Symfony 2 Add CSRF Token when using a form without a class

Question

Firstly I'm a complete noobie with Symfony 2. The question sounds simple, if I try and put some context into why and how I need this it will start to get confusing.

In essence I've created a form, which I manually process, validate and insert using Doctrine etc. I am manually creating the form within a controller action (it's built dynamically from retrieved values from another object). I'm assuming there maybe better ways to do this, but as I'm new to Symfony and days of trawling the net, I can't see any solutions to what I need to do.

Therefore I'm not simply building a form against a class/entity etc and so I will manually need to add a CSRF token or some kind of protection.

In normal circumstances you would create the FormType and configure default options to have csrf_protection. Then a simple case of:

{{ form_widget(form._token) }}

and the csrf token is there.

As I'm dynamically building the form I am not sure how I can manually create a csrf token for my form. Has anyone had any experience of creating forms without a class and adding csrf protection?

Kind regards Paul Pounder

Answer 1

I think what you are looking for is the following :

This will render a CSRF token. Use this function if you want CSRF protection without creating a form

{{ csrf_token("intention") }}

For example:

<a href="{{ path('remove_stuff', {token: csrf_token('intention')}) }}">Remove</a>

source

To validate this token from a controller, you can do:

if ($this->get('token') !== $this->get('security.csrf.token_manager')->getToken('intention')->getValue()) {
    throw new \Symfony\Component\Security\Core\Exception\InvalidCsrfTokenException('Invalid CSRF token');
}

To simplify check the token on Symfony 2.6 or newer

if ($this->isCsrfTokenValid('intention', $submittedToken)) {
    // ... do something, like deleting an object
}  

Answer 2

Connection between Form Type and token:

{{ csrf_token("task_item_intention") }}

and in Form Type:

class TaskType extends AbstractType
{
// ...

public function setDefaultOptions(OptionsResolverInterface $resolver)
{
    $resolver->setDefaults(array(
        'data_class'      => 'Acme\TaskBundle\Entity\Task',
        'csrf_protection' => true,
        'csrf_field_name' => '_token',
        // a unique key to help generate the secret token
        'intention'       => 'task_item_intention',
    ));
}

// ...
}

Answer 3

In (my) normal circumstances you create a form and do not specifically configure CSRF - it happens automatically, and you use form_rest(form) or form_end(form) to render the hidden input with CSRF token. I do not believe that this is any different for a form not backed by a model.