vendor/symfony/security-http/Firewall/LogoutListener.php line 37

Open in your IDE?
  1. <?php
  3. /*
  4. * This file is part of the Symfony package.
  5. *
  6. * (c) Fabien Potencier <fabien@symfony.com>
  7. *
  8. * For the full copyright and license information, please view the LICENSE
  9. * file that was distributed with this source code.
  10. */
  12. namespace Symfony\Component\Security\Http\Firewall;
  14. use Symfony\Component\EventDispatcher\EventDispatcher;
  15. use Symfony\Component\HttpFoundation\Request;
  16. use Symfony\Component\HttpFoundation\Response;
  17. use Symfony\Component\HttpKernel\Event\RequestEvent;
  18. use Symfony\Component\Security\Core\Authentication\Token\Storage\TokenStorageInterface;
  19. use Symfony\Component\Security\Core\Exception\LogicException;
  20. use Symfony\Component\Security\Core\Exception\LogoutException;
  21. use Symfony\Component\Security\Csrf\CsrfToken;
  22. use Symfony\Component\Security\Csrf\CsrfTokenManagerInterface;
  23. use Symfony\Component\Security\Http\Event\LogoutEvent;
  24. use Symfony\Component\Security\Http\HttpUtils;
  25. use Symfony\Component\Security\Http\Logout\LogoutHandlerInterface;
  26. use Symfony\Component\Security\Http\Logout\LogoutSuccessHandlerInterface;
  27. use Symfony\Component\Security\Http\ParameterBagUtils;
  28. use Symfony\Contracts\EventDispatcher\EventDispatcherInterface;
  30. /**
  31. * LogoutListener logout users.
  32. *
  33. * @author Fabien Potencier <fabien@symfony.com>
  34. *
  35. * @final
  36. */
  37. class LogoutListener extends AbstractListener
  38. {
  39. private $tokenStorage;
  40. private $options;
  41. private $httpUtils;
  42. private $csrfTokenManager;
  43. private $eventDispatcher;
  45. /**
  46. * @param EventDispatcherInterface $eventDispatcher
  47. * @param array $options An array of options to process a logout attempt
  48. */
  49. public function __construct(TokenStorageInterface $tokenStorage, HttpUtils $httpUtils, $eventDispatcher, array $options = [], ?CsrfTokenManagerInterface $csrfTokenManager = null)
  50. {
  51. if (!$eventDispatcher instanceof EventDispatcherInterface) {
  52. trigger_deprecation('symfony/security-http', '5.1', 'Passing a logout success handler to "%s" is deprecated, pass an instance of "%s" instead.', __METHOD__, EventDispatcherInterface::class);
  54. if (!$eventDispatcher instanceof LogoutSuccessHandlerInterface) {
  55. throw new \TypeError(sprintf('Argument 3 of "%s" must be instance of "%s" or "%s", "%s" given.', __METHOD__, EventDispatcherInterface::class, LogoutSuccessHandlerInterface::class, get_debug_type($eventDispatcher)));
  56. }
  58. $successHandler = $eventDispatcher;
  59. $eventDispatcher = new EventDispatcher();
  60. $eventDispatcher->addListener(LogoutEvent::class, function (LogoutEvent $event) use ($successHandler) {
  61. $event->setResponse($r = $successHandler->onLogoutSuccess($event->getRequest()));
  62. });
  63. }
  65. $this->tokenStorage = $tokenStorage;
  66. $this->httpUtils = $httpUtils;
  67. $this->options = array_merge([
  68. 'csrf_parameter' => '_csrf_token',
  69. 'csrf_token_id' => 'logout',
  70. 'logout_path' => '/logout',
  71. ], $options);
  72. $this->csrfTokenManager = $csrfTokenManager;
  73. $this->eventDispatcher = $eventDispatcher;
  74. }
  76. /**
  77. * @deprecated since Symfony 5.1
  78. */
  79. public function addHandler(LogoutHandlerInterface $handler)
  80. {
  81. trigger_deprecation('symfony/security-http', '5.1', 'Calling "%s" is deprecated, register a listener on the "%s" event instead.', __METHOD__, LogoutEvent::class);
  83. $this->eventDispatcher->addListener(LogoutEvent::class, function (LogoutEvent $event) use ($handler) {
  84. if (null === $event->getResponse()) {
  85. throw new LogicException(sprintf('No response was set for this logout action. Make sure the DefaultLogoutListener or another listener has set the response before "%s" is called.', __CLASS__));
  86. }
  88. $handler->logout($event->getRequest(), $event->getResponse(), $event->getToken());
  89. });
  90. }
  92. /**
  93. * {@inheritdoc}
  94. */
  95. public function supports(Request $request): ?bool
  96. {
  97. return $this->requiresLogout($request);
  98. }
  100. /**
  101. * Performs the logout if requested.
  102. *
  103. * If a CsrfTokenManagerInterface instance is available, it will be used to
  104. * validate the request.
  105. *
  106. * @throws LogoutException if the CSRF token is invalid
  107. * @throws \RuntimeException if the LogoutSuccessHandlerInterface instance does not return a response
  108. */
  109. public function authenticate(RequestEvent $event)
  110. {
  111. $request = $event->getRequest();
  113. if (null !== $this->csrfTokenManager) {
  114. $csrfToken = ParameterBagUtils::getRequestParameterValue($request, $this->options['csrf_parameter']);
  116. if (!\is_string($csrfToken) || false === $this->csrfTokenManager->isTokenValid(new CsrfToken($this->options['csrf_token_id'], $csrfToken))) {
  117. throw new LogoutException('Invalid CSRF token.');
  118. }
  119. }
  121. $logoutEvent = new LogoutEvent($request, $this->tokenStorage->getToken());
  122. $this->eventDispatcher->dispatch($logoutEvent);
  124. if (!$response = $logoutEvent->getResponse()) {
  125. throw new \RuntimeException('No logout listener set the Response, make sure at least the DefaultLogoutListener is registered.');
  126. }
  128. $this->tokenStorage->setToken(null);
  130. $event->setResponse($response);
  131. }
  133. /**
  134. * Whether this request is asking for logout.
  135. *
  136. * The default implementation only processed requests to a specific path,
  137. * but a subclass could change this to logout requests where
  138. * certain parameters is present.
  139. */
  140. protected function requiresLogout(Request $request): bool
  141. {
  142. return isset($this->options['logout_path']) && $this->httpUtils->checkRequestPath($request, $this->options['logout_path']);
  143. }
  145. public static function getPriority(): int
  146. {
  147. return -127;
  148. }
  149. }