Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
feature #49306 [Security] Add logout configuration for Clear-Site-Dat…
…a header (maxbeckers) This PR was merged into the 6.3 branch. Discussion ---------- [Security] Add logout configuration for Clear-Site-Data header | Q | A | ------------- | --- | Branch? | 6.3 | Bug fix? | no | New feature? | yes | Deprecations? | no | Tickets | Fix #49266 | License | MIT | Doc PR | symfony/symfony-docs#17900 Enhance security by issuing a Clear-Site-Data header on logout. * [Clear-Site-Data](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Clear-Site-Data#sign_out_of_a_web_site) Documentation * Example: https://www.w3.org/TR/clear-site-data/#example-signout Default config is off. Config example for all: ```yaml security: # ... firewalls: main: # ... logout: path: app_logout clear_site_data: - "*" ``` Instead of all with the ``*`` it's also possible to add a set of ``cache``, ``cookies``, ``storage``, ``executionContexts``. For example without cookies it will look like this: ```yaml security: # ... firewalls: main: # ... logout: path: app_logout clear_site_data: - cache - storage - executionContexts ``` **TODO** - [x] Doc PR symfony/symfony-docs#17900 Commits ------- f9e76c1 [Security] Add logout configuration for Clear-Site-Data header
- Loading branch information
Showing
11 changed files
with
235 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
20 changes: 20 additions & 0 deletions
20
...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/php/logout_clear_site_data.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,20 @@ | ||
<?php | ||
|
||
$container->loadFromExtension('security', [ | ||
'providers' => [ | ||
'default' => ['id' => 'foo'], | ||
], | ||
|
||
'firewalls' => [ | ||
'main' => [ | ||
'provider' => 'default', | ||
'form_login' => true, | ||
'logout' => [ | ||
'clear-site-data' => [ | ||
'cookies', | ||
'executionContexts', | ||
], | ||
], | ||
], | ||
], | ||
]); |
22 changes: 22 additions & 0 deletions
22
...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/xml/logout_clear_site_data.xml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,22 @@ | ||
<?xml version="1.0" encoding="UTF-8"?> | ||
|
||
<srv:container xmlns="http://symfony.com/schema/dic/security" | ||
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
xmlns:srv="http://symfony.com/schema/dic/services" | ||
xsi:schemaLocation="http://symfony.com/schema/dic/services | ||
https://symfony.com/schema/dic/services/services-1.0.xsd | ||
http://symfony.com/schema/dic/security | ||
https://symfony.com/schema/dic/security/security-1.0.xsd"> | ||
|
||
<config> | ||
<provider name="default" id="foo" /> | ||
|
||
<firewall name="main" provider="default"> | ||
<form-login /> | ||
<logout> | ||
<clear-site-data>cookies</clear-site-data> | ||
<clear-site-data>executionContexts</clear-site-data> | ||
</logout> | ||
</firewall> | ||
</config> | ||
</srv:container> |
13 changes: 13 additions & 0 deletions
13
...y/Bundle/SecurityBundle/Tests/DependencyInjection/Fixtures/yml/logout_clear_site_data.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,13 @@ | ||
security: | ||
providers: | ||
default: | ||
id: foo | ||
|
||
firewalls: | ||
main: | ||
provider: default | ||
form_login: true | ||
logout: | ||
clear_site_data: | ||
- cookies | ||
- executionContexts |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
49 changes: 49 additions & 0 deletions
49
src/Symfony/Component/Security/Http/EventListener/ClearSiteDataLogoutListener.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,49 @@ | ||
<?php | ||
|
||
/* | ||
* This file is part of the Symfony package. | ||
* | ||
* (c) Fabien Potencier <fabien@symfony.com> | ||
* | ||
* For the full copyright and license information, please view the LICENSE | ||
* file that was distributed with this source code. | ||
*/ | ||
|
||
namespace Symfony\Component\Security\Http\EventListener; | ||
|
||
use Symfony\Component\EventDispatcher\EventSubscriberInterface; | ||
use Symfony\Component\Security\Http\Event\LogoutEvent; | ||
|
||
/** | ||
* Handler for Clear-Site-Data header during logout. | ||
* | ||
* @author Max Beckers <beckers.maximilian@gmail.com> | ||
* | ||
* @final | ||
*/ | ||
class ClearSiteDataLogoutListener implements EventSubscriberInterface | ||
{ | ||
private const HEADER_NAME = 'Clear-Site-Data'; | ||
|
||
/** | ||
* @param string[] $cookieValue The value for the Clear-Site-Data header. | ||
* Can be '*' or a subset of 'cache', 'cookies', 'storage', 'executionContexts'. | ||
*/ | ||
public function __construct(private readonly array $cookieValue) | ||
{ | ||
} | ||
|
||
public function onLogout(LogoutEvent $event): void | ||
{ | ||
if (!$event->getResponse()?->headers->has(static::HEADER_NAME)) { | ||
$event->getResponse()->headers->set(static::HEADER_NAME, implode(', ', array_map(fn ($v) => '"'.$v.'"', $this->cookieValue))); | ||
} | ||
} | ||
|
||
public static function getSubscribedEvents(): array | ||
{ | ||
return [ | ||
LogoutEvent::class => 'onLogout', | ||
]; | ||
} | ||
} |
48 changes: 48 additions & 0 deletions
48
src/Symfony/Component/Security/Http/Tests/EventListener/ClearSiteDataLogoutListenerTest.php
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,48 @@ | ||
<?php | ||
|
||
/* | ||
* This file is part of the Symfony package. | ||
* | ||
* (c) Fabien Potencier <fabien@symfony.com> | ||
* | ||
* For the full copyright and license information, please view the LICENSE | ||
* file that was distributed with this source code. | ||
*/ | ||
|
||
namespace Symfony\Component\Security\Http\Tests\EventListener; | ||
|
||
use PHPUnit\Framework\TestCase; | ||
use Symfony\Component\HttpFoundation\Request; | ||
use Symfony\Component\HttpFoundation\Response; | ||
use Symfony\Component\Security\Http\Event\LogoutEvent; | ||
use Symfony\Component\Security\Http\EventListener\ClearSiteDataLogoutListener; | ||
|
||
class ClearSiteDataLogoutListenerTest extends TestCase | ||
{ | ||
/** | ||
* @dataProvider provideClearSiteDataConfig | ||
*/ | ||
public function testLogout(array $clearSiteDataConfig, string $expectedHeader) | ||
{ | ||
$response = new Response(); | ||
$event = new LogoutEvent(new Request(), null); | ||
$event->setResponse($response); | ||
|
||
$listener = new ClearSiteDataLogoutListener($clearSiteDataConfig); | ||
|
||
$headerCountBefore = $response->headers->count(); | ||
|
||
$listener->onLogout($event); | ||
|
||
$this->assertEquals(++$headerCountBefore, $response->headers->count()); | ||
|
||
$this->assertNotNull($response->headers->get('Clear-Site-Data')); | ||
$this->assertEquals($expectedHeader, $response->headers->get('Clear-Site-Data')); | ||
} | ||
|
||
public static function provideClearSiteDataConfig(): iterable | ||
{ | ||
yield [['*'], '"*"']; | ||
yield [['cache', 'cookies', 'storage', 'executionContexts'], '"cache", "cookies", "storage", "executionContexts"']; | ||
} | ||
} |