Turn logout link into a POST API call with refresh

It's better to get rid of any GET request with csrf token Bug: T25227 Change-Id: I76464c750945d07a283b99b449f137593c685f02
wikimedia · May 18, 2019 · 8f03391 · 8f03391
1 parent f453ae8
commit 8f03391
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 0 deletions.
diff --git a/languages/i18n/en.json b/languages/i18n/en.json
@@ -388,6 +388,8 @@
 	"virus-scanfailed": "scan failed (code $1)",
 	"virus-unknownscanner": "unknown antivirus:",
 	"logouttext": "<strong>You are now logged out.</strong>\n\nNote that some pages may continue to be displayed as if you were still logged in, until you clear your browser cache.",
+	"logging-out-notify": "You are being logged out, please wait.",
+	"logout-failed": "Cannot log out now: $1",
 	"cannotlogoutnow-title": "Cannot log out now",
 	"cannotlogoutnow-text": "Logging out is not possible when using $1.",
 	"welcomeuser": "Welcome, $1!",

diff --git a/languages/i18n/qqq.json b/languages/i18n/qqq.json
@@ -595,6 +595,8 @@
 	"virus-scanfailed": "Used as error message. \"scan\" stands for \"virus scan\". Parameters:\n* $1 - exit code of virus scanner",
 	"virus-unknownscanner": "Used as error message. This message is followed by the virus scanner name.",
 	"logouttext": "Log out message. Parameters:\n* $1 - (Unused) an URL to [[Special:Userlogin]] containing <code>returnto</code> and <code>returntoquery</code> parameters",
+	"logging-out-notify": "The message when the user is being logged out",
+	"logout-failed": "Message when log out fails in notification popup. Parameters:\n* $1 - Error message",
 	"cannotlogoutnow-title": "Error page title shown when logging out is not possible.",
 	"cannotlogoutnow-text": "Error page text shown when logging out is not possible. Parameters:\n* $1 - Session type in use that makes it not possible to log out, from a message like {{msg-mw|sessionprovider-mediawiki-session-cookiesessionprovider}}.",
 	"welcomeuser": "Text for a welcome heading that users see after registering a user account.\n\nParameters:\n* $1 - the username of the new user. See [[phab:T44215]]",

diff --git a/resources/Resources.php b/resources/Resources.php
@@ -1704,8 +1704,14 @@
 		'dependencies' => [
 			'jquery.accessKeyLabel',
 			'jquery.checkboxShiftClick',
+			'mediawiki.notify',
+			'mediawiki.api'
 		],
 		'targets' => [ 'desktop', 'mobile' ],
+		'messages' => [
+			'logout-failed',
+			'logging-out-notify'
+		]
 	],
 	'mediawiki.page.startup' => [
 		'scripts' => 'resources/src/mediawiki.page.startup.js',

diff --git a/resources/src/mediawiki.page.ready.js b/resources/src/mediawiki.page.ready.js
@@ -53,6 +53,29 @@
 			window.print();
 			e.preventDefault();
 		} );
+
+		// Turn logout to a POST action
+		$( '#pt-logout a' ).on( 'click', function ( e ) {
+			var api = new mw.Api(), returnUrl;
+			returnUrl = $( '#pt-logout a' ).attr( 'href' );
+			mw.notify(
+				mw.message( 'logging-out-notify' ),
+				{ tag: 'logout', autoHide: false }
+			);
+			api.postWithToken( 'csrf', {
+				action: 'logout'
+			} ).done( function () {
+				// Horrible hack until deprecation of logoutToken in GET is done
+				returnUrl = returnUrl.replace( /logoutToken=.+?($|&)/g, 'logoutToken=%2B%5C' );
+				window.location = returnUrl;
+			} ).fail( function ( e ) {
+				mw.notify(
+					mw.message( 'logout-failed', e ),
+					{ type: 'error', tag: 'logout', autoHide: false }
+				);
+			} );
+			e.preventDefault();
+		} );
 	} );
 
 }() );