Prevent access to cas.login route, if user is already logged in.

Going to make a new branch because this one was created with branch name 2.x and it's making it harder to review locally (I already have a branch with that name)

Rather than just issue an access denied error when an authenticated user accesses /cas to login, the merge request now redirects them to the homepage. This is the same behavior as if they did have a successful login via /cas. So users basically shouldn't notice any difference, other than they are not redirected to the CAS server to re-login again anymore. I think this makes the best UX. Someone may have /cas bookmarked and if they still have an active session, showing them an Access Denied error would be confusing. Just redirect them to the homepage as if they had logged in.

This is similar to what core does when an authenticated user tries accessing /user/login. It redirects them to the user profile page instead of showing an access denied.

Thanks for the review. I'll see about extending that base class!

Another thing I want to try and resolve here is this scenario:

1. Authenticated user clicks a link to /cas?destination=/some/page
2. User is denied access to /cas since they're already logged in
3. Our subscriber intercepts the exception and redirects the user to the homepage
4. The /some/page destination is lost

We have at least one site that's using this workflow for links that this patch breaks.

Given #3463607: AccessDeniedSubscriber should extend HttpExceptionSubscriberBase is RTBC and most likely will me merged, I think we should do it also here.

i think #11 makes sense

Pushed an update that uses HttpExceptionSubscriberBase and preserves the destination parameter. Updated issue summary to describe the change.

Updated the MR to be based on 3.x

Unfortunately tests are failing

Fixed the broken test

Great. You can merge and release 3.0.0.

I propose the following release notes:

Relevant changes

• Drupal 11 compatibility (see "Updating to CAS 3.0" section below)
• Routes /cas and /caslogin are no more accessible by logged in users. See #3446948: Prevent access to cas.login route, if user is already logged in..

Updating to CAS 3.0

• While still on Drupal 10, update your site to CAS 2.3.2. This is very important because starting with CAS 3.0.0, old (post)update functions are removed.
• Require drupal/cas:^3.0 with Composer
• If you have custom code that interacts with the CAS module, you may need to make some updates. There are some tiny backwards compatibility breaking changes that require your attention:
  • The type of value returned by CasLoginException::getCode() was changed from integer to enum of type CasLoginExceptionType. If your code calls this method, you should adapt. If you still need the integer value, you can do something like
    

    $codes = CasLoginExceptionType::cases();
    $code = array_search($exception->getCode(), $codes, TRUE);
    

  • The parameter of CasUserManager::getCasUsernameForAccount() is now strict typed as integer. Make sure you cast the parameter to an Integer before is passed to the method:
    

    $account = ...;
    $uid = (int) $account->id();
    $name = \Drupal::service('cas.user_manager')->getCasUsernameForAccount($uid);
    

  • The CasServerConfig::setProtocolVersion() setter accepts now a CasProtocolVersion enum case as parameter instead of a string. Same, the CasServerConfig::getProtocolVersion() getter returns now a CasProtocolVersion enum case instead of a string. If needed, get the server version as a legacy string: CasServerConfig::getProtocolVersion()->value.
  • The CasServerConfig::setHttpScheme() setter accepts now a HttpScheme enum case as parameter instead of a string. Same, the CasServerConfig::getHttpScheme() getter returns now a HttpScheme enum case instead of a string. If needed, get the HTTP scheme as a legacy string: CasServerConfig:: getHttpScheme()->value.
  • The CasServerConfig::setVerify() setter accepts now a SslCertificateVerification enum case as parameter instead of an integer. Same, the CasServerConfig::getVerify() getter returns now a SslCertificateVerification enum case instead of an integer. If needed, get the certificate verification scheme as a legacy integer: CasServerConfig:: getVerify()->value.
• You can now update your site to Drupal 11.
• After updating to CAS 3.0, prepare for the next CAS version by replacing the deprecated code. Check https://www.drupal.org/node/3462792 to learn what is deprecated in CAS 3.0 and adapt your code.