Add CSRF protection to logout url in the user controller

rosier · rosier · commit dd1726452591 · 2022-11-17T18:15:47.000+01:00
diff --git a/config/services.yaml b/config/services.yaml
@@ -34,6 +34,8 @@ services:
     App\EventSubscriber\CommentNotificationSubscriber:
         $sender: '%app.notifications.email_sender%'
 
+    Symfony\Component\Security\Http\Logout\LogoutUrlGenerator: '@security.logout_url_generator'
+
 when@test:
     services:
         test.user_password_hasher:
diff --git a/src/Controller/UserController.php b/src/Controller/UserController.php
@@ -20,6 +20,7 @@
 use Symfony\Component\HttpFoundation\Response;
 use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;
 use Symfony\Component\Routing\Annotation\Route;
+use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;
 
 /**
  * Controller used to manage current user.
@@ -52,7 +53,7 @@ public function edit(Request $request, EntityManagerInterface $entityManager): R
     }
 
     #[Route('/change-password', methods: ['GET', 'POST'], name: 'user_change_password')]
-    public function changePassword(Request $request, UserPasswordHasherInterface $passwordHasher, EntityManagerInterface $entityManager): Response
+    public function changePassword(Request $request, UserPasswordHasherInterface $passwordHasher, EntityManagerInterface $entityManager, LogoutUrlGenerator $logoutUrlGenerator): Response
     {
         $user = $this->getUser();
 
@@ -63,7 +64,7 @@ public function changePassword(Request $request, UserPasswordHasherInterface $pa
             $user->setPassword($passwordHasher->hashPassword($user, $form->get('newPassword')->getData()));
             $entityManager->flush();
 
-            return $this->redirectToRoute('security_logout');
+            return $this->redirect($logoutUrlGenerator->getLogoutPath());
         }
 
         return $this->render('user/change_password.html.twig', [
diff --git a/tests/Controller/UserControllerTest.php b/tests/Controller/UserControllerTest.php
@@ -90,9 +90,10 @@ public function testChangePassword(): void
             'change_password[newPassword][second]' => $newUserPassword,
         ]);
 
-        $this->assertResponseRedirects(
+        $this->assertResponseRedirects();
+        $this->assertStringStartsWith(
             '/en/logout',
-            Response::HTTP_FOUND,
+            $client->getResponse()->headers->get('Location') ?? '',
             'Changing password logout the user.'
         );
     }

Original file line number	Diff line number	Diff line change
`@@ -20,6 +20,7 @@`
`20`	`20`	`use Symfony\Component\HttpFoundation\Response;`
`21`	`21`	`use Symfony\Component\PasswordHasher\Hasher\UserPasswordHasherInterface;`
`22`	`22`	`use Symfony\Component\Routing\Annotation\Route;`
	`23`	`+use Symfony\Component\Security\Http\Logout\LogoutUrlGenerator;`
`23`	`24`
`24`	`25`	`/**`
`25`	`26`	`* Controller used to manage current user.`
`@@ -52,7 +53,7 @@ public function edit(Request $request, EntityManagerInterface $entityManager): R`
`52`	`53`	`}`
`53`	`54`
`54`	`55`	`#[Route('/change-password', methods: ['GET', 'POST'], name: 'user_change_password')]`
`55`		`- public function changePassword(Request $request, UserPasswordHasherInterface $passwordHasher, EntityManagerInterface $entityManager): Response`
	`56`	`+ public function changePassword(Request $request, UserPasswordHasherInterface $passwordHasher, EntityManagerInterface $entityManager, LogoutUrlGenerator $logoutUrlGenerator): Response`
`56`	`57`	`{`
`57`	`58`	`$user = $this->getUser();`
`58`	`59`
`@@ -63,7 +64,7 @@ public function changePassword(Request $request, UserPasswordHasherInterface $pa`
`63`	`64`	`$user->setPassword($passwordHasher->hashPassword($user, $form->get('newPassword')->getData()));`
`64`	`65`	`$entityManager->flush();`
`65`	`66`
`66`		`- return $this->redirectToRoute('security_logout');`
	`67`	`+ return $this->redirect($logoutUrlGenerator->getLogoutPath());`
`67`	`68`	`}`
`68`	`69`
`69`	`70`	`return $this->render('user/change_password.html.twig', [`