Thanks to visit codestin.com
Credit goes to github.com

Skip to content

[Security][DX] RFC: A simple way to do programmatic logout #40663

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
Seldaek opened this issue Mar 31, 2021 · 8 comments · Fixed by #41406
Closed

[Security][DX] RFC: A simple way to do programmatic logout #40663

Seldaek opened this issue Mar 31, 2021 · 8 comments · Fixed by #41406
Labels
DX DX = Developer eXperience (anything that improves the experience of using Symfony) Security Stalled

Comments

@Seldaek
Copy link
Member

Seldaek commented Mar 31, 2021
edited
Loading

Description
There are various reasons why an app may need to logout a user without the user having to be redirected to the logout page, and currently there is no easy way to do this without copying some code from core which is subject to change and thus may leave one with outdated logic.

Example
Related to #40662, IMO a great API to have would be Security::programmaticLogout(Request $request)

This would figure out which firewall is relevant for the given $request, and trigger a logout event on that firewall's event dispatcher.

Why?
By digging through internals, it appears the best way to do this is the following:

        $logoutEvent = new LogoutEvent($request, $this->tokenStorage->getToken());
        $this->eventDispatcher->dispatch($logoutEvent);

        $response = $logoutEvent->getResponse();
        if (!$response instanceof Response) {
            throw new \RuntimeException('No logout listener set the Response, make sure at least the DefaultLogoutListener is registered.');
        }

        $this->tokenStorage->setToken(null);

        return $response;

This is copied from

symfony/src/Symfony/Component/Security/Http/Firewall/LogoutListener.php

Lines 121 to 131 in f963ae4

$logoutEvent = new LogoutEvent($request, $this->tokenStorage->getToken());
$this->eventDispatcher->dispatch($logoutEvent);
$response = $logoutEvent->getResponse();
if (!$response instanceof Response) {
throw new \RuntimeException('No logout listener set the Response, make sure at least the DefaultLogoutListener is registered.');
}
$this->tokenStorage->setToken(null);
$event->setResponse($response);
I did not invent anything, but I had to find out, and now I have to copy paste this in my app to be able to call it.

On top of that, some added complexity one has to figure out is that the event dispatcher here isn't just any event dispatcher, but you have to inject the correct event dispatcher for the firewall you want to do the logout on, and so you have to define that in the service yourself.. Firewall-specific event dispatchers are mentioned in passing in the docs but it's not exactly a common concept so this is all overall not great DX, and having an easy and more visible place to do this would be nice I think.
@carsonbot carsonbot added DX DX = Developer eXperience (anything that improves the experience of using Symfony) Security labels Mar 31, 2021
@X-Coder264
Copy link
Contributor

👍

We had the need for this recently on a project and the way we went about it was to implement Symfony\Component\Security\Core\User\EquatableInterface on our User class and have a column in the user table which would have a random value for a user and when we needed to force a logout the value would be updated with a new random value which would log the user out because the user session data would no longer match the new data (https://symfony.com/doc/current/security/user_provider.html#understanding-how-users-are-refreshed-from-the-session). Obviously this is really "hacky" as this is a non direct way of doing a logout, but it's the least hacky thing we could've done (that did not require us to copy Symfony internal code into our application) and is a good indicator that something simpler for this use-case is missing in Symfony.

@hktr92
Copy link

hktr92 commented Apr 29, 2021

That's a good idea. We've had to implement custom logic during logout process, so we had to research for 4h and dig through the source code to better understand how to do it.

So we've implemented the public function onSymfonyComponentSecurityHttpEventLogoutEvent(LogoutEvent $logoutEvent): void method and register it in services.yaml which performs the custom processing (e.g. remove cookies, do api call to propagate the event, etc). So there can be a more DX-friendly approach on this one.

johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue May 19, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
5a69bac 
…ogout (symfony#40663)
@johnkrovitch johnkrovitch mentioned this issue May 19, 2021
Closed
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue May 19, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
6c8a7ce 
…ogout (symfony#40663)
@johnkrovitch johnkrovitch mentioned this issue May 25, 2021
Merged
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue May 26, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
0b8ee6f 
…ogout (symfony#40663)
@TavoNiievez TavoNiievez mentioned this issue May 29, 2021
Merged
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue May 31, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
c4646e3 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue May 31, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
23aad7b 
…ogout (symfony#40663)
@carsonbot
Copy link

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

@buffcode
Copy link
Contributor

No it has not. Still no simple and reliable way to logout a user programmatically.

