From 076fd2088ada33d760758d98ff07ddedbf567946 Mon Sep 17 00:00:00 2001
From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Mon, 23 Jan 2023 19:43:46 +0100
Subject: [PATCH] [Security/Http] Remove CSRF tokens from storage on successful
 login

---
 Resources/config/security.xml          | 1 +
 Tests/Functional/CsrfFormLoginTest.php | 6 ++++++
 Tests/Functional/LogoutTest.php        | 4 +---
 composer.json                          | 2 +-
 4 files changed, 9 insertions(+), 4 deletions(-)

diff --git a/Resources/config/security.xml b/Resources/config/security.xml
index 3491383b..eabe5e54 100644
--- a/Resources/config/security.xml
+++ b/Resources/config/security.xml
@@ -63,6 +63,7 @@
 
         <service id="security.authentication.session_strategy" class="Symfony\Component\Security\Http\Session\SessionAuthenticationStrategy">
             <argument>%security.authentication.session_strategy.strategy%</argument>
+            <argument type="service" id="security.csrf.token_storage" on-invalid="ignore" />
         </service>
         <service id="Symfony\Component\Security\Http\Session\SessionAuthenticationStrategyInterface" alias="security.authentication.session_strategy" />
 
diff --git a/Tests/Functional/CsrfFormLoginTest.php b/Tests/Functional/CsrfFormLoginTest.php
index 1a672d70..08ea67a6 100644
--- a/Tests/Functional/CsrfFormLoginTest.php
+++ b/Tests/Functional/CsrfFormLoginTest.php
@@ -19,12 +19,15 @@ class CsrfFormLoginTest extends AbstractWebTestCase
     public function testFormLoginAndLogoutWithCsrfTokens($config)
     {
         $client = $this->createClient(['test_case' => 'CsrfFormLogin', 'root_config' => $config]);
+        static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');
 
         $form = $client->request('GET', '/login')->selectButton('login')->form();
         $form['user_login[username]'] = 'johannes';
         $form['user_login[password]'] = 'test';
         $client->submit($form);
 
+        $this->assertFalse(static::$container->get('security.csrf.token_storage')->hasToken('foo'));
+
         $this->assertRedirect($client->getResponse(), '/profile');
 
         $crawler = $client->followRedirect();
@@ -48,11 +51,14 @@ public function testFormLoginAndLogoutWithCsrfTokens($config)
     public function testFormLoginWithInvalidCsrfToken($config)
     {
         $client = $this->createClient(['test_case' => 'CsrfFormLogin', 'root_config' => $config]);
+        static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');
 
         $form = $client->request('GET', '/login')->selectButton('login')->form();
         $form['user_login[_token]'] = '';
         $client->submit($form);
 
+        $this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo'));
+
         $this->assertRedirect($client->getResponse(), '/login');
 
         $text = $client->followRedirect()->text(null, true);
diff --git a/Tests/Functional/LogoutTest.php b/Tests/Functional/LogoutTest.php
index cb7868f3..465027f4 100644
--- a/Tests/Functional/LogoutTest.php
+++ b/Tests/Functional/LogoutTest.php
@@ -36,15 +36,13 @@ public function testSessionLessRememberMeLogout()
     public function testCsrfTokensAreClearedOnLogout()
     {
         $client = $this->createClient(['test_case' => 'LogoutWithoutSessionInvalidation', 'root_config' => 'config.yml']);
-        static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');
 
         $client->request('POST', '/login', [
             '_username' => 'johannes',
             '_password' => 'test',
         ]);
 
-        $this->assertTrue(static::$container->get('security.csrf.token_storage')->hasToken('foo'));
-        $this->assertSame('bar', static::$container->get('security.csrf.token_storage')->getToken('foo'));
+        static::$container->get('security.csrf.token_storage')->setToken('foo', 'bar');
 
         $client->request('GET', '/logout');
 
diff --git a/composer.json b/composer.json
index 1106acfa..4061646f 100644
--- a/composer.json
+++ b/composer.json
@@ -25,7 +25,7 @@
         "symfony/security-core": "^4.4",
         "symfony/security-csrf": "^4.2|^5.0",
         "symfony/security-guard": "^4.2|^5.0",
-        "symfony/security-http": "^4.4.5"
+        "symfony/security-http": "^4.4.50"
     },
     "require-dev": {
         "doctrine/annotations": "^1.10.4",