The #[IsCsrfTokenValid] attribute eliminates the need for a request parameter in your method. #19867
Conversation
|
Thank you @rcsofttech85. |
| @@ -176,7 +176,7 @@ attribute on the controller action:: | |||
| // ... | |||
|
|
|||
| #[IsCsrfTokenValid('delete-item', tokenKey: 'token')] | |||
There was a problem hiding this comment.
This was asked in the Symfony blog: https://symfony.com/blog/new-in-symfony-7-1-iscsrftokenvalid-attribute#comment-25462
The 'token' value in tokenKey, should be '_token' instead?
There was a problem hiding this comment.
@javiereguiluz no, input type="hidden" name="token" value="{{ csrf_token('delete-item') }}" The value of the token key is determined by what you name it. By default, it's '_token', and when you override its value, you need to mention it in the attribute. Currently, in the documentation, it's correctly mentioned as #[IsCsrfTokenValid('delete-item', tokenKey: 'token')].
The blog you mentioned needs refactoring. Consider changing $request->request->getString('_token') to simply 'token', or alternatively, updating #[IsCsrfTokenValid('delete_example', tokenKey: 'token')] to
#[IsCsrfTokenValid('delete_example')]
There was a problem hiding this comment.
I've updated the blog post. Thanks!
There was a problem hiding this comment.
I've checked.You don't need to mention tokenKey: '_token' because that's the default value. You would only use the second parameter, tokenKey, if it's different from '_token'.
There was a problem hiding this comment.
@rcsofttech85 I'm sorry 🙏 This is fixed now. Thanks a lot for checking it.
#[IsCsrfTokenValid] attribute in Symfony 7.1 does not require you to include a request parameter in the method itself. The attribute uses the request object internally to access the submitted data for validation.
for example