From 5fdc49fecd73fa0c2ee42b5ec2ef80a33f40f066 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Rub=C3=A9n=20Rubio?= <ruben.rubio.barrera@gmail.com>
Date: Mon, 19 Jun 2017 13:27:59 +0200
Subject: [PATCH] Return null when csrfToken is not valid

I am not 100% sure of this change, but throwing an `InvalidCsrfTokenException` when the csrfToken is not valid makes the framework redirect to the url returned by `getLoginUrl` method, and from there, it keeps redirecting in a loop until the browser kills the redirections.

According to the documentation for `getCredentials` method, it should return `null` when there is some parameter missing, so I guess `null` is the correct value to return when the csrfToken validation fails.
---
 security/guard_authentication.rst | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/security/guard_authentication.rst b/security/guard_authentication.rst
index 52f8d644a87..c1b940e92a3 100644
--- a/security/guard_authentication.rst
+++ b/security/guard_authentication.rst
@@ -505,7 +505,7 @@ and add the following logic::
             $csrfToken = $request->request->get('_csrf_token');
             
             if (false === $this->csrfTokenManager->isTokenValid(new CsrfToken('authenticate', $csrfToken))) {
-                throw new InvalidCsrfTokenException('Invalid CSRF token.');
+                return null;
             }
             
             // ... all your normal logic