@carsonbot carsonbot removed the Stalled label Oct 30, 2021
@wouterj
Copy link
Member

wouterj commented Oct 30, 2021

@buffcode (or anyone in this issue), are you open to create a PR for this targeting 6.1? Seems like everyone likes this feature, so we now need someone to make it happen

@chalasr
Copy link
Member

chalasr commented Oct 30, 2021

There is #41406 for this.

johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
94f7b86 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
da395a5 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
eaa9ca6 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
edb8b09 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
96d1a38 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
2403861 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
4647eee 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
e824ed6 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
c135401 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
3d17885 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
fd6df4e 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
cd3fd79 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
94c7372 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 2, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
5d42598 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 6, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
4a8ac45 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 6, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
e3491b0 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 6, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
1ef674a 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 11, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
fc0bff7 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Dec 11, 2021
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
bb5322e 
…ogout (symfony#40663)
@carsonbot
Copy link

Thank you for this issue.
There has not been a lot of activity here for a while. Has this been resolved?

@chalasr
Copy link
Member

chalasr commented May 1, 2022

Let’s continue in #41406

@chalasr chalasr closed this as completed May 1, 2022
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jun 8, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
cf48120 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jun 8, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
9a81b2a 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jun 16, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
80aa416 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jun 19, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
a1d59cb 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jul 6, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
1306a00 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jul 6, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
9aabc77 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jul 6, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
297894a 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jul 6, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
31625b4 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jul 6, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
93d6406 
…ogout (symfony#40663)
johnkrovitch added a commit to johnkrovitch/symfony that referenced this issue Jul 6, 2022
@johnkrovitch
[Security] Add a method in the security helper to ease programmatic l…
46bf749 
…ogout (symfony#40663)
chalasr pushed a commit to johnkrovitch/symfony that referenced this issue Jul 7, 2022
@johnkrovitch @chalasr
[Security] Add a method in the security helper to ease programmatic l…
388ae80 
…ogout (symfony#40663)
chalasr pushed a commit to johnkrovitch/symfony that referenced this issue Jul 12, 2022
@johnkrovitch @chalasr
[Security] Add a method in the security helper to ease programmatic l…
2a9b2db 
…ogout (symfony#40663)
chalasr pushed a commit to johnkrovitch/symfony that referenced this issue Jul 19, 2022
@johnkrovitch @chalasr
[Security] Add a method in the security helper to ease programmatic l…
f576173 
…ogout (symfony#40663)
fabpot added a commit that referenced this issue Jul 20, 2022
@fabpot
feature #41406 [Security] Add a method in the security helper to ease…
86f78aa 
… programmatic logout (johnkrovitch, chalasr)

This PR was merged into the 6.2 branch.

Discussion
----------

[Security] Add a method in the security helper to ease programmatic logout

| Q             | A
| ------------- | ---
| Branch?       | 6.x
| Bug fix?      | no
| New feature?  | yes
| Deprecations? | no
| Tickets       | Fix #40663
| License       | MIT
| Doc PR        |

This PR aims to ease the programmatic login using the Security helper, to fix (#40663).

A simple method has been added to the Security helper.

Thanks !

Commits
-------

e5e7d5e Make CSRF validation opt-in
f41a184 Add CSRF protection
f576173 [Security] Add a method in the security helper to ease programmatic logout (#40663)
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
DX DX = Developer eXperience (anything that improves the experience of using Symfony) Security Stalled
Projects
None yet
Milestone
No milestone
7 participants
@Seldaek @wouterj @buffcode @chalasr @hktr92 @X-Coder264 @carsonbot