
I am trying to change the approach of rendering templates. I was using a server-side template engine. Now that I need to return only JSON from the backend instead of HTML, I need to move my templating to the front-end.

The problem for me as a newbie is when the template contains a form. In other words, when the final JSON should also contain a CSRF token. Please take the example of a CRUD application for books (one entity Book(id_book, name)). The template for reading a record shows the book name and allows deletion of a book.

In the Symfony2 controller, I use the createFormBuilder() method that creates the delete form object, to which I apply the createView() method. The object returned by the latter is used by form_widget() in the template engine (Twig). At the end:

<div id="bookName">{{book.name}}</div>
<div id="bookDelete">
      <form action="{{ path('book_delete', { 'id': book.id }) }}" method="post">
          <input type="hidden" name="_method" value="DELETE" />
          {{ form_widget(delete_form) }}
          <button type="submit"></button>
      </form>
</div>

Which will return:

<div id="bookName">Symfony2 In Depth</div>
<div id="bookDelete">
    <form action="/web/app_dev.php/deletes" method="post">
        <input type="hidden" name="_method" value="DELETE">
        <div id="form">
            <input type="hidden" id="form_id" name="form[id]" value="15">
            <input type="hidden" id="form__token" name="form[_token]" value="dd6573ae916ae30f78ba35a8c67e5d42a2764c1c">
        </div>
        <button type="submit"></button>
    </form>
</div>

What I imagine when moving template rendering to front-end is a final JSON from server looking like:

{
    "id": 15,
    "name": "Symfony2 in Depth",
    "csrf_token": "dd6573ae916ae30f78ba35a8c67e5d42a2764c1c"
}

The question is how to implement the same Symfony2 internal mechanism to render a CSRF token for the DELETE form, as part of the final JSON to read a book entity? Is it acceptable to get rid of {{ form_widget(delete_form) }} and all its long objects, and only serialize the CSRF token with the book name? What will this affect? I feel it is good for performance, but how?

Your usual guidance is much appreciated.

Adib Aroui

1 Answer


You can create your Twig file something like:

{# json_encode|raw emits valid JSON literals (quotes, commas, escaping) instead of HTML-escaped text #}
{
    "id": {{ form.id.vars.value|json_encode|raw }},
    "name": {{ form.name.vars.value|json_encode|raw }},
    "csrf_token": {{ form._token.vars.value|json_encode|raw }}
}

Anyway, I don't recommend you use a CSRF token when you are using an API; it is better if you disable it. If you want to disable it for the whole application, in config.yml:

framework:
    csrf_protection:
        enabled:        false

Or, just for one form, in the form Type add:

use Symfony\Component\OptionsResolver\OptionsResolver;

// inside your AbstractType subclass
public function configureOptions(OptionsResolver $resolver)
{
    $resolver->setDefaults(array(
        'csrf_protection' => false,
    ));
}
  • Well, how can I prevent the vulnerability when disabling csrf_token? Book deletion is something critical, and malicious users shouldn't be able to delete. Anyway, thank you for recommending that I remove the token from the API; it is a nice idea, since the CSRF token is kept the same for one user during their session, so I will put it in a JavaScript variable on first render and use it further. Any remarks regarding this? – Adib Aroui Jul 25 '15 at 15:36
  • I mean, it depends on whether you have an internal API or a public API. If you are developing a public API it doesn't make sense, and if you have an internal API and you use OAuth for authentication, the token of the user allows you to prevent the vulnerability, do you understand me? – Alfonso Machado Benito Jul 27 '15 at 09:52
  • Thanks Alfonso for your time. I think I am building an internal and a public API at the same time (it is a public website for content created by private authenticated users, i.e. a CRUD app where authentication is done via a login form). Regarding the fact that my app can be CSRF exempt, I read on SO different opinions that I don't fully understand (e.g. http://stackoverflow.com/questions/7600347/rails-api-design-without-disabling-csrf-protection)... – Adib Aroui Jul 27 '15 at 14:14
  • ... anyway, my confusion is still big because I am a newb and I need to learn more and more so that I can fully understand all the involved concepts (CSRF, API...). Anyway, thank you for also making me aware of OAuth; I will be back here after some of my confusion has cleared. – Adib Aroui Jul 27 '15 at 14:14
  • You're welcome, and don't forget to thank my answer :-P – Alfonso Machado Benito Jul 27 '15 at 14:54
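The approach the question sketches (return only id, name and a CSRF token as JSON, and drop the form widget) can be done without a Twig template at all, using the CSRF token manager that Symfony's form layer uses underneath. The following controller is an added example, not code from the question or the answer; it assumes Symfony 2.4 or later (where the `security.csrf.token_manager` service and `CsrfToken` class exist), an `AppBundle:Book` Doctrine entity with `getId()`/`getName()`, and routes that map `GET` and `DELETE` on `/api/books/{id}` to the two actions. It also addresses the concern raised in the comments: as long as the user is authenticated by a login form, i.e. a session cookie the browser attaches automatically, a DELETE endpoint without a token check is exactly what CSRF exploits, so the token is kept and verified rather than disabled.

```php
<?php
// Added example, not from the original question or answer.
// Assumes Symfony >= 2.4, an AppBundle:Book entity, and routing for
// GET/DELETE /api/books/{id} pointing at readAction/deleteAction.

namespace AppBundle\Controller;

use Symfony\Bundle\FrameworkBundle\Controller\Controller;
use Symfony\Component\HttpFoundation\JsonResponse;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Security\Csrf\CsrfToken;
use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;

class BookApiController extends Controller
{
    // Token id scoped to the record: a token issued for book 15 is not
    // valid for deleting book 16. Same mechanism the form layer uses,
    // which derives its id from the form name ("form" in the question).
    private function deleteTokenId($id)
    {
        return 'delete_book_' . (int) $id;
    }

    /** GET /api/books/{id}: the JSON the question wants instead of the form HTML. */
    public function readAction($id)
    {
        $book = $this->getDoctrine()->getRepository('AppBundle:Book')->find($id);
        if (!$book) {
            return new JsonResponse(array('error' => 'not found'), Response::HTTP_NOT_FOUND);
        }

        /** @var CsrfTokenManagerInterface $csrf */
        $csrf = $this->get('security.csrf.token_manager');

        // getToken() returns the session-bound token for this id, creating
        // it on first use; it is stable for the session, as noted in the comments.
        return new JsonResponse(array(
            'id'         => $book->getId(),
            'name'       => $book->getName(),
            'csrf_token' => $csrf->getToken($this->deleteTokenId($id))->getValue(),
        ));
    }

    /** DELETE /api/books/{id}: token from an X-CSRF-Token header or a "_token" body field. */
    public function deleteAction(Request $request, $id)
    {
        $value = $request->headers->get('X-CSRF-Token', $request->request->get('_token'));

        /** @var CsrfTokenManagerInterface $csrf */
        $csrf = $this->get('security.csrf.token_manager');

        // A missing or foreign token fails here; a cross-site form post cannot
        // read the JSON above, so it cannot supply the right value.
        if (!$csrf->isTokenValid(new CsrfToken($this->deleteTokenId($id), $value))) {
            return new JsonResponse(array('error' => 'invalid CSRF token'), Response::HTTP_FORBIDDEN);
        }

        $em   = $this->getDoctrine()->getManager();
        $book = $em->getRepository('AppBundle:Book')->find($id);
        if (!$book) {
            return new JsonResponse(array('error' => 'not found'), Response::HTTP_NOT_FOUND);
        }

        $em->remove($book);
        $em->flush();

        return new Response('', Response::HTTP_NO_CONTENT);
    }
}
```

The front-end stores the `csrf_token` from the read response and sends it back as the `X-CSRF-Token` header on the DELETE request. What disappears compared with the form-based version is only the `FormView` object graph and the `form[...]` field naming; the token generation and the check are the same ones `createFormBuilder()` would have wired in. Disabling `csrf_protection`, as the answer suggests, is safe only when nothing the browser sends automatically (a session cookie, HTTP Basic credentials) is enough to authenticate the request, for example with an OAuth bearer token that JavaScript must add explicitly.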