Using IsCsrfTokenValid attribute with invalid token redirects user to login page

[cyve]

Symfony version(s) affected

7.1.1

Description

Hi,
I tried the new IsCsrfTokenValid attribute on a route to handle a form. When the token is invalid, the user is redirected to the login page instead of an error page. Probably because IsCsrfTokenValidAttributeListener throws a InvalidCsrfTokenException witch extends AuthenticationException.

How to reproduce

Add IsCsrfTokenValid attribute on a route handling a form

#[Route('/add-to-cart', name: 'add_to_cart', methods: ['POST'])]
#[IsCsrfTokenValid('add_to_cart')]
public function __invoke(Request $request): Response
{
}

Load the page and wait for the token to expire (or generate an invalid token)

<form method="post" action="{{ path('add_to_cart') }}">
  <input type="hidden" name="product" value="{{ product.id }}">
  <input type="hidden" name="_token" value="this_token_is_invalid">
</form>

Possible Solution

Maybe we could throw a BadRequestHttpException instead of an InvalidCsrfTokenException in IsCsrfTokenValidAttributeListener ? But I guess there is a good reason for InvalidCsrfTokenException to extend AuthenticationException, so I can't really see the implications.
If this solution looks good to you, I can create a PR.

Additional Context

No response

[eltharin]

I think InvalidCsrfTokenException must extends AccessDeniedException instaed of AuthenticationException to get a 403 response instead a login page redirection.

For the moment it's possible in a custom authenticator to set the start function as mentioned in #16026 (comment)

[xabbuh]

Can you create a small example application that allows to reproduce your issue?

[eltharin]

sure,
https://github.com/eltharin/reproducer_symfony_57343.git
juste have to make a composer install and serve it,
If you go to https://127.0.0.1:8000/test you will be redirect to /login (I don't agree with that but it's another discussion)
if you log with user@fr.fr / password and go to /test you are still redirected to /login
if you change InvalidCsrfTokenException extends AccessDeniedException instaed of AuthenticationException you have an error page with Invalid CSRF Token

do you want I make the PR ? (Bug or New Feature ? )

This symptome is joining issues :
#16026
#54318
I'm working on a PR for add a security option to block the login redirect and show error if we are already logged for those who want to prevent these behavior.

[eltharin]

With reflexion, BadRequestHttpException will be a better choice for extends, beacause a Csrf Error is not automaticly linked to an authentification

[eltharin]

What about the HTTP code ? 403 is for acces denied, Is really CSRF error an acces denied ? For a contact form can we speak about Access ?

[netonevess]

for a temporary solution, I did the following code:
https://github.com/netonevess/Symfony72-csrf-response-modifyer/blob/main/InvalidTokenListener.php

My software was redirecting to the login page once an invalid CSRF using the new attribute #[IsCsrfTokenValid] and now a custom JSON message.

[eltharin]

Yeah I created a Exception Transformer near you made, But it can be better to be in core

[netonevess]

Yeah I created a Exception Transformer near you made, But it can be better to be in core

please help us to improve that one. You can create a PR to this repo