Add CSRF protection

Author: chalasr

src/Symfony/Bundle/SecurityBundle/DependencyInjection/SecurityExtension.php

@@ -455,6 +455,8 @@ private function createFirewall(ContainerBuilder $container, string $id, array $
                     false === $firewall['stateless'] && isset($firewall['context']) ? $firewall['context'] : null,
                 ])
             ;
+
+            $config->replaceArgument(12, $firewall['logout']);
         }
 
         // Determine default entry point

src/Symfony/Bundle/SecurityBundle/Resources/config/security.php

@@ -87,6 +87,7 @@
                     'security.firewall.map' => service('security.firewall.map'),
                     'security.user_checker' => service('security.user_checker'),
                     'security.firewall.event_dispatcher_locator' => service('security.firewall.event_dispatcher_locator'),
+                    'security.csrf.token_manager' => service('security.csrf.token_manager')->ignoreOnInvalid(),
                 ]),
                 abstract_arg('authenticators'),
             ])
@@ -207,6 +208,7 @@
                 null,
                 [], // listeners
                 null, // switch_user
+                null, // logout
             ])
 
         ->set('security.logout_url_generator', LogoutUrlGenerator::class)

src/Symfony/Bundle/SecurityBundle/Security/FirewallConfig.php

@@ -16,33 +16,21 @@
  */
 final class FirewallConfig
 {
-    private string $name;
-    private string $userChecker;
-    private ?string $requestMatcher;
-    private bool $securityEnabled;
-    private bool $stateless;
-    private ?string $provider;
-    private ?string $context;
-    private ?string $entryPoint;
-    private ?string $accessDeniedHandler;
-    private ?string $accessDeniedUrl;
-    private array $authenticators;
-    private ?array $switchUser;
-
-    public function __construct(string $name, string $userChecker, string $requestMatcher = null, bool $securityEnabled = true, bool $stateless = false, string $provider = null, string $context = null, string $entryPoint = null, string $accessDeniedHandler = null, string $accessDeniedUrl = null, array $authenticators = [], array $switchUser = null)
-    {
-        $this->name = $name;
-        $this->userChecker = $userChecker;
-        $this->requestMatcher = $requestMatcher;
-        $this->securityEnabled = $securityEnabled;
-        $this->stateless = $stateless;
-        $this->provider = $provider;
-        $this->context = $context;
-        $this->entryPoint = $entryPoint;
-        $this->accessDeniedHandler = $accessDeniedHandler;
-        $this->accessDeniedUrl = $accessDeniedUrl;
-        $this->authenticators = $authenticators;
-        $this->switchUser = $switchUser;
+    public function __construct(
+        private readonly string $name,
+        private readonly string $userChecker,
+        private readonly ?string $requestMatcher = null,
+        private readonly bool $securityEnabled = true,
+        private readonly bool $stateless = false,
+        private readonly ?string $provider = null,
+        private readonly ?string $context = null,
+        private readonly ?string $entryPoint = null,
+        private readonly ?string $accessDeniedHandler = null,
+        private readonly ?string $accessDeniedUrl = null,
+        private readonly array $authenticators = [],
+        private readonly ?array $switchUser = null,
+        private readonly ?array $logout = null
+    ) {
     }
 
     public function getName(): string
@@ -111,4 +99,9 @@ public function getSwitchUser(): ?array
     {
         return $this->switchUser;
     }
+
+    public function getLogout(): ?array
+    {
+        return $this->logout;
+    }
 }

src/Symfony/Bundle/SecurityBundle/Security/Security.php

@@ -14,11 +14,15 @@
 use Psr\Container\ContainerInterface;
 use Symfony\Component\HttpFoundation\Request;
 use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
 use Symfony\Component\Security\Core\Exception\LogicException;
+use Symfony\Component\Security\Core\Exception\LogoutException;
 use Symfony\Component\Security\Core\Security as LegacySecurity;
 use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Csrf\CsrfToken;
 use Symfony\Component\Security\Http\Authenticator\AuthenticatorInterface;
 use Symfony\Component\Security\Http\Event\LogoutEvent;
+use Symfony\Component\Security\Http\ParameterBagUtils;
 use Symfony\Contracts\Service\ServiceProviderInterface;
 
