        stateless_token_ids:
            - submit
            - authenticate
            - logout
  2. or keep the UX Turbo recipe and move framework.csrf_protection above framework.form.csrf_protection config, that's a bit hacky though
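To make the ambiguity concrete, here is an added Python reproduction (not Flex's code and not part of this thread) that models after_target as "insert the content after the first line containing the target string", which is an assumption about Flex's matching, and then reads back which parent key check_header ended up under. It uses the csrf.yaml from the PR description and the reordered variant from option 2, with the token list trimmed to one entry.

```python
# config/packages/csrf.yaml from the PR description (list trimmed to one item).
CSRF_YAML = """\
# Enable stateless CSRF protection for forms and logins/logouts
framework:
    form:
        csrf_protection:
            token_id: submit
    csrf_protection:
        stateless_token_ids:
            - submit
"""
# Option 2 from the thread: framework.csrf_protection moved above framework.form.
REORDERED_YAML = """\
framework:
    csrf_protection:
        stateless_token_ids:
            - submit
    form:
        csrf_protection:
            token_id: submit
"""
TARGET = "    csrf_protection:"        # the manifest's "target"
CONTENT = "        check_header: true"  # the manifest's "content"


def add_after_target(text, target, content):
    """Simplified model of Flex's after_target (an assumption, not Flex code):
    the content lands after the FIRST line that contains the target string.
    Raises StopIteration if the target is absent."""
    lines = text.splitlines()
    hit = next(i for i, line in enumerate(lines) if target in line)
    lines.insert(hit + 1, content)
    return "\n".join(lines) + "\n"


def indent(line):
    return len(line) - len(line.lstrip(" "))


def key_path(text, key):
    """Dotted path of the first mapping key named `key`, derived from indentation
    alone (comments and list items are skipped); None if the key is absent."""
    stack = []  # (indent, key) of the enclosing mappings
    for line in text.splitlines():
        s = line.strip()
        if not s or s[0] in "#-":
            continue
        ind, name = indent(line), s.split(":", 1)[0]
        while stack and stack[-1][0] >= ind:
            stack.pop()  # a key at the same or lower indent closes the mapping
        if name == key:
            return ".".join(n for _, n in stack + [(ind, name)])
        stack.append((ind, name))
    return None
```

With the recipe as shipped, check_header resolves to framework.form.check_header (the form branch, matching the error in the report above); with the reordered file the same add-lines entry resolves to framework.csrf_protection.check_header.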

@Kocal
Member Author

Kocal commented Jul 26, 2025

Opened #1439
