Beta3 to RC1 composer update fails with logout csrf Uncaught Error #48339


Closed
ChrisRiddell opened this issue Nov 26, 2022 · 4 comments

Comments

@ChrisRiddell

Symfony version(s) affected

6.2.0RC1

Description

When doing `composer update` from 6.2 beta3 to RC1, it throws an Uncaught Error:

```text
Executing script cache:clear [KO]
 [KO]
Script cache:clear returned with error code 255
!!
!!   // Clearing the cache for the dev environment with debug true
!!
!!
!!  In LogoutUrlGenerator.php line 50:
!!
!!    Symfony\Component\Security\Http\Logout\LogoutUrlGenerator::registerListener
!!    (): Argument #5 ($csrfTokenManager) must be of type ?Symfony\Component\Secu
!!    rity\Csrf\CsrfTokenManagerInterface, Symfony\Component\Security\Csrf\TokenG
!!    enerator\UriSafeTokenGenerator given, called in /Users/chris/Desktop/xxxx/var/cache/dev/ContainerBakDEKc/App_KernelDevDebugContainer.php on
!!    line 1267
```

How to reproduce

security.yml

```yaml
security:          # parent keys added for context; the reported snippet starts at "main:"
    firewalls:
        main:
            lazy: true
            provider: app_user_provider

            form_login:
                login_path: app_login
                check_path: app_login
                enable_csrf: true

            remember_me:
                secret:   '%kernel.secret%' # required
                lifetime: 604800 # 1 week in seconds

            logout:
                path: app_logout
                enable_csrf: true
```

composer.json

```json
    "require": {
        "php": ">=8.1",
        "ext-ctype": "*",
        "ext-iconv": "*",
        "doctrine/annotations": "^1.0",
        "doctrine/doctrine-bundle": "^2.7",
        "doctrine/doctrine-migrations-bundle": "^3.2",
        "doctrine/orm": "^2.13",
        "phpdocumentor/reflection-docblock": "^5.3",
        "phpstan/phpdoc-parser": "^1.13",
        "symfony/console": "6.2.*",
        "symfony/dotenv": "6.2.*",
        "symfony/flex": "^2",
        "symfony/form": "6.2.*",
        "symfony/framework-bundle": "6.2.*",
        "symfony/property-access": "6.2.*",
        "symfony/property-info": "6.2.*",
        "symfony/proxy-manager-bridge": "6.2.*",
        "symfony/rate-limiter": "6.2.*",
        "symfony/runtime": "6.2.*",
        "symfony/security-bundle": "6.2.*",
        "symfony/serializer": "6.2.*",
        "symfony/twig-bundle": "6.2.*",
        "symfony/validator": "6.2.*",
        "symfony/webpack-encore-bundle": "^1.16",
        "symfony/yaml": "6.2.*",
        "twig/extra-bundle": "^2.12|^3.0",
        "twig/twig": "^2.12|^3.0"
    },
```

This should work following
https://symfony.com/blog/new-in-symfony-6-2-security-improvements-part-2#simpler-logout-csrf-protection

Possible Solution

No response

Additional Context

No response

MatTheCat (Contributor) commented Nov 26, 2022

Good catch 👍

Seems there is some confusion between token managers and generators: https://symfony.com/doc/current/reference/configuration/security.html#csrf-token-generator

I think the `logout.csrf_token_generator` default value should be updated to `security.csrf.token_manager`, and the option then renamed to `logout.csrf_token_manager`.

@javiereguiluz maybe the blog post should also be updated?

wouterj (Member) commented Nov 26, 2022

Hi. Thank you for trying out the pre-releases!

If you manually remove the cache (e.g. `rm -rf var/cache/*`), does this error still occur? Sometimes the cache is broken between minor versions; it's not something we guarantee compatibility for (and regenerating it from scratch has no impact on the app).

If it does still occur, can you please create a minimal reproducer so someone can further investigate this issue?

wouterj added this to the 6.2 milestone Nov 26, 2022

ChrisRiddell (Author) commented

It does, @wouterj. The easiest way to reproduce is with the following commands:

```shell
symfony new my_project_directory --version="6.2.*@dev" --webapp
```

Edit the security.yml and add the following to `main`; you don't need any other setup:

```yaml
logout:
    path: app_logout
    enable_csrf: true
```

Run `composer update`.

It seems to throw that error no matter what if that csrf option is true under the logout config.

fabpot closed this as completed Nov 26, 2022
fabpot added a commit that referenced this issue Nov 26, 2022
… value (MatTheCat)

This PR was merged into the 6.2 branch.

Discussion
----------

[SecurityBundle] Fix `logout.csrf_token_generator` default value

| Q             | A
| ------------- | ---
| Branch?       | 6.2
| Bug fix?      | yes
| New feature?  | no
| Deprecations? | no
| Tickets       | Fix #48339
| License       | MIT
| Doc PR        | N/A

The token **manager** service ID configuration node is called <code>csrf_token_**generator**</code>. As such it has been wrongly assumed in #46580 `security.csrf.token_generator` was a good default value, whereas `security.csrf.token_manager` should be used (this is reflected by [the documentation](https://symfony.com/doc/current/reference/configuration/security.html#csrf-token-generator)).

`csrf_token_generator` should ideally be deprecated and renamed `csrf_token_manager`.

Commits
-------

df539e2 [SecurityBundle] Fix `logout.csrf_token_generator` default value
wouterj (Member) commented Nov 26, 2022

Thanks for the reproducing steps!

@MatTheCat has fixed the error, and when updating symfony/security-bundle to 6.2-dev the error is no longer there, so that confirms this is fixed now 👍

fabpot added a commit that referenced this issue Dec 22, 2022
…enerator` to `firewalls.logout.csrf_token_manager` (MatTheCat)

This PR was merged into the 6.3 branch.

Discussion
----------

[SecurityBundle] Rename `firewalls.logout.csrf_token_generator` to `firewalls.logout.csrf_token_manager`

| Q             | A
| ------------- | ---
| Branch?       | 6.3
| Bug fix?      | no
| New feature?  | no
| Deprecations? | yes
| Tickets       | N/A
| License       | MIT
| Doc PR        | symfony/symfony-docs#17482

A long time ago, #6554 replaced `CsrfProviderInterface` by `CsrfTokenGeneratorInterface`, and #9216 split the latter into `CsrfTokenManagerInterface` and `TokenGeneratorInterface`. #9587 later introduced `csrf_token_generator`, which was already wrong at the time.

Given that token generators exist, it feels weird to have to set <code>csrf_token_**generator**</code> to <code>security.csrf.token_**manager**</code> as mentioned in [the documentation](https://symfony.com/doc/current/reference/configuration/security.html#csrf-token-generator).

As this confusion recently led to #48339, I propose to rename `firewalls.logout.csrf_token_generator` to `firewalls.logout.csrf_token_manager`.

Commits
-------

0a0a98a [SecurityBundle] Rename `firewalls.logout.csrf_token_generator` to `firewalls.logout.csrf_token_manager`
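As an added illustration (not part of the issue report or of either PR above), the reporter's firewall configuration with the logout CSRF wiring made explicit: the manager service is named directly, which is what the linked documentation describes and what sidesteps the wrong default in 6.2.0-RC1. The `security:`/`firewalls:` parent keys and all comments are constructed here.

```yaml
# config/packages/security.yaml (constructed example)
security:
    firewalls:
        main:
            lazy: true
            provider: app_user_provider

            form_login:
                login_path: app_login
                check_path: app_login
                enable_csrf: true

            logout:
                path: app_logout
                enable_csrf: true
                # In 6.2.0-RC1 this node defaulted to security.csrf.token_generator,
                # a UriSafeTokenGenerator, but LogoutUrlGenerator::registerListener()
                # requires a CsrfTokenManagerInterface, hence the TypeError at cache:clear.
                # Naming the manager explicitly avoids that default; after commit df539e2
                # (6.2) the default itself is security.csrf.token_manager and this line
                # becomes redundant.
                csrf_token_generator: security.csrf.token_manager
                # From 6.3 (commit 0a0a98a) the node is renamed and the old name is
                # deprecated; the equivalent setting there is:
                # csrf_token_manager: security.csrf.token_manager
```

Clear `var/cache/*` after changing the firewall config so the container is rebuilt with the new wiring.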