From d6cfb3699eb034cfa733639529a4bd27c12a4227 Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Tue, 20 Oct 2015 22:02:36 +0200
Subject: [PATCH 1/5] document old way of checking validity of CSRF token
---
book/controller.rst | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/book/controller.rst b/book/controller.rst
index 1d15b914d7b..f95969001f8 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -794,6 +794,22 @@ Just like when creating a controller for a route, the order of the arguments of
 order of the arguments, Symfony will still pass the correct value to each variable.
+Checking the Validity of a CSRF Token
+-------------------------------------
+
+Sometimes you want to use CSRF protection in an action where you don't want to use a
+Symfony form.
+
+If, for example, you're doing a DELETE action, you can use the
+:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\CsrfProviderAdapter::isTokenValid`
+method to check the CSRF token::
+
+ use Symfony\Component\Security\Csrf\CsrfToken;
+
+ $this->get('security.csrf.token_manager')->isTokenValid(
+ new CsrfToken('token_id', 'TOKEN')
+ );
+
 Final Thoughts
 --------------
From eda73326989fa0897eb88dd0d501cbfb34829771 Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Thu, 22 Oct 2015 19:36:34 +0200
Subject: [PATCH 2/5] fix code example
---
book/controller.rst | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
diff --git a/book/controller.rst b/book/controller.rst
index f95969001f8..b4c29fcf36a 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -801,14 +801,11 @@ Sometimes you want to use CSRF protection in an action where you don't want to u
 Symfony form.
 If, for example, you're doing a DELETE action, you can use the
-:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\CsrfProviderAdapter::isTokenValid`
+:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\DefaultCsrfProvider::isCsrfTokenValid`
 method to check the CSRF token::
- use Symfony\Component\Security\Csrf\CsrfToken;
-
- $this->get('security.csrf.token_manager')->isTokenValid(
- new CsrfToken('token_id', 'TOKEN')
- );
+ $csrf = $this->container->get('form.csrf_provider');
+ $csrf->isCsrfTokenValid('authenticate', new CsrfToken('token_id', 'TOKEN'));
 Final Thoughts
 --------------
From 73209d05ff21c223374a21668a40492fa591db1f Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Thu, 22 Oct 2015 19:44:00 +0200
Subject: [PATCH 3/5] use generateCsrfToken()
---
book/controller.rst | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/book/controller.rst b/book/controller.rst
index b4c29fcf36a..b03ca33d099 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -805,7 +805,10 @@ If, for example, you're doing a DELETE action, you can use the
 method to check the CSRF token::
 $csrf = $this->container->get('form.csrf_provider');
- $csrf->isCsrfTokenValid('authenticate', new CsrfToken('token_id', 'TOKEN'));
+ $intention = 'authenticate';
+ $token = $csrf->generateCsrfToken($intention);
+
+ $csrf->isCsrfTokenValid($intention, $token);
 Final Thoughts
 --------------
From 7b574210b3c61d58f736993bd46ebb9d7ae95827 Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Tue, 1 Dec 2015 13:10:20 +0100
Subject: [PATCH 4/5] link to interface
---
book/controller.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/book/controller.rst b/book/controller.rst
index b03ca33d099..f67a929c330 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -801,7 +801,7 @@ Sometimes you want to use CSRF protection in an action where you don't want to u
 Symfony form.
 If, for example, you're doing a DELETE action, you can use the
-:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\DefaultCsrfProvider::isCsrfTokenValid`
+:method:`Symfony\\Component\\Form\\Extension\\Csrf\\CsrfProvider\\CsrfProviderInterface::isCsrfTokenValid`
 method to check the CSRF token::
 $csrf = $this->container->get('form.csrf_provider');
From fb1c73de1c79187c471abaa8b9e19603092de808 Mon Sep 17 00:00:00 2001
From: Henry Snoek
Date: Tue, 15 Dec 2015 19:48:07 +0100
Subject: [PATCH 5/5] more realistic example
---
book/controller.rst | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/book/controller.rst b/book/controller.rst
index f67a929c330..70a72db5fb2 100644
--- a/book/controller.rst
+++ b/book/controller.rst
@@ -808,7 +808,9 @@ method to check the CSRF token::
 $intention = 'authenticate';
 $token = $csrf->generateCsrfToken($intention);
- $csrf->isCsrfTokenValid($intention, $token);
+ if (!$csrf->isCsrfTokenValid($intention, $token)) {
+ // CSRF token invalid! Do something, like redirect with an error.
+ }
 Final Thoughts
 --------------