Reputation: 4383
I have a password resetting feature on my site; however, the form is not working. When trying to set the password, an "Invalid CSRF token" error is shown.
This is my actual password resetting form:
<div class="login-form">
<form name="fos_user_resetting_form" method="post" action="{{ path('fos_user_resetting_reset', {'token': token}) }}" class="needs-validation" novalidate>
<div class="form-group">
<label for="fos_user_resetting_form_plainPassword_first" class="required">{{ 'form.password'|trans }}</label>
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-key"></i></div>
<input type="password" class="form-control" id="fos_user_resetting_form_plainPassword_first" name="fos_user_resetting_form[plainPassword][first]" required="required" autocomplete="new-password" />
<div class="invalid-tooltip">Por favor, ingrese la nueva contraseña.</div>
</div>
</div>
<div class="form-group">
<label for="fos_user_resetting_form_plainPassword_second" class="required">{{ 'form.password_confirmation'|trans }}</label>
<div class="input-group">
<div class="input-group-addon"><i class="fa fa-key"></i></div>
<input type="password" class="form-control" id="fos_user_resetting_form_plainPassword_second" name="fos_user_resetting_form[plainPassword][second]" required="required" autocomplete="new-password" />
<div class="invalid-tooltip" id="confirm_password_error">Por favor, ingrese la nueva contraseña.</div>
</div>
</div>
<div>
<button type="submit" id="_submit" name="_submit" class="btn btn-success btn-flat m-b-30 m-t-30">{{ 'resetting.reset.submit'|trans }}</button>
</div>
</form>
</div>
I know I need to add a _csrf_token hidden input to the form, but how?
I tried with:
{% if csrf_token %}
<input type="hidden" name="_csrf_token" value="{{ csrf_token }}" />
{% endif %}
With:
{% if _token %}
<input type="hidden" name="_csrf_token" value="{{ _token }}" />
{% endif %}
With:
<input type="hidden" id="fos_user_resetting_form__token" name="fos_user_resetting_form[_token]" value="{{ _token }}" />
And other attempts... but none of them works. In all cases, a Twig error is shown with 'Variable "_token" does not exist.'
When using the Symfony debug toolbar, I clearly see that the variable is called "_token". I don't know what else to try.
EDIT: when looking at the Symfony Profiler, this is shown. The variable "_token" does exist, but I can't find a way to use it in the view.
When using the default FOSUserBundle form, the value of _token is rendered. I could not find how it is actually rendered, since it uses {{ form_widget(form) }}, and when I looked at the corresponding Form Type, I did not see any clue about this.
Thanks Jaime
Upvotes: 1
Views: 1287
Reputation: 3444
For anyone trying to add the CSRF token without generating the whole form, you can use {{ fos_csrf_provider.refreshToken('resetting') }} in your Twig template. Example:
<!-- Form -->
<form id="change-password-form" action="{{ path("user_resetting_reset",{'token': token}) }}" method="post" name="change-password-form">
<div class="form-group">
<input id="change_password_first_password" class="input form-control" required type="password" name="first" placeholder="{% trans %}New password{% endtrans %}">
</div>
<div class="form-group">
<input id="change_password_second_password" class="input form-control" required type="password" name="second" placeholder="{% trans %}Retype new password{% endtrans %}">
</div>
<input type="hidden" id="profile_token" name="_token" value="{{ fos_csrf_provider.refreshToken('resetting') }}" />
<button type="submit" class="btn btn-block ui-gradient-green shadow-md">Reset</button>
</form>
<!-- Form -->
Upvotes: 0
Reputation: 4383
Finally, it was easier than I thought.
I simply added {{ form_widget(form._token) }} where the token should be in the form. That way, the correct token value was rendered for the hidden input field.
Regards Jaime
Upvotes: 2
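To show what the hand-rendered hidden field has to match on the server side, here is an added example of the check that produces the "Invalid CSRF token" rejection; it is not code from the question or from FOSUserBundle. It assumes Symfony 5.1 or later (AbstractController, InputBag::all('key')), the route name the question's form posts to, and a form type whose csrf_token_id is 'resetting', which is what FOSUserBundle's ResettingFormType sets and what refreshToken('resetting') above relies on.

```php
<?php
// Added example (not code from the question or from FOSUserBundle).
// Assumes Symfony 5.1+ and a form type whose csrf_token_id is 'resetting'.
namespace App\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

class ResettingController extends AbstractController
{
    // Same route name the question's form posts to.
    #[Route('/resetting/reset/{token}', name: 'fos_user_resetting_reset', methods: ['POST'])]
    public function reset(Request $request, string $token): Response
    {
        // A hand-written form must post the CSRF token under the same key the
        // Form component looks for: fos_user_resetting_form[_token].
        $submitted = $request->request->all('fos_user_resetting_form');
        $csrf = (string) ($submitted['_token'] ?? '');

        // This is the same comparison the form's CSRF extension performs:
        // the value rendered by {{ form_widget(form._token) }} or
        // {{ csrf_token('resetting') }} is validated against the id 'resetting'.
        // A token minted for a different id (e.g. 'authenticate') fails here,
        // as does a missing or renamed hidden field.
        if (!$this->isCsrfTokenValid('resetting', $csrf)) {
            // Reject before touching the password or the reset token.
            throw $this->createAccessDeniedException('Invalid CSRF token.');
        }

        // ... load the user by $token and persist the new password here ...
        return new Response('Password updated.');
    }
}
```

When the form is built with the Form component and handled via handleRequest(), this check is performed for you by the CSRF form extension; the explicit call only makes visible which field name and token id must agree.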
Reputation: 3611
Have you tried the following? From How to Implement CSRF Protection:
<input type="hidden" name="_csrf_token"
value="{{ csrf_token('authenticate') }}"
>
Upvotes: 0