Add _csrf_confirm_form_route option to the user/logout route

Created on 9 April 2025, 15 days ago

Problem/Motivation

This is a followup issue to https://www.drupal.org/project/openid_connect/issues/3508791 (🐛 Add CSRF protection for /user/logout, Active).

In that issue, we added CSRF protection to the logout link provided by OpenID Connect. The next step is to add a confirmation form to the route to follow the Core best practices (see: https://www.drupal.org/node/3152693).

Steps to reproduce

1. Log in with an OpenID provider.
2. Browse to `user/logout`.
3. Currently receive a 403 access denied (because of the missing CSRF token).

Proposed resolution

Add the `_csrf_confirm_form_route` token to the logout route and provide the confirmation form to allow the logout action without the csrf token in the route.

Remaining tasks

[ ] Add the route option
[ ] Add the confirmation form
[ ] Add testing.

✨ Feature request
Status

Active

Version

3.0

Component

Code

Created by

🇺🇸 United States pfrilling Minster, OH
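
The route pattern the proposed resolution describes, sketched as routing YAML. This is an added example, not code from the OpenID Connect module: the `example_oidc` route names, paths, controller and form class are hypothetical placeholders, and only `_csrf_token` and `_csrf_confirm_form_route` are Drupal core route keys.

```yaml
# Hypothetical module routing file: example_oidc.routing.yml

# State-changing logout route. With only the _csrf_token requirement,
# a request that carries no valid token is denied with a 403, which is
# the behaviour in "Steps to reproduce".
example_oidc.logout:
  path: '/example-oidc/logout'
  defaults:
    _controller: '\Drupal\example_oidc\Controller\LogoutController::logout'
  requirements:
    _user_is_logged_in: 'TRUE'
    _csrf_token: 'TRUE'
  options:
    # When the token check fails, core sends the user to this route
    # instead of returning the 403.
    _csrf_confirm_form_route: 'example_oidc.logout.confirm'

# Confirmation form route. It has no _csrf_token requirement, so it is
# reachable by typing the URL. The logout itself happens only when the
# form is submitted, and Form API validates its own form token on that
# POST, so a cross-site GET cannot end the session.
example_oidc.logout.confirm:
  path: '/example-oidc/logout/confirm'
  defaults:
    # Hypothetical class; a ConfirmFormBase subclass whose submit
    # handler performs the provider logout.
    _form: '\Drupal\example_oidc\Form\LogoutConfirmForm'
    _title: 'Log out'
  requirements:
    _user_is_logged_in: 'TRUE'
```

A functional test for this pattern would request the logout path without a token, assert that the response is the confirmation form rather than a 403, and assert that the session is still active until the form is submitted.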
