Fix logout for #3184

.env.example

@@ -177,6 +177,13 @@ LOGIN_PROVIDER=eloquent
 # This function is available in Firefly III v5.3.0 and higher.
 AUTHENTICATION_GUARD=web
 
+#
+# Likewise, it's impossible to log out users who's authentication is handled by an external system.
+# Enter a custom URL here that will force a logout (your authentication provider can tell you).
+# Setting this variable only works when AUTHENTICATION_GUARD != web
+#
+CUSTOM_LOGOUT_URI=
+
 # LDAP connection configuration
 # OpenLDAP, FreeIPA or ActiveDirectory
 # # If you use Docker or similar, you can set this variable from a file by appending it with _FILE

app/Http/Controllers/Auth/LoginController.php

@@ -176,4 +176,35 @@ class LoginController extends Controller
         throw $exception;
     }
 
+
+    /**
+     * Log the user out of the application.
+     *
+     * @param \Illuminate\Http\Request $request
+     *
+     * @return \Illuminate\Http\Response
+     */
+    public function logout(Request $request)
+    {
+        $authGuard = config('firefly.authentication_guard');
+        $logoutUri = config('firefly.custom_logout_uri');
+        if ('remote_user_guard' === $authGuard && '' !== $logoutUri) {
+            return redirect($logoutUri);
+        }
+
+        $this->guard()->logout();
+
+        $request->session()->invalidate();
+
+        $request->session()->regenerateToken();
+
+        if ($response = $this->loggedOut($request)) {
+            return $response;
+        }
+
+        return $request->wantsJson()
+            ? new \Illuminate\Http\Response('', 204)
+            : redirect('/');
+    }
+
 }

app/Http/Controllers/ProfileController.php

@@ -61,6 +61,8 @@ class ProfileController extends Controller
 {
     use RequestInformation, CreateStuff;
 
+    protected bool $externalIdentity;
+
     /**
      * ProfileController constructor.
      *
@@ -78,6 +80,9 @@ class ProfileController extends Controller
                 return $next($request);
             }
         );
+        $loginProvider          = config('firefly.login_provider');
+        $authGuard              = config('firefly.authentication_guard');
+        $this->externalIdentity = 'eloquent' === $loginProvider || 'remote_user_guard' === $authGuard;
 
         $this->middleware(IsDemoUser::class)->except(['index']);
         $this->middleware(IsSandStormUser::class)->except('index');
@@ -92,13 +97,10 @@ class ProfileController extends Controller
      */
     public function changeEmail(Request $request)
     {
-        $loginProvider = config('firefly.login_provider');
-        if ('eloquent' !== $loginProvider) {
-            // @codeCoverageIgnoreStart
-            $request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => e($loginProvider)]));
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
 
             return redirect(route('profile.index'));
-            // @codeCoverageIgnoreEnd
         }
 
         $title        = auth()->user()->email;
@@ -118,13 +120,10 @@ class ProfileController extends Controller
      */
     public function changePassword(Request $request)
     {
-        $loginProvider = config('firefly.login_provider');
-        if ('eloquent' !== $loginProvider) {
-            // @codeCoverageIgnoreStart
-            $request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => e($loginProvider)]));
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
 
             return redirect(route('profile.index'));
-            // @codeCoverageIgnoreEnd
         }
 
         $title        = auth()->user()->email;
@@ -137,10 +136,17 @@ class ProfileController extends Controller
     /**
      * View that generates a 2FA code for the user.
      *
+     * @param Request $request
+     *
      * @return Factory|View
      */
-    public function code()
+    public function code(Request $request)
     {
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
+
+            return redirect(route('profile.index'));
+        }
         $domain = $this->getDomain();
         $secret = null;
 
