From d80b3c4d3131effc68262f0578e03e8a2c792d4e Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Sat, 20 Apr 2024 14:39:33 +0200 Subject: [PATCH 1/3] [Security]: Aligning CSRF `tokenId` with other code sample Page: https://symfony.com/doc/5.x/security.html * I'm making this compatible with the `tokenId` used at https://symfony.com/doc/5.x/security/custom_authenticator.html#passport-badges * Where is the info coming from that it "must" be called `authenticate`? The docblock of `CsrfTokenBadge` just says it's an "arbitrary string" --- security.rst | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/security.rst b/security.rst index c611fe4654c..d00464b9353 100644 --- a/security.rst +++ b/security.rst @@ -960,8 +960,7 @@ First, you need to enable CSRF on the form login: Then, use the ``csrf_token()`` function in the Twig template to generate a CSRF token and store it as a hidden field of the form. By default, the HTML field -must be called ``_csrf_token`` and the string used to generate the value must -be ``authenticate``: +is called ``_csrf_token`` and takes an arbitrary string as argument ``tokenId``: .. code-block:: html+twig @@ -971,7 +970,7 @@ be ``authenticate``:
{# ... the login fields #} - +
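Review bot: the replacement sentence in the ``@@ -960,8 +960,7 @@`` hunk overgeneralizes. "takes an arbitrary string as argument ``tokenId``" describes ``CsrfTokenBadge`` as used from a custom authenticator, but this section documents the built-in form login, whose CSRF check is tied to one specific token id; that is why the removed lines said the value must be ``authenticate``, and why PATCH 3/3 in this same series puts that requirement back. Dropping "must" from "must be called ``_csrf_token``" weakens the field-name requirement in the same way: the built-in authenticator reads the token from a fixed request parameter, so a hidden field with another name is simply not what it reads. ``tokenId`` is also a parameter name from the badge class, not something a Twig user sees; either say "the first argument of ``csrf_token()`` is the token id" or leave the name out. If the goal is alignment with the custom authenticator page, the better fix is a sentence on that page noting that a custom authenticator may pick any id as long as the badge and the template agree, rather than relaxing the wording here.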
From 12e045d37d0ac585590081841815f0cf176113a1 Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Sat, 20 Apr 2024 14:42:01 +0200 Subject: [PATCH 2/3] Update custom_authenticator.rst --- security/custom_authenticator.rst | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/security/custom_authenticator.rst b/security/custom_authenticator.rst index e79d8a002a1..4edb1ab1016 100644 --- a/security/custom_authenticator.rst +++ b/security/custom_authenticator.rst @@ -349,9 +349,9 @@ would initialize the passport like this:: { public function authenticate(Request $request): Passport { - $password = $request->request->get('password'); $username = $request->request->get('username'); - $csrfToken = $request->request->get('csrf_token'); + $password = $request->request->get('password'); + $csrfToken = $request->request->get('_csrf_token'); // ... validate no parameter is empty From 92a8fe849e1af1c734998a2fe73450989e9eb6ef Mon Sep 17 00:00:00 2001 From: Thomas Landauer Date: Mon, 22 Apr 2024 00:01:42 +0200 Subject: [PATCH 3/3] Update security.rst --- security.rst | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/security.rst b/security.rst index d00464b9353..ff0ba9812af 100644 --- a/security.rst +++ b/security.rst @@ -958,9 +958,9 @@ First, you need to enable CSRF on the form login: .. _csrf-login-template: -Then, use the ``csrf_token()`` function in the Twig template to generate a CSRF -token and store it as a hidden field of the form. By default, the HTML field -is called ``_csrf_token`` and takes an arbitrary string as argument ``tokenId``: +Then, add a hidden field to the form. In order to work with the built-in ``FormLoginAuthenticator``, +the HTML field must be called ``_csrf_token``, and the argument of Twig's ``csrf_token()`` function +must be called ``authenticate``: .. code-block:: html+twig
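Review bot: renaming the request key to ``_csrf_token`` in the ``@@ -349,9 +349,9 @@`` hunk of ``security/custom_authenticator.rst`` fixes only half of a possible mismatch. The hidden field in that page's accompanying template must carry the same name, and the hunk shows no change to the template or to the token id later passed to ``CsrfTokenBadge``, so please confirm both still agree after this rename; the field name (what ``$request->request->get()`` reads) and the token id (what ``csrf_token()`` was called with in the template) are independent and both have to line up. The ``$username``/``$password`` reorder in the same hunk is unrelated churn; either drop it from a docs fix or mention it in the commit message, which currently reads only "Update custom_authenticator.rst".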
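Review bot: "the argument of Twig's ``csrf_token()`` function must be called ``authenticate``" in the ``@@ -958,9 +958,9 @@`` hunk is imprecise: the argument is not named, its value must be the string ``authenticate``, because that is the token id the built-in ``FormLoginAuthenticator`` validates against, as the new sentence itself says. Suggest: "and the token id passed to Twig's ``csrf_token()`` function must be ``authenticate``". Since this patch reinstates exactly the requirement that PATCH 1/3 removed, squash the series so the intermediate "arbitrary string" wording never lands in history, and update the PR title, which still reads "Aligning CSRF ``tokenId`` with other code sample" although the final text no longer does that.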