 /**
@@ -69,17 +73,30 @@ public function login(UserInterface $user, string $authenticatorName = null, str
      */
     public function logout(): ?Response
     {
+        /** @var TokenStorageInterface $tokenStorage */
+        $tokenStorage = $this->container->get('security.token_storage');
+
+        if (!($token = $tokenStorage->getToken()) || !$token->getUser()) {
+            throw new LogicException('Unable to logout as there is no logged-in user.');
+        }
+
         $request = $this->container->get('request_stack')->getMainRequest();
-        $logoutEvent = new LogoutEvent($request, $this->container->get('security.token_storage')->getToken());
-        $firewallConfig = $this->container->get('security.firewall.map')->getFirewallConfig($request);
 
-        if (!$firewallConfig) {
-            throw new LogicException('It is not possible to logout, as the request is not behind a firewall.');
+        if (!$firewallConfig = $this->container->get('security.firewall.map')->getFirewallConfig($request)) {
+            throw new LogicException('Unable to logout as the request is not behind a firewall.');
         }
-        $firewallName = $firewallConfig->getName();
 
-        $this->container->get('security.firewall.event_dispatcher_locator')->get($firewallName)->dispatch($logoutEvent);
-        $this->container->get('security.token_storage')->setToken();
+        if ($this->container->has('security.csrf.token_manager') && $logoutConfig = $firewallConfig->getLogout()) {
+            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $logoutConfig['csrf_parameter']);
+            if (!\is_string($csrfToken) || false === $this->container->get('security.csrf.token_manager')->isTokenValid(new CsrfToken($logoutConfig['csrf_token_id'], $csrfToken))) {
+                throw new LogoutException('Invalid CSRF token.');
+            }
+        }
+
+        $logoutEvent = new LogoutEvent($request, $token);
+        $this->container->get('security.firewall.event_dispatcher_locator')->get($firewallConfig->getName())->dispatch($logoutEvent);
+
+        $tokenStorage->setToken();
 
         return $logoutEvent->getResponse();
     }

src/Symfony/Bundle/SecurityBundle/Tests/DependencyInjection/CompleteConfigurationTest.php

@@ -141,6 +141,7 @@ public function testFirewalls()
                 '',
                 [],
                 null,
+                null,
             ],
             [
                 'secure',
@@ -165,6 +166,14 @@ public function testFirewalls()
                     'parameter' => '_switch_user',
                     'role' => 'ROLE_ALLOWED_TO_SWITCH',
                 ],
+                [
+                    'csrf_parameter' => '_csrf_token',
+                    'csrf_token_id' => 'logout',
+                    'path' => '/logout',
+                    'target' => '/',
+                    'invalidate_session' => true,
+                    'delete_cookies' => [],
+                ],
             ],
             [
                 'host',
@@ -181,6 +190,7 @@ public function testFirewalls()
                     'http_basic',
                 ],
                 null,
+                null,
             ],
             [
                 'with_user_checker',
@@ -197,6 +207,7 @@ public function testFirewalls()
                     'http_basic',
                 ],
                 null,
+                null,
             ],
         ], $configs);
 

src/Symfony/Bundle/SecurityBundle/Tests/Functional/SecurityTest.php

@@ -20,6 +20,7 @@
 use Symfony\Component\Security\Core\User\InMemoryUser;
 use Symfony\Component\Security\Core\User\PasswordAuthenticatedUserInterface;
 use Symfony\Component\Security\Core\User\UserInterface;
+use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
 
 class SecurityTest extends AbstractWebTestCase
 {
@@ -88,31 +89,36 @@ public function userWillBeMarkedAsChangedIfRolesHasChangedProvider()
      * @testWith    ["json_login"]
      *              ["Symfony\\Bundle\\SecurityBundle\\Tests\\Functional\\Bundle\\AuthenticatorBundle\\ApiAuthenticator"]
      */
-    public function testLoginWithBuiltInAuthenticator(string $authenticator)
+    public function testLogin(string $authenticator)
     {
-        $client = $this->createClient(['test_case' => 'SecurityHelper', 'root_config' => 'config.yml', 'debug' => true]);
+        $client = $this->createClient(['test_case' => 'SecurityHelper', 'root_config' => 'config.yml']);
         static::getContainer()->get(WelcomeController::class)->authenticator = $authenticator;
         $client->request('GET', '/welcome');
         $response = $client->getResponse();
 