@@ -192,10 +198,9 @@ class ProfileController extends Controller
      */
     public function confirmEmailChange(UserRepositoryInterface $repository, string $token)
     {
-        $loginProvider = config('firefly.login_provider');
-        if ('eloquent' !== $loginProvider) {
+        if ($this->externalIdentity) {
             // @codeCoverageIgnoreStart
-            throw new FireflyException('Cannot confirm email change when authentication provider is not local.');
+            throw new FireflyException(trans('firefly.external_user_mgt_disabled'));
             // @codeCoverageIgnoreEnd
         }
         // find preference with this token value.
@@ -229,15 +234,14 @@ class ProfileController extends Controller
      *
      * @param Request $request
      *
-     * @return Factory|View
+     * @return \Illuminate\Contracts\Foundation\Application|RedirectResponse|Redirector
      */
     public function deleteAccount(Request $request)
     {
-        $loginProvider = config('firefly.login_provider');
-        if ('eloquent' !== $loginProvider) {
-            // @codeCoverageIgnoreStart
-            $request->session()->flash('warning', trans('firefly.delete_local_info_only', ['login_provider' => e($loginProvider)]));
-            // @codeCoverageIgnoreEnd
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
+
+            return redirect(route('profile.index'));
         }
         $title        = auth()->user()->email;
         $subTitle     = (string) trans('firefly.delete_account');
@@ -251,8 +255,13 @@ class ProfileController extends Controller
      *
      * @return RedirectResponse|Redirector
      */
-    public function deleteCode()
+    public function deleteCode(Request $request)
     {
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
+
+            return redirect(route('profile.index'));
+        }
         /** @var UserRepositoryInterface $repository */
         $repository = app(UserRepositoryInterface::class);
 
@@ -271,8 +280,14 @@ class ProfileController extends Controller
      *
      * @return RedirectResponse|Redirector
      */
-    public function enable2FA()
+    public function enable2FA(Request $request)
     {
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
+
+            return redirect(route('profile.index'));
+        }
+
         /** @var User $user */
         $user       = auth()->user();
         $enabledMFA = null !== $user->mfa_secret;
@@ -329,6 +344,12 @@ class ProfileController extends Controller
      */
     public function newBackupCodes()
     {
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
+
+            return redirect(route('profile.index'));
+        }
+
         // generate recovery codes:
         $recovery      = app(Recovery::class);
         $recoveryCodes = $recovery->lowercase()
@@ -354,13 +375,10 @@ class ProfileController extends Controller
      */
     public function postChangeEmail(EmailFormRequest $request, UserRepositoryInterface $repository)
     {
-        $loginProvider = config('firefly.login_provider');
-        if ('eloquent' !== $loginProvider) {
-            // @codeCoverageIgnoreStart
-            $request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => e($loginProvider)]));
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
 
             return redirect(route('profile.index'));
-            // @codeCoverageIgnoreEnd
         }
 
         /** @var User $user */
@@ -408,13 +426,10 @@ class ProfileController extends Controller
      */
     public function postChangePassword(ProfileFormRequest $request, UserRepositoryInterface $repository)
     {
-        $loginProvider = config('firefly.login_provider');
-        if ('eloquent' !== $loginProvider) {
-            // @codeCoverageIgnoreStart
-            $request->session()->flash('error', trans('firefly.login_provider_local_only', ['login_provider' => e($loginProvider)]));
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
 
             return redirect(route('profile.index'));
-            // @codeCoverageIgnoreEnd
         }
 
         // the request has already validated both new passwords must be equal.
@@ -446,6 +461,12 @@ class ProfileController extends Controller
      */
     public function postCode(TokenFormRequest $request)
     {
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
+
+            return redirect(route('profile.index'));
+        }
+
         /** @var User $user */
         $user = auth()->user();
         /** @var UserRepositoryInterface $repository */
@@ -485,6 +506,12 @@ class ProfileController extends Controller
      */
     public function postDeleteAccount(UserRepositoryInterface $repository, DeleteAccountFormRequest $request)
     {
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
+
+            return redirect(route('profile.index'));
+        }
+
         if (!Hash::check($request->get('password'), auth()->user()->password)) {
             session()->flash('error', (string) trans('firefly.invalid_password'));
 
