Silex FormServiceProvider and form.secret parameter

Question

I am using the FormServiceProvider from Silex and reading through the documentation it explains how it has one parameter called form.secret which I assumed meant constructing the provider with this:

$app->register(new Silex\Provider\FormServiceProvider(), [
    'form.secret' => 'SECRET HERE'
]); 

The problem is however when I look through the source code for this file I cannot see a constructor where this parameter would get used. Only seeing it set internally within the container to md5(__DIR__) .

https://github.com/silexphp/Silex/blob/master/src/Silex/Provider/FormServiceProvider.php#L48

Or would it be simply a case of not providing form.secret when constructing and simply setting $app['form.secret'] = 'SECRET HERE' after the provider has been registered?

Am I right in this assumption or I am I missing something?

Answer 1

You can see it being used in line 100 , when $app["form.csrf_provider"] is first accessed:

$app['form.csrf_provider'] = function ($app) {
    if (isset($app['session'])) {
        return new SessionCsrfProvider($app['session'], $app['form.secret']);
    }

    return new DefaultCsrfProvider($app['form.secret']);
};

Since whatever you pass is ignored and overwritten with the md5 call you mention, correct usage would be:

$app->register(new FormServiceProvider());
$app["form.secret"] = "foo";