         $this->assertInstanceOf(JsonResponse::class, $response);
         $this->assertSame(200, $response->getStatusCode());
         $this->assertSame(['message' => 'Welcome @chalasr!'], json_decode($response->getContent(), true));
+        $this->assertSame('chalasr', static::getContainer()->get('security.helper')->getUser()->getUserIdentifier());
     }
 
-    /**
-     * @testWith    ["json_login"]
-     *              ["Symfony\\Bundle\\SecurityBundle\\Tests\\Functional\\Bundle\\AuthenticatorBundle\\ApiAuthenticator"]
-     */
-    public function testLogout(string $authenticator)
+    public function testLogout()
     {
-        $client = $this->createClient(['test_case' => 'SecurityHelper', 'root_config' => 'config.yml', 'debug' => true]);
-        static::getContainer()->get(WelcomeController::class)->authenticator = $authenticator;
-        $client->request('GET', '/welcome');
-        $this->assertEquals('chalasr', static::getContainer()->get('security.helper')->getUser()->getUserIdentifier());
+        $client = $this->createClient(['test_case' => 'SecurityHelper', 'root_config' => 'config.yml']);
+        $client->request('GET', '/force-logout');
+        $response = $client->getResponse();
+
+        $this->assertSame(200, $response->getStatusCode());
+        $this->assertNull(static::getContainer()->get('security.helper')->getUser());
+        $this->assertSame(['message' => 'Logout successful'], json_decode($response->getContent(), true));
+    }
 
-        $client->request('GET', '/auto-logout');
+    public function testLogoutWithCsrf()
+    {
+        $client = $this->createClient(['test_case' => 'SecurityHelper', 'root_config' => 'config_logout_csrf.yml']);
+        $client->request('GET', '/force-logout');
         $response = $client->getResponse();
+
         $this->assertSame(200, $response->getStatusCode());
         $this->assertNull(static::getContainer()->get('security.helper')->getUser());
         $this->assertSame(['message' => 'Logout successful'], json_decode($response->getContent(), true));
@@ -245,12 +251,16 @@ public function welcome()
 
 class LogoutController
 {
-    public function __construct(private Security $security)
+    public function __construct(private Security $security, private ?CsrfTokenManagerInterface $csrfTokenManager = null)
     {
     }
 
-    public function logout()
+    public function logout(Request $request)
     {
+        $this->security->login(new InMemoryUser('chalasr', '', ['ROLE_USER']), 'json_login', 'default');
+        if ($this->csrfTokenManager) {
+            $request->query->set('_csrf_token', (string) $this->csrfTokenManager->getToken('logout'));
+        }
         $this->security->logout();
 
         return new JsonResponse(['message' => 'Logout successful']);

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/SecurityHelper/config_logout_csrf.yml

@@ -0,0 +1,42 @@
+imports:
+    - { resource: ./../config/framework.yml }
+
+services:
+    # alias the service so we can access it in the tests
+    functional_test.security.helper:
+        alias: security.helper
+        public: true
+
+    functional.test.security.token_storage:
+        alias: security.token_storage
+        public: true
+
+    Symfony\Bundle\SecurityBundle\Tests\Functional\WelcomeController:
+        arguments: ['@security.helper']
+        public: true
+
+    Symfony\Bundle\SecurityBundle\Tests\Functional\LogoutController:
+        arguments: ['@security.helper', '@security.csrf.token_manager']
+        public: true
+
+    Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ApiAuthenticator: ~
+
+security:
+    enable_authenticator_manager: true
+    providers:
+        in_memory:
+            memory:
+                users: []
+
+    firewalls:
+        default:
+            json_login:
+                username_path: user.login
+                password_path: user.password
+            logout:
+                path: /regular-logout
+            custom_authenticators:
+                - 'Symfony\Bundle\SecurityBundle\Tests\Functional\Bundle\AuthenticatorBundle\ApiAuthenticator'
+
+    access_control:
+        - { path: ^/foo, roles: PUBLIC_ACCESS }

src/Symfony/Bundle/SecurityBundle/Tests/Functional/app/SecurityHelper/routing.yml

@@ -2,6 +2,6 @@ welcome:
     path: /welcome
     controller: Symfony\Bundle\SecurityBundle\Tests\Functional\WelcomeController::welcome
 
-logout:
-    path: /auto-logout
+force-logout:
+    path: /force-logout
     controller: Symfony\Bundle\SecurityBundle\Tests\Functional\LogoutController::logout