Add CSRF protection to logout url in the user controller

Author: rosier

config/services.yaml

@@ -33,6 +33,8 @@ services:
     App\EventSubscriber\CommentNotificationSubscriber:
         $sender: '%app.notifications.email_sender%'
 
+    Symfony\Component\Security\Http\Logout\LogoutUrlGenerator: '@security.logout_url_generator'
+
 when@test:
     services:
         test.user_password_hasher:

src/Controller/UserController.php

@@ -22,6 +22,7 @@
 use Symfony\Component\Routing\Annotation\Route;
 use Symfony\Component\Security\Http\Attribute\CurrentUser;
 use Symfony\Component\Security\Http\Attribute\IsGranted;
+use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 
 /**
  * Controller used to manage current user. The #[CurrentUser] attribute
@@ -63,6 +64,7 @@ public function changePassword(
         Request $request,
         UserPasswordHasherInterface $passwordHasher,
         EntityManagerInterface $entityManager,
+        LogoutUrlGenerator $logoutUrlGenerator,
     ): Response {
         $form = $this->createForm(ChangePasswordType::class);
         $form->handleRequest($request);
@@ -74,7 +76,7 @@ public function changePassword(
             $user->setPassword($passwordHasher->hashPassword($user, $plainPassword));
             $entityManager->flush();
 
-            return $this->redirectToRoute('security_logout');
+            return $this->redirect($logoutUrlGenerator->getLogoutPath());
         }
 
         return $this->render('user/change_password.html.twig', [

tests/Controller/UserControllerTest.php

@@ -93,9 +93,10 @@ public function testChangePassword(): void
             'change_password[newPassword][second]' => $newUserPassword,
         ]);
 
-        $this->assertResponseRedirects(
+        $this->assertResponseRedirects();
+        $this->assertStringStartsWith(
             '/en/logout',
-            Response::HTTP_FOUND,
+            $client->getResponse()->headers->get('Location') ?? '',
             'Changing password logout the user.'
         );
     }