You are presented with a session_token, csrf_token, and logout_token during a REST request to /user/login. You can always obtain a new copy of the csrf_token from the path /session/token. You cannot, however, request a new copy of the logout_token, to the best of my knowledge. I propose that we make an endpoint available at /session/logouttoken where you can request a copy of this token after its initial point of creation.

This is my first time reporting an issue/creating a patch for core. Hopefully I didn't mess this process up horribly!


Comments

shawnmatthews created an issue.

shawnmatthews:

Version: 8.7.x-dev » 8.8.x-dev

Drupal 8.7.0-alpha1 will be released the week of March 11, 2019, which means new developments and disruptive changes should now be targeted against the 8.8.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

katzilla:

Hi @shawnmatthews. Thanks for your patch - exactly what I needed for my project :) The patch did not apply against 8.6.13 because of some missing quotes in the .yml file. Also, this should be a GET and not a POST request, because we are not sending over any data. Attached a new patch.

Version: 8.8.x-dev » 8.9.x-dev

Drupal 8.8.0-alpha1 will be released the week of October 14th, 2019, which means new developments and disruptive changes should now be targeted against the 8.9.x-dev branch. (Any changes to 8.9.x will also be committed to 9.0.x in preparation for Drupal 9’s release, but some changes like significant feature additions will be deferred to 9.1.x.). For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

katzilla:

New patch for d8.9.

katzilla:

Wrong filename ;)

katzilla:

Version: 8.9.x-dev » 9.1.x-dev

Drupal 8.9.0-beta1 was released on March 20, 2020. 8.9.x is the final, long-term support (LTS) minor release of Drupal 8, which means new developments and disruptive changes should now be targeted against the 9.1.x-dev branch. For more information see the Drupal 8 and 9 minor version schedule and the Allowed changes during the Drupal 8 and 9 release cycles.

inders:

+1 for this issue.

As of now, I am exposing this manually inside one of my REST resource plugins. logout_token is needed to avoid 403 errors in the case of an app. I was losing my local session storage sometimes, but it was still logged in on the server, so I was never able to log in again inside the app. I had to manually expose it from a REST resource and use it inside a Vue app. While doing error handling, it was easy to get this token and log out from the app.

  // Look up the HTTP logout route so its path is not hard-coded here.
  $logout_route = \Drupal::service('router.route_provider')->getRouteByName('user.logout.http');
  // Strip the leading '/' so the seed matches what the CSRF access check uses for that route.
  $logout_path = ltrim($logout_route->getPath(), '/');
  // Generate the session-bound CSRF token for the logout path.
  $logout_token = \Drupal::service('csrf_token')->get($logout_path);

Thank you!
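The endpoint the issue summary proposes, built around the same token derivation inders shows above, as an added example; it is neither the issue's patch nor Drupal core code, and the module name mymodule, the route name mymodule.session_logout_token and the class LogoutTokenController are assumptions. It goes slightly beyond the snippet above by also showing the route requirements that keep the token off anonymous sessions and out of caches.

```php
<?php

namespace Drupal\mymodule\Controller;

use Drupal\Core\Access\CsrfTokenGenerator;
use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Routing\RouteProviderInterface;
use Symfony\Component\DependencyInjection\ContainerInterface;
use Symfony\Component\HttpFoundation\Response;

/**
 * Returns the current session's logout token as text/plain.
 *
 * Hypothetical route in mymodule.routing.yml (module name is an assumption):
 *
 *   mymodule.session_logout_token:
 *     path: '/session/logouttoken'
 *     defaults:
 *       _controller: '\Drupal\mymodule\Controller\LogoutTokenController::logoutToken'
 *     methods: [GET]
 *     requirements:
 *       # Anonymous sessions have nothing to log out; they get 403 instead of a token.
 *       _user_is_logged_in: 'TRUE'
 *     options:
 *       # The token is bound to the requesting session, so it must never be cached.
 *       no_cache: TRUE
 */
class LogoutTokenController extends ControllerBase {

  protected $csrfToken;
  protected $routeProvider;

  public function __construct(CsrfTokenGenerator $csrf_token, RouteProviderInterface $route_provider) {
    $this->csrfToken = $csrf_token;
    $this->routeProvider = $route_provider;
  }

  public static function create(ContainerInterface $container) {
    return new static($container->get('csrf_token'), $container->get('router.route_provider'));
  }

  public function logoutToken(): Response {
    // Same derivation as the /user/login response: the token is seeded with the
    // logout route path minus its leading '/', so it validates for user.logout.http.
    $logout_route = $this->routeProvider->getRouteByName('user.logout.http');
    $logout_path = ltrim($logout_route->getPath(), '/');
    // Plain text mirrors /session/token, so the client needs no JSON parsing.
    return new Response($this->csrfToken->get($logout_path), 200, ['Content-Type' => 'text/plain']);
  }
}
```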

Version: 9.1.x-dev » 9.2.x-dev

Drupal 9.1.0-alpha1 will be released the week of October 19, 2020, which means new developments and disruptive changes should now be targeted for the 9.2.x-dev branch. For more information see the Drupal 9 minor version schedule and the Allowed changes during the Drupal 9 release cycle.

mbovan:

+++ b/core/modules/user/user.routing.yml
@@ -216,3 +216,13 @@ user.well-known.change_password:
+  path: '/session/logouttoken'
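Review bot: the path '/session/logouttoken' sits beside the existing '/session/token' route that the issue summary says hands out the csrf_token, but does not follow its naming; nesting it as '/session/token/logout' would keep both token endpoints under one prefix. Only the path line of the ten-line route definition is quoted, so the HTTP method and the access requirement of the new route cannot be checked from this hunk.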

Would it make sense to use session/token/logout path instead?


adityasingh:

Adding the interdiff.

Version: 9.2.x-dev » 9.3.x-dev

Drupal 9.2.0-alpha1 will be released the week of May 3, 2021, which means new developments and disruptive changes should now be targeted for the 9.3.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

sadikyalcin:

I keep getting "access denied / This route can only be accessed by authenticated users" after upgrading to 9.x. Any pointers on what the issue might be? I am definitely logged in.

Version: 9.3.x-dev » 9.4.x-dev

Drupal 9.3.0-rc1 was released on November 26, 2021, which means new developments and disruptive changes should now be targeted for the 9.4.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.4.x-dev » 9.5.x-dev

Drupal 9.4.0-alpha1 was released on May 6, 2022, which means new developments and disruptive changes should now be targeted for the 9.5.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

Version: 9.5.x-dev » 10.1.x-dev

Drupal 9.5.0-beta2 and Drupal 10.0.0-beta2 were released on September 29, 2022, which means new developments and disruptive changes should now be targeted for the 10.1.x-dev branch. For more information see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

smustgrave:

Status: Needs review » Needs work
Issue tags: +Needs Review Queue Initiative, +Needs tests, +Needs change record

This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.

public function logoutToken(Request $request
Should be typehinted

This will need test coverage.
Also will need a change record to announce the new route.

Version: 10.1.x-dev » 11.x-dev

Drupal core is moving towards using a “main” branch. As an interim step, a new 11.x branch has been opened, as Drupal.org infrastructure cannot currently fully support a branch named main. New developments and disruptive changes should now be targeted for the 11.x branch, which currently accepts only minor-version allowed changes. For more information, see the Drupal core minor version schedule and the Allowed changes during the Drupal core release cycle.

tcfunk:

Would it make sense to just return the token value as text (similar to the response from /session/token) instead of as a json object?
