refactor: migrated logout to controller (#3257)

nginx.conf

@@ -129,7 +129,7 @@ server {
             rewrite admin/api/(.*)                                  /admin/api/index.php last;
 
             # Administration pages
-            rewrite admin/(attachments|backup|category|comments|configuration|elasticsearch|export|faq|faqs|forms|glossary|group|import|instance|instances|media-browser|news|password|questions|session-keep-alive|statistics|sticky-faqs|stopwords|system|tags|update|user) /admin/front.php last;
+            rewrite admin/(attachments|backup|category|comments|configuration|elasticsearch|export|faq|faqs|forms|glossary|group|import|instance|instances|logout|media-browser|news|password|questions|session-keep-alive|statistics|sticky-faqs|stopwords|system|tags|update|user) /admin/front.php last;
 
             # REST API v3.0 and v3.1
             rewrite ^api/v3\.[01]/(.*)                              /api/index.php last;

phpmyfaq/.htaccess

@@ -143,7 +143,8 @@ Header set Access-Control-Allow-Headers "Content-Type, Authorization"
     # Administration API
     RewriteRule ^admin/api/(.*) admin/api/index.php [L,QSA]
     # Administration pages
-    RewriteRule ^admin/(attachments|backup|category|comments|configuration|elasticsearch|export|faq|faqs|forms|glossary|group|import|instance|instances|media-browser|news|password|questions|session-keep-alive|statistics|sticky-faqs|stopwords|system|tags|update|user) admin/front.php [L,QSA]
+    RewriteRule ^admin/(attachments|backup|category|comments|configuration|elasticsearch|export|faq|faqs|forms|glossary|group|import|instance|instances|logout|media-browser|news|password|questions|session-keep-alive|statistics|sticky-faqs|stopwords|system|tags|update|user) admin/front.php [L,QSA]
+    #RewriteRule ^admin/(.*) admin/front.php [L,QSA]
     # Private APIs
     RewriteRule ^api/(autocomplete|bookmark/delete|bookmark/create|user/data/update|user/password/update|user/request-removal|user/remove-twofactor|contact|voting|register|captcha|share|comment/create|faq/create|question/create|webauthn/prepare|webauthn/register|webauthn/prepare-login|webauthn/login) api/index.php [L,QSA]
     # Setup APIs

phpmyfaq/assets/templates/admin/header.twig

@@ -80,7 +80,7 @@
         </li>
         <li><hr class="dropdown-divider"></li>
         <li>
-          <a class="dropdown-item" href="index.php?action=logout&csrf={{ csrfTokenLogout }}">{{ msgLogout }}</a>
+          <a class="dropdown-item" href="./logout?csrf={{ csrfTokenLogout }}">{{ msgLogout }}</a>
         </li>
       </ul>
     </li>
@@ -99,7 +99,7 @@
         <div class="nav">
 
           <!-- Dashboard -->
-          <a class="nav-link" href="index.php">
+          <a class="nav-link" href="./">
             <div class="pmf-admin-nav-link-icon"><i class="bi bi-speedometer h6"></i></div>
             Dashboard
           </a>

phpmyfaq/assets/templates/admin/index.twig

@@ -80,7 +80,7 @@
           </li>
           <li><hr class="dropdown-divider"></li>
           <li>
-            <a class="dropdown-item" href="index.php?action=logout&csrf={{ csrfTokenLogout }}">{{ msgLogout }}</a>
+            <a class="dropdown-item" href="./logout?csrf={{ csrfTokenLogout }}">{{ msgLogout }}</a>
           </li>
         </ul>
       </li>

phpmyfaq/assets/templates/admin/session-keepalive.twig

@@ -23,7 +23,7 @@
       const duration = expire - sessionStart;
 
       if (duration <= 0) {
-        parent.location.href = './index.php?action=logout&csrf={{ csrfToken }}';
+        parent.location.href = './logout?csrf={{ csrfToken }}';
         return;
       }
 

phpmyfaq/src/admin-routes.php

@@ -17,6 +17,7 @@
 
 use phpMyFAQ\Controller\Administration\AdminLogController;
 use phpMyFAQ\Controller\Administration\AttachmentsController;
+use phpMyFAQ\Controller\Administration\AuthenticationController;
 use phpMyFAQ\Controller\Administration\BackupController;
 use phpMyFAQ\Controller\Administration\CategoryController;
 use phpMyFAQ\Controller\Administration\CommentsController;
@@ -55,6 +56,11 @@
         'controller' => [AttachmentsController::class, 'index'],
         'methods' => 'GET'
     ],
+    'admin.auth.logout' => [
+        'path' => '/logout',
+        'controller' => [AuthenticationController::class, 'logout'],
+        'methods' => 'GET'
+    ],
     'admin.backup' => [
         'path' => '/backup',
         'controller' => [BackupController::class, 'index'],

phpmyfaq/src/phpMyFAQ/Controller/Administration/AuthenticationController.php

@@ -0,0 +1,40 @@
+<?php
+
+declare(strict_types=1);
+
+namespace phpMyFAQ\Controller\Administration;
+
+use phpMyFAQ\Filter;
+use phpMyFAQ\Session\Token;
+use Symfony\Component\HttpFoundation\RedirectResponse;
+use Symfony\Component\HttpFoundation\Request;
+use Symfony\Component\HttpFoundation\Response;
+use Symfony\Component\Routing\Attribute\Route;
+
+class AuthenticationController extends AbstractAdministrationController
+{
+    /**
+     * @throws \Exception
+     */
+    #[Route('/logout', name: 'admin.auth.logout', methods: ['GET'])]
+    public function logout(Request $request): Response
+    {
+        $this->userIsAuthenticated();
+
+        $redirect = new RedirectResponse('./');
+
+        $csrfToken = Filter::filterVar($request->get('csrf'), FILTER_SANITIZE_SPECIAL_CHARS);
+        if (!Token::getInstance($this->container->get('session'))->verifyToken('admin-logout', $csrfToken)) {
+            return $redirect->send();
+        }
+
+        $this->currentUser->deleteFromSession(true);
+        $ssoLogout = $this->configuration->get('security.ssoLogoutRedirect');
+        if ($this->configuration->get('security.ssoSupport') && !empty($ssoLogout)) {
+            $redirect->isRedirect($ssoLogout);
+            $redirect->send();
+        }
+
+        return $redirect->send();
+    }
+}