CSRF token is missing

[htuscher]

If you have a fusion based form on your page, only the trustedProperties are rendered as hidden fields.
That's usually not a problem, as long as your frontend user is not logged in.

Cause:
CSRF check is disabled if no user is authenticated. But if it is, it expects a valid CSRF token for every non-safe request.
The fusion form renderer is currently missing the hidden field __csrfToken.

[bwaidelich]

Thanks for reporting.
I currently have no requirement for this, but you are totally right of course and if you want you can push a PR with sth like

    formCsrfTokenField = Neos.Form.FusionRenderer:CsrfHiddenField

after https://github.com/neos/form-fusionrenderer/blob/master/Resources/Private/Fusion/Core/Form.fusion#L13

(probably it needs a custom eel helper - or just extend the provided FormHelper)