@@ -506,8 +533,14 @@ class ProfileController extends Controller
      *
      * @return RedirectResponse|Redirector
      */
-    public function regenerate()
+    public function regenerate(Request $request)
     {
+        if ($this->externalIdentity) {
+            $request->session()->flash('error', trans('firefly.external_user_mgt_disabled'));
+
+            return redirect(route('profile.index'));
+        }
+
         /** @var User $user */
         $user  = auth()->user();
         $token = $user->generateAccessToken();
@@ -530,11 +563,8 @@ class ProfileController extends Controller
      */
     public function undoEmailChange(UserRepositoryInterface $repository, string $token, string $hash)
     {
-        $loginProvider = config('firefly.login_provider');
-        if ('eloquent' !== $loginProvider) {
-            // @codeCoverageIgnoreStart
-            throw new FireflyException('Cannot confirm email change when authentication provider is not local.');
-            // @codeCoverageIgnoreEnd
+        if ($this->externalIdentity) {
+            throw new FireflyException(trans('firefly.external_user_mgt_disabled'));
         }
 
         // find preference with this token value.

config/firefly.php

@@ -83,14 +83,14 @@ use FireflyIII\TransactionRules\Triggers\AmountMore;
 use FireflyIII\TransactionRules\Triggers\BudgetIs;
 use FireflyIII\TransactionRules\Triggers\CategoryIs;
 use FireflyIII\TransactionRules\Triggers\CurrencyIs;
-use FireflyIII\TransactionRules\Triggers\ForeignCurrencyIs;
-use FireflyIII\TransactionRules\Triggers\DateIs;
-use FireflyIII\TransactionRules\Triggers\DateBefore;
 use FireflyIII\TransactionRules\Triggers\DateAfter;
+use FireflyIII\TransactionRules\Triggers\DateBefore;
+use FireflyIII\TransactionRules\Triggers\DateIs;
 use FireflyIII\TransactionRules\Triggers\DescriptionContains;
 use FireflyIII\TransactionRules\Triggers\DescriptionEnds;
 use FireflyIII\TransactionRules\Triggers\DescriptionIs;
 use FireflyIII\TransactionRules\Triggers\DescriptionStarts;
+use FireflyIII\TransactionRules\Triggers\ForeignCurrencyIs;
 use FireflyIII\TransactionRules\Triggers\FromAccountContains;
 use FireflyIII\TransactionRules\Triggers\FromAccountEnds;
 use FireflyIII\TransactionRules\Triggers\FromAccountIs;
@@ -162,6 +162,8 @@ return [
     'disable_frame_header'    => env('DISABLE_FRAME_HEADER', false),
     'disable_csp_header'      => env('DISABLE_CSP_HEADER', false),
     'login_provider'          => envNonEmpty('LOGIN_PROVIDER', 'eloquent'),
+    'authentication_guard'    => envNonEmpty('AUTHENTICATION_GUARD', 'web'),
+    'custom_logout_uri'       => envNonEmpty('CUSTOM_LOGOUT_URI', ''),
     'cer_provider'            => envNonEmpty('CER_PROVIDER', 'fixer'),
     'update_endpoint'         => 'https://version.firefly-iii.org/index.json',
     'send_telemetry'          => env('SEND_TELEMETRY', false),

config/view.php

@@ -48,6 +48,6 @@ return [
     |
     */
 
-    'compiled' => realpath(storage_path('framework/views/v1')),
+    'compiled' => realpath(storage_path(sprintf('framework/views/%s', env('FIREFLY_III_LAYOUT', 'v1')))),
 
 ];

resources/lang/en_US/firefly.php

@@ -655,7 +655,8 @@ return [
     'login_with_new_email'                      => 'You can now login with your new email address.',
     'login_with_old_email'                      => 'You can now login with your old email address again.',
     'login_provider_local_only'                 => 'This action is not available when authenticating through ":login_provider".',
-    'delete_local_info_only'                    => "Because you authenticate through ':login_provider', this will only delete local Firefly III information.",
+    'external_user_mgt_disabled'                => 'This action is not available when Firefly III isn\'t responsible for user management or authentication handling.',
+    'delete_local_info_only'                    => "Because Firefly III isn't responsible for user management or authentication handling, this function will only delete local Firefly III information.",
     'profile_oauth_clients'                     => 'OAuth Clients',
     'profile_oauth_no_clients'                  => 'You have not created any OAuth clients.',
     'profile_oauth_clients_header'              => 'Clients',