You are presented with a session_token, csrf_token, and logout_token during a REST request to /user/login. You can always obtain a new copy of the csrf_token from the path /session/token. However, to the best of my knowledge, you cannot request a new copy of the logout_token. I propose that we make an endpoint available at /session/logouttoken where you can request a copy of this token after its initial point of creation.
This is my first time reporting an issue/creating a patch for core. Hopefully I didn't mess this process up horribly!
Comment | File | Size | Author |
---|---|---|---|
#15 | interdiff_13-14.txt | 502 bytes | adityasingh |
#14 | 3004421-14.patch | 1.85 KB | adityasingh |
#13 | 3004421-13-7-interdiff.txt | 502 bytes | mbovan |
#13 | 3004421-13.patch | 1.85 KB | mbovan |
#7 | logouttoken-3004421-6.patch | 1.85 KB | katzilla |
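
The asymmetry the issue summary describes, as an added example that is not code from this issue or from Drupal core: the csrf_token can be re-read from /session/token, while the logout_token exists only in the login response. The `DrupalSession` helper, the in-memory fake site, its token values and its status codes are constructed for illustration, and the `/user/logout?_format=json&token=...` request shape is an assumption about core's JSON logout route.

```javascript
// Constructed in-memory stand-in for a Drupal site so the example runs offline.
function makeFakeSite() {
  const s = { csrf: 'csrf-constructed', logout: 'logout-constructed', active: false };
  return async (url, opts = {}) => {
    const u = new URL(url, 'https://example.test');
    if (u.pathname === '/user/login' && opts.method === 'POST') {
      s.active = true;
      return { status: 200, json: async () => ({ csrf_token: s.csrf, logout_token: s.logout }) };
    }
    if (u.pathname === '/session/token') return { status: 200, text: async () => s.csrf };
    if (u.pathname === '/user/logout' && opts.method === 'POST') {
      const ok = s.active && u.searchParams.get('token') === s.logout;
      if (ok) s.active = false;
      return { status: ok ? 204 : 403 }; // wrong or missing token is refused
    }
    return { status: 404 };
  };
}

// Hypothetical client helper: keeps both tokens in a caller-supplied store.
class DrupalSession {
  constructor(fetchImpl, store = new Map()) {
    this.request = (url, opts) => fetchImpl(url, opts);
    this.store = store;
  }
  async login(name, pass) {
    const res = await this.request('/user/login?_format=json', {
      method: 'POST', headers: { 'Content-Type': 'application/json' },
      body: JSON.stringify({ name, pass }),
    });
    const body = await res.json();
    this.store.set('csrf_token', body.csrf_token);
    this.store.set('logout_token', body.logout_token); // only copy the client ever gets
  }
  async csrfToken() { // recoverable: re-read from /session/token when missing
    if (!this.store.has('csrf_token')) {
      this.store.set('csrf_token', await (await this.request('/session/token')).text());
    }
    return this.store.get('csrf_token');
  }
  async logout() { // not recoverable: without the stored token the request is refused
    const token = encodeURIComponent(this.store.get('logout_token') || '');
    const res = await this.request('/user/logout?_format=json&token=' + token, { method: 'POST' });
    if (res.status === 204) this.store.clear();
    return res.status;
  }
}

// Scenario: local storage is lost while the server-side session stays active.
async function demo() {
  const store = new Map();
  const client = new DrupalSession(makeFakeSite(), store);
  await client.login('constructed-user', 'constructed-pass');
  store.clear();
  return { csrf: await client.csrfToken(), lostLogout: await client.logout() };
}
```

Because the logout token guards the logout request against forgery, a client should keep it in the same storage and with the same care as the csrf_token, and URL-encode it when building the query string.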
Comments
Comment #2
shawnmatthews (as a volunteer) commented:
Re-roll after reading - https://www.drupal.org/node/1319154
Comment #4
katzilla
Hi @shawnmatthews. Thanks for your patch - exactly what I needed for my project :) The patch did not apply against 8.6.13 because of some missing quotes in the .yml file. Also, this should be a GET and not a POST request, because we are not sending over any data. Attached a new patch.
Comment #6
katzilla
new patch for d8.9
Comment #7
katzilla
wrong filename ;)
Comment #8
katzilla
Comment #10
inders (as a volunteer) commented:
+1 for this issue.
As of now, I am exposing this manually inside one of the REST resource plugins. logout_token is needed for avoiding 403 errors in the case of the App. I was losing my local session storage sometimes but it was logged in at the server. So I was never able to log in again inside the App. I had to manually expose it from a REST resource and use it inside the Vue App. While doing error handling, it was easy to get this token and log out from the App.
Thank you!
Comment #12
mbovan (at MD Systems GmbH for Liip) commented:
Would it make sense to use `session/token/logout` path instead?
Comment #13
mbovan (at MD Systems GmbH for Liip) commented:
I addressed #12.
Comment #14
adityasingh (as a volunteer and at Srijan | A Material+ Company for Drupal India Association) commented:
Fixed coding standards issue.
Comment #15
adityasingh (as a volunteer and at Srijan | A Material+ Company for Drupal India Association) commented:
Adding the interdiff.
Comment #17
sadikyalcin commented:
I keep getting
access denied / This route can only be accessed by authenticated users
after upgrading to 9.x. Any pointers on what the issue might be? I am definitely logged in.
Comment #21
smustgrave (at Mobomo) commented:
This issue is being reviewed by the kind folks in Slack, #needs-review-queue-initiative. We are working to keep the size of Needs Review queue [2700+ issues] to around 400 (1 month or less), following Review a patch or merge request as a guide.
public function logoutToken(Request $request
Should be typehinted
This will need test coverage.
Also will need a change record to announce the new route.
Comment #23
tcfunk (at ICF) commented:
Would it make sense to just return the token value as text (similar to the response from /session/token) instead of as a json object?
Comment #24
maxilein commented:
In the meantime see: https://www.drupal.org/project/logout_token