Merge pull request #406 from johngian/fix-405

Add configuration to opt in logout using GET
mozilla · Mar 22, 2021 · b704982 · b704982
2 parents 5d775a8 + 8b67577
commit b704982
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 4 deletions.
diff --git a/docs/settings.rst b/docs/settings.rst
@@ -257,3 +257,9 @@ of ``mozilla-django-oidc``.
    :default: False
 
    Use HTTP Basic Authentication instead of sending the client secret in token request POST body.
+
+.. py:attribute:: ALLOW_LOGOUT_GET_METHOD
+
+   :default: False
+
+   Allow using GET method to logout user
diff --git a/mozilla_django_oidc/views.py b/mozilla_django_oidc/views.py
@@ -2,7 +2,7 @@
 
 from django.contrib import auth
 from django.core.exceptions import SuspiciousOperation
-from django.http import HttpResponseRedirect
+from django.http import HttpResponseRedirect, HttpResponseNotAllowed
 from django.urls import reverse
 from django.utils.crypto import get_random_string
 
@@ -202,7 +202,7 @@ def redirect_url(self):
         """Return the logout url defined in settings."""
         return self.get_settings('LOGOUT_REDIRECT_URL', '/')
 
-    def get(self, request):
+    def post(self, request):
         """Log out the user."""
         logout_url = self.redirect_url
 
@@ -218,6 +218,8 @@ def get(self, request):
 
         return HttpResponseRedirect(logout_url)
 
-    def post(self, request):
+    def get(self, request):
         """Log out the user."""
-        return self.get(request)
+        if self.get_settings("ALLOW_LOGOUT_GET_METHOD", False):
+            return self.post(request)
+        return HttpResponseNotAllowed(["POST"])