
Handling the CSRF token in Symfony's forms in a public REST context

I'm developing my first Symfony (3) app. It is a publicly accessible REST service. I'm doing this using FOSRestBundle. I'll have to add some admin forms sooner or later, and I'll probably want to create them directly (without the extra work of consuming my own web services).

I wonder how to handle the CSRF token in this case. I see different solutions:

  • globally deactivate the CSRF token: I don't want to do this
  • create two sets of forms, one with the token activated for my admin forms, the other one for the REST API. => in this case, the REST API can't have a fallback _format=html
  • find a way to give the API consumer an auth, with an API_GROUP, and disable the token for this group
    • it seems to me the best solution, but I don't know how to do it transparently, without affecting the auth of my future admin, and without needing to give credentials in the REST request.
  • use an event listener in order to hack Symfony's auth mechanism and give an auth if a call is made to the REST API (all but _format=html)

Which of these (or other) solutions seems best to you, and how would you code it?

I found a way, perhaps not the best one, but it works:

// _format is set by FOSRestBundle's format listener (html, json, xml, ...)
$_format = $request->attributes->get('_format');
if ('html' == $_format) {
    // Browser rendering: keep the CSRF token enabled
    $form = $this->createForm(ItopInstanceUserType::class, $itopInstanceUser);
} else {
    // API clients do not submit a CSRF token, so disable it for this form only
    $form = $this->createForm(ItopInstanceUserType::class, $itopInstanceUser, ['csrf_protection' => false]);
}
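The same decision can live in the form type instead of being repeated in every controller action. The following is an added example, not code from the question or the answer above; it assumes Symfony 3.x, a hypothetical `AppBundle\Entity\ItopInstanceUser` entity, placeholder field names, and that the type is registered as a service so that `RequestStack` can be injected (autowired from Symfony 3.3, or an explicit service definition tagged `form.type` on older 3.x releases).

```php
<?php
// Added example (not the question's or the answer's code): the
// "CSRF on for HTML, off for API formats" rule moves into the form type,
// so every createForm(ItopInstanceUserType::class, ...) call behaves the same.

namespace AppBundle\Form;

use Symfony\Component\Form\AbstractType;
use Symfony\Component\Form\Extension\Core\Type\TextType;
use Symfony\Component\Form\FormBuilderInterface;
use Symfony\Component\HttpFoundation\RequestStack;
use Symfony\Component\OptionsResolver\OptionsResolver;

class ItopInstanceUserType extends AbstractType
{
    /** Formats rendered as browser forms and therefore needing a CSRF token. */
    const BROWSER_FORMATS = ['html'];

    /** @var RequestStack */
    private $requestStack;

    public function __construct(RequestStack $requestStack)
    {
        $this->requestStack = $requestStack;
    }

    public function buildForm(FormBuilderInterface $builder, array $options)
    {
        // Placeholder field; the real entity fields are not shown on the page.
        $builder->add('login', TextType::class);
    }

    public function configureOptions(OptionsResolver $resolver)
    {
        $resolver->setDefaults([
            'data_class'      => 'AppBundle\Entity\ItopInstanceUser', // hypothetical entity
            // Keep the token for browser rendering; drop it for json/xml API
            // clients, which must be covered by their own stateless auth instead.
            'csrf_protection' => $this->isBrowserRequest(),
        ]);
    }

    /**
     * True when the current request is rendered as HTML, or when there is no
     * request at all (e.g. a console command), so CSRF stays on by default.
     */
    private function isBrowserRequest()
    {
        $request = $this->requestStack->getCurrentRequest();
        if (null === $request) {
            return true;
        }

        // getRequestFormat() returns the _format attribute, falling back to 'html'
        return in_array($request->getRequestFormat('html'), self::BROWSER_FORMATS, true);
    }
}
```

With this in place the controller calls `$this->createForm(ItopInstanceUserType::class, $itopInstanceUser)` in both branches. The check a practitioner should keep in mind: dropping the token for non-HTML formats is only safe if the API firewall is stateless (no session-cookie authentication), because CSRF protection exists precisely to cover requests that carry ambient cookie credentials.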

For me, forget about managing the CSRF token yourself; look into subjects like OAuth authentication.

Take a look here: https://github.com/FriendsOfSymfony/FOSOAuthServerBundle/blob/master/Resources/doc/index.md

FOSOAuthServerBundle works perfectly with FOSRestBundle.
