symfony: [5.3 beta2][Security] Can't validate manual CSRF (test env only)

Unorthodoxly solved by:

• Declaring a test route (available only in test env) that gets a token ID and returns a token
• Calling this route before making an API call lets you get the proper randomized token + side benefit of having the request stack initialized properly

Dummy POC implementation now is:

// config/routes/test/routes.yaml
csrf_generator:
  path: /csrf_generator
  controller: App\Controller\Application\Test\TestController::csrfGenerator

<?php
declare(strict_types=1);

namespace App\Controller\Test;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

final class TestController extends AbstractController
{
    public function __construct(
        private CsrfTokenManagerInterface $csrfTokenManager
    ) {}

    public function csrfGenerator(Request $request): Response
    {
        return new Response($this->csrfTokenManager->getToken($request->query->get('token'))->getValue());
    }
}

protected function callAPI(string $uri, array $data, string $tokenId): ?Crawler
    {
        if ($this->client === null)
            return null;

        $this->client->request('GET', "/csrf_generator?token=$tokenId");

        $csrfToken = $this->client->getResponse()->getContent();

        $apiData = [
            '__data' => $data,
            '__token' => $csrfToken
        ];
        return $this->client->xmlHttpRequest('POST', $uri, [], [], ['CONTENT_TYPE' => 'application/json'], json_encode($apiData));
    }

That was one of my previous leads, thanks for posting your whole solution. Pretty sure it always throws in ensureSessionIsAvailable(), so you always get the session from self::getContainer()->get('session'). Couldn’t make it work in my API Calls though, as it seems to unlog the user, but I haven’t tested it thoroughly.

@Pixelshaped I did find a possible work-around. The issue with the CSRF token not being stored to the session seemed to stem from the fact that there wasn’t a logged-in session. Since the Session service is being deprecated in favor of getting the RequestStack, then calling to get the Session from the RequestStack. The session from the RequestStack was simply the Session instance from the last Request object in the stack.

I will give one caveat to this, I haven’t tested if this works with following redirects or multiple request inside a single test case.

I added this to my abstract WebTestCase that extends from Symfony’s WebTestCase.

abstract class WebTestCase extends SymfonyWebTestCase
{

    protected function getSession(): SessionInterface
    {
        try {
            return self::getContainer()->get('request_stack')->getSession();
        } catch (SessionNotFoundException $e) {
            return self::getContainer()->get('session');
        }
    }

    protected function getCsrfProvider(): CsrfTokenManagerInterface
    {
        return static::getContainer()->get(CsrfTokenManagerInterface::class);
    }

    protected function getCsrfToken(string $tokenId): string
    {
        $this->ensureSessionIsAvailable();

        return (string)$this->getCsrfProvider()->getToken($tokenId);
    }

    protected function ensureSessionIsAvailable(): void
    {
        /** @var RequestStack $requestStack */
        $requestStack = self::getContainer()->get('request_stack');
        try {
            $requestStack->getSession();
        } catch (SessionNotFoundException $e) {
            $session = $this->getSession();
            $masterRequest = new Request();
            $masterRequest->setSession($session);
            $requestStack->push($masterRequest);
            $session->start();
            $session->save();
            $cookie = new Cookie($session->getName(), $session->getId());
            self::$client->getCookieJar()->set($cookie);
        }
    }


}

So, when calling $this->getCsrfToken('<token id>') from inside a test, it checks to see if a Session is already available. If there is, all-good. If not, we push a blank request to the stack and set a session instance on it.

I can confirm that this worked for my use-case where I just needed to get a single CSRF token for the login form. Whether it would work in a more-complex scenario, I’m not sure.

@Pixelshaped The code behind the route isn’t being tested. In our code, we mock the implementations and test only at the service layer. The test in question is the actual login form submission, so no user has been logged-in yet. I did end up using your example. However, having to make a test-only controller to generate the CSRF token instead of simply getting the CsrfTokenManager and generating the token from it directly in the test is a very… crude and hackish way to get the token.

I understand the reasoning for the token-storage changes and I’m not arguing against it. I’m asking for a more-elegant solution given that, even for basic form validation, I shouldn’t have to execute a request to create the form to test the submission logic behind it. This is grossly bloated and simply makes testing even more complicated and brittle. I should be able to run a test to simply test whether data being submitted is valid and not have to completely render a form, populate the form data, then use the crawler to “click” the submit button. I should be able to issue the data directly to the endpoint.