symfony · xabbuh · Oct 14, 2025
@@ -69,7 +69,7 @@ public function authenticate(RequestEvent $event): void
         $request = $event->getRequest();
 
         if (null !== $this->csrfTokenManager) {
-            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter'], $request->request->all());
+            $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
 
             if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
                 throw new LogoutException('Invalid CSRF token.');

@@ -50,23 +50,26 @@ public function testHandleUnmatchedPath()
         $this->assertFalse($logoutEventDispatched, 'LogoutEvent should not have been dispatched.');
     }
 
-    public function testHandleMatchedPathWithCsrfValidation()
+    /**
+     * @dataProvider requestWithCsrfTokenProvider
+     */
+    public function testHandleMatchedPathWithCsrfValidation(Request $request)
     {
         $tokenManager = $this->getTokenManager();
         $dispatcher = $this->getEventDispatcher();
 
         [$listener, $tokenStorage, $httpUtils, $options] = $this->getListener($dispatcher, $tokenManager);
 
-        $request = new Request();
-        $request->query->set('_csrf_token', 'token');
-
         $httpUtils->expects($this->once())
             ->method('checkRequestPath')
             ->with($request, $options['logout_path'])
             ->willReturn(true);
 
         $tokenManager->expects($this->once())
             ->method('isTokenValid')
+            ->with($this->callback(static function (CsrfToken $token): bool {
+                return 'token' === $token->getValue();
+            }))
             ->willReturn(true);
 
         $response = new Response();
@@ -89,47 +92,12 @@ public function testHandleMatchedPathWithCsrfValidation()
         $this->assertSame($response, $event->getResponse());
     }
 
-    public function testHandleMatchedPathWithCsrfInQueryParamAndBody()
+    public function requestWithCsrfTokenProvider()
     {
-        $tokenManager = $this->getTokenManager();
-        $dispatcher = $this->getEventDispatcher();
-
-        [$listener, $tokenStorage, $httpUtils, $options] = $this->getListener($dispatcher, $tokenManager);
-
-        $request = new Request();
-        $request->query->set('_csrf_token', 'token');
-        $request->request->set('_csrf_token', 'token2');
-
-        $httpUtils->expects($this->once())
-            ->method('checkRequestPath')
-            ->with($request, $options['logout_path'])
-            ->willReturn(true);
-
-        $tokenManager->expects($this->once())
-            ->method('isTokenValid')
-            ->with($this->callback(function ($token) {
-                return $token instanceof CsrfToken && 'token2' === $token->getValue();
-            }))
-            ->willReturn(true);
-
-        $response = new Response();
-        $dispatcher->addListener(LogoutEvent::class, function (LogoutEvent $event) use ($response) {
-            $event->setResponse($response);
-        });
-
-        $tokenStorage->expects($this->once())
-            ->method('getToken')
-            ->willReturn($token = $this->getToken());
-
-        $tokenStorage->expects($this->once())
-            ->method('setToken')
-            ->with(null);
-
-        $event = new RequestEvent($this->createMock(HttpKernelInterface::class), $request, HttpKernelInterface::MAIN_REQUEST);
-
-        $listener($event);
-
-        $this->assertSame($response, $event->getResponse());
+        return [
+            'GET' => [Request::create('/', 'GET', ['_csrf_token' => 'token'])],
+            'POST' => [Request::create('/', 'POST', ['_csrf_token' => 'token'])],
+        ];
     }
 
     public function testHandleMatchedPathWithoutCsrfValidation()