[Security] Add a method in the security helper to ease programmatic logout #41406
Conversation
Thanks for working on this! There are a few points which IMO need some work still
Thanks for your feedback, I'm working on it.
Hi there! Thanks for updating this PR :)
I've left some final improvements. Some of them a bit tricky, so feel free to leave a comment asking for help if you don't understand how to apply them :)
I wonder if there should be a way to bypass CSRF? One of the use cases where I've needed programmatic logout is when handling user invitations. There, if you click the invite email and you are already logged in, we show "accept invite" or "create new account". If you click that, we log you out and send you back to the invite page, which then shows a registration form. In this case we authenticate that the request has the token from the email anyway, and we absolutely do not need a CSRF token. Of course we could add one on the "create new account" button I guess if needed, it just doesn't seem necessary.
I think most use cases for this method are in similar situations. I'll think of a way to bypass it, will probably end up with a bool parameter. Thanks!
@chalasr thanks, LGTM now I think - haven't reviewed the whole code in depth though, but on the surface the API makes sense to me. |
I'm not 100% sure, but I'm leaning towards not allowing to bypass CSRF. If an application enabled logout CSRF as a way to prevent login CSRF, I would expect all ways of logging out to be protected by CSRF. With this boolean, I can no longer be sure. Of course, @Seldaek understands login CSRF and knows that CSRF would only be "added noise" in this specific scenario, but I think the framework has a duty to protect those unaware of login CSRF to be as safe as possible.
CSRF protection is pointless if logout happens on a GET request, or as a side effect of a state change of another resource which might itself already be CSRF protected using a different token, or Jordi's use case. |
Yeah, IMO there's a clear need for the bypass. But I could live with CSRF being enabled by default instead of bypassed by default.
I think that having the default value (for CSRF validation) set to
Thank you @johnkrovitch. |
You're welcome. Thank you all |
This PR was merged into the 6.2 branch.

Discussion
----------

docs: add docs for programmatic logout

This PR adds documentation for the new feature "programmatic logout" merged in the PR symfony/symfony#41406

Commits
-------

ac46df4 [#17328] Minor changes
5611f88 docs: add docs for programmatic logout

…to SecurityBundle (chalasr)

This PR was merged into the 6.2 branch.

Discussion
----------

[Security][SecurityBundle] Move the `Security` helper to SecurityBundle

| Q             | A |
| ------------- | --- |
| Branch?       | 6.2 |
| Bug fix?      | no |
| New feature?  | yes |
| Deprecations? | yes |
| Tickets       | Fixes symfony/symfony#46066 (comment) |
| License       | MIT |
| Doc PR        | todo |

The `Security` helper is a high-level service providing easy access to commonly-needed features coming from various low-level abstractions. Basically, it's a facade. Based on this, it makes sense to me to make it available only via the full-stack framework, as proposed by Wouter in symfony/symfony#46066 (comment).

This unlocks #46066, symfony/symfony#41274 and symfony/symfony#41406.

/cc @wouterj @johnkrovitch @Kocal

Commits
-------

7b91bcb068 [Security] Move the `Security` helper to SecurityBundle
This PR aims to ease the programmatic login using the Security helper, to fix (#40663).
A simple method has been added to the Security helper.
Thanks!
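The thread above debates whether the new helper method should let callers skip the logout CSRF check. The controller below is an added illustration of both positions in working code; it is not code from this PR or from the Symfony project. It assumes Symfony 6.2 or later, where `Symfony\Bundle\SecurityBundle\Security::logout(bool $validateCsrfToken = true): ?Response` exists (the method that eventually landed), a firewall with `logout: { enable_csrf: true }` in `security.yaml`, and a hypothetical `App\Invite\InvitationRepository` whose `findValid()` returns an unexpired invitation for the token that was e-mailed to the invitee. The route names and the `homepage` / `invite_register` targets are likewise assumptions.

```php
<?php
// Added example for the CSRF discussion in symfony/symfony#41406; not project code.
// Assumes Symfony >= 6.2 (Security::logout(bool $validateCsrfToken = true): ?Response)
// and a firewall configured with `logout: { enable_csrf: true }`.
// App\Invite\InvitationRepository is hypothetical and assumed to exist.

declare(strict_types=1);

namespace App\Controller;

use App\Invite\InvitationRepository; // hypothetical: findValid(string $token): ?object
use Symfony\Bundle\FrameworkBundle\Controller\AbstractController;
use Symfony\Bundle\SecurityBundle\Security;
use Symfony\Component\HttpFoundation\Response;
use Symfony\Component\Routing\Annotation\Route;

final class LogoutController extends AbstractController
{
    public function __construct(
        private readonly Security $security,
        private readonly InvitationRepository $invitations,
    ) {
    }

    // Case 1 (wouterj's default): a plain "sign out" action driven from the UI.
    // logout() with no argument keeps the firewall's CSRF check, so the POST must
    // carry the firewall's csrf_parameter (default `_csrf_token`, token id `logout`);
    // otherwise the helper throws a LogoutException and the session is left intact.
    #[Route('/account/sign-out', name: 'account_sign_out', methods: ['POST'])]
    public function signOut(): Response
    {
        // logout() dispatches the LogoutEvent and returns the Response the logout
        // listeners attached (normally a redirect to the firewall's target), or null.
        return $this->security->logout() ?? $this->redirectToRoute('homepage');
    }

    // Case 2 (Seldaek's invitation flow): the request already proves possession of
    // the single-use token from the invitation e-mail, so a second anti-CSRF token
    // adds nothing and the check is skipped explicitly with logout(false).
    // The route is still POST-only: a GET here could be triggered cross-site by a
    // simple <img> tag and turn the bypass into a forced-logout primitive.
    #[Route('/invite/{inviteToken}/new-account', name: 'invite_new_account', methods: ['POST'])]
    public function createNewAccount(string $inviteToken): Response
    {
        $invitation = $this->invitations->findValid($inviteToken);
        if (null === $invitation) {
            // Validate the invitation *before* touching the session: logging the
            // victim out on an unknown token would be exactly the login-CSRF setup
            // the logout CSRF protection exists to prevent.
            throw $this->createNotFoundException('Unknown or expired invitation.');
        }

        if (null !== $this->security->getUser()) {
            // Skip the CSRF check only because the invite token above was verified.
            // The SessionLogoutListener invalidates the session here; the redirect
            // Response the listeners built is discarded because this flow sends the
            // visitor back to the invitation page rather than the firewall target.
            $this->security->logout(false);
        }

        return $this->redirectToRoute('invite_register', ['inviteToken' => $inviteToken]);
    }
}
```

The point the two actions make together is the one wouterj and Seldaek converge on: `logout()` is safe by default because the check is opt-out, and the opt-out is only defensible when the caller has already authenticated the request by some other means (here, the e-mailed invitation token) and has ruled out GET-triggerable paths.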