From 97636c37d83beeeb6dcc7b9c3c754086072af103 Mon Sep 17 00:00:00 2001
From: Nicolas Grekas <nicolas.grekas@gmail.com>
Date: Fri, 13 Sep 2024 10:33:46 +0200
Subject: [PATCH] Tweak login forms to enable double-submit CSRF protection

---
 src/Resources/skeleton/authenticator/login_form.tpl.php         | 2 ++
 src/Resources/skeleton/security/formLogin/login_form.tpl.php    | 2 ++
 .../fixtures/security/make-form-login/expected/login.html.twig  | 2 ++
 .../security/make-form-login/expected/login_no_logout.html.twig | 2 ++
 4 files changed, 8 insertions(+)

diff --git a/src/Resources/skeleton/authenticator/login_form.tpl.php b/src/Resources/skeleton/authenticator/login_form.tpl.php
index 2fdef9745..47069b25d 100644
--- a/src/Resources/skeleton/authenticator/login_form.tpl.php
+++ b/src/Resources/skeleton/authenticator/login_form.tpl.php
@@ -24,6 +24,8 @@
 
     <input type="hidden" name="_csrf_token"
            value="{{ csrf_token('authenticate') }}"
+           autocomplete="off"
+           data-controller="csrf-protection"
     >
 <?php if($support_remember_me && !$always_remember_me): ?>
 
diff --git a/src/Resources/skeleton/security/formLogin/login_form.tpl.php b/src/Resources/skeleton/security/formLogin/login_form.tpl.php
index ca64abdd9..f3d5f9fb9 100644
--- a/src/Resources/skeleton/security/formLogin/login_form.tpl.php
+++ b/src/Resources/skeleton/security/formLogin/login_form.tpl.php
@@ -24,6 +24,8 @@
 
         <input type="hidden" name="_csrf_token"
                value="{{ csrf_token('authenticate') }}"
+               autocomplete="off"
+               data-controller="csrf-protection"
         >
 
         {#
diff --git a/tests/fixtures/security/make-form-login/expected/login.html.twig b/tests/fixtures/security/make-form-login/expected/login.html.twig
index 07b5cd416..38271d729 100644
--- a/tests/fixtures/security/make-form-login/expected/login.html.twig
+++ b/tests/fixtures/security/make-form-login/expected/login.html.twig
@@ -22,6 +22,8 @@
 
         <input type="hidden" name="_csrf_token"
                value="{{ csrf_token('authenticate') }}"
+               autocomplete="off"
+               data-controller="csrf-protection"
         >
 
         {#
diff --git a/tests/fixtures/security/make-form-login/expected/login_no_logout.html.twig b/tests/fixtures/security/make-form-login/expected/login_no_logout.html.twig
index febede20a..fd02a7caa 100644
--- a/tests/fixtures/security/make-form-login/expected/login_no_logout.html.twig
+++ b/tests/fixtures/security/make-form-login/expected/login_no_logout.html.twig
@@ -16,6 +16,8 @@
 
         <input type="hidden" name="_csrf_token"
                value="{{ csrf_token('authenticate') }}"
+               autocomplete="off"
+               data-controller="csrf-protection"
         >
 
         {#